need suggestions for best methods regarding user authentication class

Okay, so I've written user authentication snippets a lot, and I'm finally taking the time to create a nice class that I can reuse on different projects. Just looking for a little advice about a method before I start the coding.

 

The area I need input on is blocking/timing out. I want to be able to block a person from just trying usernames/passwords over and over again: basically you get X tries to log in or else you're blocked for Y minutes. I'm trying to figure out the best way to do this. I know I could track if a username has a certain number of failed password entries, and then block that user, but what about the instance where the username isn't in the database (like someone is trying to find a username)? In that case I think I'd just have to block them using session variables, right? I can't very well block their IP for a time period, because people may share IPs, or agent info, etc...

 

Also, what about supplying different error messages based on logins? In the past I have always supplied a generic "username/password combination not found", so you don't know what you got wrong... but if I was blocking certain usernames explicitly (by a MySQL tinyint or something) I'd probably need to let them know that THEIR account was blocked for Y minutes... which would mean I'd need to supply a different message, which would let them know that the username was in the database...

 

Any suggestions? I don't need coding help, as I've written cases like these many times; I'm just looking for the best approach.

 

Thanks in advance!

"i know i could track if a username has a certain number of failed password entries, and then block that user"

 

That would mean I'd try to log in to your account and after a number of failed attempts you and I are both blocked from logging in? I'd say only block the visitor who's trying to log in.

One thing (not the only thing though) is I would block the user agent/IP combo for 5 min(?). I would record that combo, and the attempts made by ANY browser from that IP for a certain account, i.e. 5 tries from 127.0.0.1/Firefox 1.8 shows something is wrong.

 

You can't block by cookies/sessions because they just clear their browser (or don't use them at all if it is a bot).

 

I would also MAKE SURE to use a captcha in the form to keep it to real people.

xeoncross,

Okay, that's along the lines of what I was thinking initially; my only hesitation about blocking the user_agent/IP combo would be some type of office setting where everyone sits on the same IP and is forced to use the same browser/operating system/etc. and would have the same agent/IP values.

 

Thanks,

Greg Titcomb

Personally, I don't worry about random people sitting at my login page trying to guess random usernames/passwords. That kind of stuff is left to bots almost all the time. So whatever you do, make sure that you have a captcha image.

 

As for the office, you can either play it paranoid and just hope that 3 different employees (all on IE) don't all try (and fail) to access their accounts on your site within 4 mins of each other (slim chance).

 

OR

 

You could actually just leave it at that and then store the username/password attempts, IPs, browsers, and times and just write a simple PHP script that alerts you whenever, let's say, 8+ matching IP/browser/etc. are used within 20 min. That way if you ever got a weird person that actually sat at your login trying it out, you would have the info to track them/ban them.

 

Both of these should work fine until you can figure out something better.

OOOOOOOOOO I just made a killa one: use the current session id as a password for your "remember me", store it in the DB, and later on you can add the IP as well for further security to make cookies safe.

 

Anyways, make login, authenticate and userIsGroup funcs and you're done, son.

 

I wouldn't give you too much help; things cost money, you know.

Your question - answer: store the amount of times that user has failed to authenticate and then block that username by storing a time in the blocked field; now your login script shouldn't let anyone with a time in the blocked field + Y mins log in.
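Here is an added, stand-alone illustration (not code from anyone in this thread) of the two throttles discussed above: the per-username "blocked field" from the post just above, and the per-IP/user-agent counting from xeoncross's post, combined so that the login response is the same generic message whether the username exists, is locked, or has a wrong password. The in-memory store, the plaintext `users` dict (a real class would store password hashes), the limits and the `(ip, user_agent)` source key are all assumptions for the demo.

```python
from collections import defaultdict, deque
import hmac

MAX_TRIES = 5        # X failed tries ...
LOCK_SECONDS = 300   # ... then blocked for Y minutes (5 min here)
WINDOW = 300         # sliding window for counting failures, in seconds
GENERIC_MSG = "username/password combination not found"
THROTTLE_MSG = "too many attempts; try again later"

class LoginGuard:
    def __init__(self, users):
        self.users = users                      # username -> password (constructed demo data)
        self.blocked_until = {}                 # username -> unix time the lock expires
        self.failures = defaultdict(deque)      # ("user", name) / ("src", (ip, ua)) -> timestamps

    def _recent(self, key, now):
        """Drop timestamps outside the window and return how many remain."""
        q = self.failures[key]
        while q and q[0] <= now - WINDOW:
            q.popleft()
        return len(q)

    def attempt(self, username, password, source, now):
        """source is an (ip, user_agent) tuple; now is a unix timestamp."""
        # Per-source throttle first: it applies even when the username does not exist,
        # which is the username-guessing case the original post asks about.
        if self._recent(("src", source), now) >= MAX_TRIES:
            return False, THROTTLE_MSG
        # Per-username lock: answer with the generic message so the response does not
        # reveal that this username is in the database.
        if self.blocked_until.get(username, 0) > now:
            return False, GENERIC_MSG
        stored = self.users.get(username)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if ok:
            self.failures.pop(("user", username), None)
            return True, "ok"
        # Record the failure against both the source and the username (known or not).
        self.failures[("src", source)].append(now)
        self.failures[("user", username)].append(now)
        if self._recent(("user", username), now) >= MAX_TRIES:
            self.blocked_until[username] = now + LOCK_SECONDS
        return False, GENERIC_MSG
```

Because a locked account still answers with the generic message, an attacker cannot use the lock to confirm a username, but the legitimate owner also gets no explanation until the lock expires; that is the trade-off the original post raises.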

"As for the office, you can either play it paranoid and just hope that 3 different employees (all on IE) don't all try (and fail) to access their accounts on your site within 4 mins of each other (slim chance)."

 

Works as long as your website is small and obscure, or specific to a topic, e.g. PHPfreaks could use this logic, not much chance of 2 people in the same office wanting the site at the same time... but what about if you become Facebook/Gmail sized, and everyone uses your services (which is, after all, the aim of the game!).

 

Suddenly several people using your service from one location doesn't seem so unlikely... and remember that people often learn about websites from those at work - so they might see a site, then go try it.
