-2

Possible Duplicate:
Limiting user login attempts in PHP

I'm trying to put some security in login to block user access after 3 failed attempts to login. For example, if a specific user attempts to login with wrong username or password 3 times, I should show the dialog or message that the user needs to try again after 10 minutes (as an example)

Than after 10 minutes, the user can login again with correct username and password.

How do I do that?

Community
  • 1
  • 1
melati
  • 167
  • 2
  • 5
  • 8
  • log their log in attempt, check the log to determine if they can or can not try again –  Dec 26 '12 at 04:00
  • you can do this by cookie or session .. just store status and increment on every failed login .. if reached to 3 block ..login for 10 minute or better option is ask to fill captcha .... like gmail and other does – NullPoiиteя Dec 26 '12 at 04:00
  • 3
    any one trying to hack the site would reset sessions\cookies every time; and unless a total amateur change ip to. –  Dec 26 '12 at 04:01
  • What have you tried? What hasn't worked? What research have you done to solve this problem? What common pitfalls exist in this scenario? – Charles Dec 26 '12 at 04:03

3 Answers3

1

The simplest way is using SESSION to store number of fail login, for each times user login use wrong username or password, increase your count. it like that:

if(isset($_SESSION['num_login_fail']))
{
  if($_SESSION['num_login_fail'] == 3)
   {
     if(time() - $_SESSION['last_login_time'] < 10*60*60 ) 
      {
         // alert to user wait for 10 minutes afer
          return; 
      }
      else
      {
        //after 10 minutes
         $_SESSION['num_login_fail'] = 0;
      }
   }      
}

$sucess = doLogin() // your check login function
if($success)
{
   $_SESSION['num_login_fail'] = 0;
   //your code here
}
else
{
 $_SESSION['num_login_fail'] ++;
 $_SESSION['last_login_time'] = time();
}

But, user can bypass it by turn off browser, then open again, all user's session wil be null. For more perfect , you can store num_login_fail and last_login_time in your database.

redwind
  • 161
  • 1
  • 13
0

You can use the $_SESSION var to save the number of attempts with the time attempted. This would work only if the user still has the same session (e.g, didn't close the browser). Use a cookie if you want it to persist. Use a db value of the IP if you don't want the user to be able to avoid this, but this would be a problem if its a NAT or such. You may want to block an IP after 3 attempts failed logged with a $_SESSION var

NullPoiиteя
  • 56,591
  • 22
  • 125
  • 143
MitziMeow
  • 635
  • 4
  • 13
0

In my opnion, Cookie or Session can solve your issue as well, but in my opinion, these ways are not perfect, especially if you are focus on secure. What will happened if user clear cookie ?

Phat H. VU
  • 2,350
  • 1
  • 21
  • 30
  • Hi Phat H. VU, as i said above, he can store number of fail login and last time login into db, then check it every time user login. – redwind Dec 26 '12 at 04:17
  • 1
    Yes, thanks for your comment. In this case, the performance should be considered. I wonder the scope of project which login page is applied. We can use Session or Cookie as well if it's not big. – Phat H. VU Dec 26 '12 at 04:33