From: Peter Lind on
On 9 August 2010 15:10, Richard Quadling <rquadling(a)gmail.com> wrote:
> On 9 August 2010 14:04, Juan Rodriguez Monti <juan(a)rodriguezmonti.com.ar> wrote:
>> 2010/8/9 Richard Quadling <rquadling(a)gmail.com>:
>>> On 9 August 2010 13:30, Juan Rodriguez Monti <juan(a)rodriguezmonti.com.ar> wrote:
>>>> I thought that might be a good idea, to define a session variable
>>>> called ( failedattempts ), then check and if $failedattempts is
>>>> greater than, suppose, 4 ...
>>>
>>> As sessions are connected to a request through a session cookie,
>>> putting the failed attempts in the session for checking later is a bad
>>> idea. A script attempting to crack your security will most likely NOT
>>> be using cookies. So each request, all the many millions of them, will
>>> seem to be clean/virgin requests, not multiple attempts. Each request
>>> will create a blank new session with 0 previous attempts.
>>
>> Good point. Thanks.
>>
>> So, what should I use instead of sessions to check this?
>>
>> Juan
>>
>
> You could suspend the account after 3 bad logins. Nice and simple. A
> "FailedLoginsSinceLastLogin" counter against the account in the DB
> should be enough. If that exceeds your limit, then they can't login.
> They will have to re-authenticate in some other way. When that is
> successful, then the value can be cleared.

That allows locking out users at random by knowing the username - not
a very good solution.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
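To make the two points in the thread concrete, here is a small added example (my own code, not posted by Juan, Richard or Peter) that simulates both counters from the command line. It models PHP's session store and the accounts table as plain arrays, so it runs offline with `php lockout_demo.php` on PHP 7.1 or later; the limit MAX_ATTEMPTS, the function names, and the sample account "alice" are assumptions made for the demo. Scenario 1 shows why the session counter never trips for a script that ignores cookies, scenario 2 shows it working only against a cooperative browser, and scenario 3 shows the lockout-by-username denial of service Peter points out with the per-account counter.

```php
<?php
// Added example, not from the mailing-list thread. Simulates the session-based
// and account-based failed-login counters discussed above. Run: php lockout_demo.php
declare(strict_types=1);

const MAX_ATTEMPTS = 3;   // assumed limit, stands in for Richard's "3 bad logins"

// In-memory stand-ins for the PHP session store and the accounts table (constructed data).
$sessions = [];   // session id => ['failed' => n]
$accounts = [
    'alice' => [
        'password_hash'      => password_hash('correct horse', PASSWORD_DEFAULT),
        'failed_since_login' => 0,   // Richard's FailedLoginsSinceLastLogin column
    ],
];

function newSessionId(): string
{
    return bin2hex(random_bytes(8));
}

/**
 * Approach 1 (Juan's idea): keep the failed-attempt counter in the session.
 * $cookie is the session id the client sent back, or null if it sent none.
 * Returns [outcome, session id the response would set].
 */
function loginWithSessionCounter(array &$sessions, array $accounts, ?string $cookie, string $user, string $pass): array
{
    // No (valid) cookie means a brand-new session with zero previous attempts.
    if ($cookie === null || !isset($sessions[$cookie])) {
        $cookie = newSessionId();
        $sessions[$cookie] = ['failed' => 0];
    }
    $s = &$sessions[$cookie];
    if ($s['failed'] >= MAX_ATTEMPTS) {
        return ['locked', $cookie];
    }
    if (isset($accounts[$user]) && password_verify($pass, $accounts[$user]['password_hash'])) {
        $s['failed'] = 0;
        return ['ok', $cookie];
    }
    $s['failed']++;
    return ['denied', $cookie];
}

/**
 * Approach 2 (Richard's suggestion): counter on the account row, cleared on success.
 */
function loginWithAccountCounter(array &$accounts, string $user, string $pass): string
{
    if (!isset($accounts[$user])) {
        return 'denied';
    }
    $a = &$accounts[$user];
    if ($a['failed_since_login'] >= MAX_ATTEMPTS) {
        return 'locked';   // stays locked until the user re-authenticates some other way
    }
    if (password_verify($pass, $a['password_hash'])) {
        $a['failed_since_login'] = 0;
        return 'ok';
    }
    $a['failed_since_login']++;
    return 'denied';
}

// Scenario 1: cookieless brute force against the session counter.
$guesses  = ['123456', 'password', 'letmein', 'qwerty', 'correct horse'];
$outcomes = [];
foreach ($guesses as $g) {
    // The attacking script never sends back the cookie it was given.
    [$result, $_sid] = loginWithSessionCounter($sessions, $accounts, null, 'alice', $g);
    $outcomes[] = $result;
}
echo "session counter, no cookies:   " . implode(' ', $outcomes) . "\n";   // never 'locked'
echo "sessions created: " . count($sessions) . "\n";                       // one per request

// Scenario 2: the same guesses from a browser that keeps its session cookie.
$sessions = [];
$sid = null;
$outcomes = [];
foreach ($guesses as $g) {
    [$result, $sid] = loginWithSessionCounter($sessions, $accounts, $sid, 'alice', $g);
    $outcomes[] = $result;
}
echo "session counter, cookies kept: " . implode(' ', $outcomes) . "\n";   // locks after 3

// Scenario 3: account counter; attacker knows only the username, not the password.
foreach (['x', 'y', 'z'] as $junk) {
    loginWithAccountCounter($accounts, 'alice', $junk);
}
echo "account counter, real user with correct password: "
    . loginWithAccountCounter($accounts, 'alice', 'correct horse') . "\n";   // 'locked'
```

In scenario 1 the five requests each get a fresh session, so the counter is always at attempt number one and the correct password is accepted on the fifth try; scenario 2 is the only case where the session counter does anything. Scenario 3 is the other failure mode: three junk passwords from anyone who knows the username are enough to lock the real user out.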