#1 wldrumstcs (Regular Coder; joined Jul 2009; Chicago, IL)

    Preventing Login Attacks

    I am just going to re-write this post. What is the best way to prevent a user from trying to login many times? Keeping track of it in a database seems to be the best way to do that, but I have no idea which information I should be storing in the database to keep track of the number of login attempts by a user. Should I try keeping track of IP addresses that attempt login attacks, i.e. more than 5 attempts in a short period of time? Obviously the problem with that one is that a smart user could use multiple IP addresses to attack from.

    What are your ideas?

    Thanks.
    Last edited by wldrumstcs; 10-13-2009 at 08:54 PM.

#2 CFMaBiSmAd (Senior Coder; joined Oct 2006; Denver, Colorado USA)
    Since that is pseudocode, it will be a little hard to help you debug what is wrong with your actual code.

    However, you cannot store the failed attempt count or the information about the 60 delay using session variables because all someone would need to do is drop the current session id, then attempt to log in again and they will get a fresh set of attempts. You must store the failed attempt count and any information about the delay time in a database table.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

#3 wldrumstcs (Regular Coder; joined Jul 2009; Chicago, IL)
    I could do that. What kind of information should I be storing? I know that a very determined user could get around just about anything, but what info, i.e. IP addresses etc., would be useful for keeping track of a user's attempts? After a successful login, would I just wipe out their entries in my "repeated login" DB?

    Thanks!

#4 CFMaBiSmAd (Senior Coder; joined Oct 2006; Denver, Colorado USA)
    Quote (originally posted by wldrumstcs):
        What kind of information should I be storing?

    The same thing you are using session variables to store now: the failed count and, when the account is locked out, the date/time of the lockout.

    You simply add columns for these to the user table. At the point of doing a failed attempt count and timed account lockout, all you really care about is what someone is doing per username. If they attempt using multiple IP addresses, that does not matter. If they exceed the maximum failed attempt count for any username, it does not matter if each attempt came from a different IP address.

    If the correct username/password is entered, that should reset the failed attempt count and allow login (the real user either remembered his real information or someone else locked his account out and the real user logged in.)
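    The per-username counter and timed lockout described in replies #2 and #4, written out as an added PHP example; this is not code from the thread or from either poster. The in-memory SQLite table, the user "alice", the limits (5 failed attempts, 15-minute lockout) and the choice to reject every attempt, correct password included, while the lockout window is open are constructed assumptions for the demo.

```php
<?php
// Added example, not the thread's own code: per-username failed-attempt
// counter plus timed lockout stored in the users table (reply #4), so that
// dropping the session id (reply #2) or rotating IP addresses does not reset
// the count. Table, user and limits below are constructed for the demo.
declare(strict_types=1);

const MAX_FAILED      = 5;     // assumption: attempts allowed before lockout
const LOCKOUT_SECONDS = 900;   // assumption: 15-minute lockout window

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Two extra columns on the existing users table are all that is needed.
    $db->exec('CREATE TABLE users (
        username      TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        failed_count  INTEGER NOT NULL DEFAULT 0,
        locked_until  INTEGER NULL
    )');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Returns 'ok', 'locked' or 'bad'. All state is keyed on the username,
 * so the client cannot reset it by starting a new session or changing IP.
 */
function attemptLogin(PDO $db, string $username, string $password, int $now): string
{
    $stmt = $db->prepare(
        'SELECT password_hash, failed_count, locked_until FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown username: still run password_verify against a dummy hash so
        // the response time does not reveal which usernames exist.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return 'bad';
    }

    $lockedUntil = $row['locked_until'] === null ? null : (int) $row['locked_until'];
    if ($lockedUntil !== null && $lockedUntil > $now) {
        return 'locked';   // inside the lockout window: reject even a correct password
    }

    if (password_verify($password, $row['password_hash'])) {
        // Correct credentials reset the counter and clear any expired lockout.
        $db->prepare('UPDATE users SET failed_count = 0, locked_until = NULL WHERE username = ?')
           ->execute([$username]);
        return 'ok';
    }

    // Wrong password. An expired lockout starts a fresh counting window;
    // otherwise keep counting and lock the account once the limit is reached.
    $failed  = $lockedUntil === null ? (int) $row['failed_count'] + 1 : 1;
    $newLock = $failed >= MAX_FAILED ? $now + LOCKOUT_SECONDS : null;
    $db->prepare('UPDATE users SET failed_count = ?, locked_until = ? WHERE username = ?')
       ->execute([$failed, $newLock, $username]);
    return $newLock === null ? 'bad' : 'locked';
}

// Demo run (constructed): five wrong guesses lock 'alice', the right password
// is refused until the window passes, then logs in and resets the counter.
$db  = setupDb();
$now = time();
for ($i = 1; $i <= MAX_FAILED; $i++) {
    echo "wrong guess $i: " . attemptLogin($db, 'alice', 'wrong', $now) . "\n";
}
echo "correct password while locked: " . attemptLogin($db, 'alice', 'correct horse', $now) . "\n";
echo "correct password after lockout: "
   . attemptLogin($db, 'alice', 'correct horse', $now + LOCKOUT_SECONDS + 1) . "\n";
```

    Because the counter lives in the users table and is keyed only on the username, the trade-off raised later in this thread still applies: anyone who knows a username can lock it for the length of the window. Logging the failed attempts (with timestamp and source address) alongside the counter gives you something to review when that happens.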

#5 wldrumstcs (Regular Coder; joined Jul 2009; Chicago, IL)
    The big issue I see with that approach is, say, my DB gets compromised: the attacker could repeatedly try to login on all the usernames, locking all of them out. I realize no way is 100% fool-proof, but there has to be a better way.

#6 OracleGuy (Rockstar Coder; joined Jun 2002; USA)
    Quote (originally posted by wldrumstcs):
        The big issue I see with that approach is, say, my DB gets compromised: the attacker could repeatedly try to login on all the usernames, locking all of them out. I realize no way is 100% fool-proof, but there has to be a better way.

    If that happens, does it really matter? They would have all the data stored on the site so they might not even need to login. If they wanted to and had write access, they could just change someone's password on the site and login.
    OracleGuy

#7 wldrumstcs (Regular Coder; joined Jul 2009; Chicago, IL)
    Touché.
