I'm working on a login script for a website and I need some orientation. My concern is about security.
There are 2 things involved, the login page and the login class, and I managed security as follows:
The form inside login.php has a token, and when the user submits the form (target "php_self"), I call the class and:
- validate the token
- check if the user is not blocked
- check if the password is correct with bcrypt.
- if the login fails, store the number of attempts and the datetime of the last login for that user in the db
- if it's the 2nd attempt, I put a recaptcha within the form. The captcha is validated through jQuery/AJAX (for usability reasons), and validated again server-side in the class after submit (in case someone forces the AJAX post call).
- if the 5th attempt fails, that account is blocked for 10 minutes.
Do you see any security weakness?
I found one and don't know how to fix it.
If failed attempts is "x" and recaptcha is required, the user can click the "login page" link (not refresh) and find the form without recaptcha (as attempt is 0). I could create a Session variable "attempt", but this one can be forced as well as the AJAX call, right?
Thanks in advance for your help.
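A server-side version of the attempt / captcha / lockout decision described in the post, as an added example (not the asker's code): the state is keyed by account in the database and read on every render and every POST, so arriving via the "login page" link or tampering with a session value cannot change it. It assumes PDO with an in-memory SQLite table `login_attempts` and the thresholds given above.

```php
<?php
// Added example, not the asker's code. Assumes PDO + SQLite (in-memory for a runnable
// demo) and a table login_attempts(username, failed_count, last_failed_at).
const CAPTCHA_AFTER_FAILURES = 1;   // captcha required from the 2nd attempt onward
const LOCK_AFTER_FAILURES    = 5;   // the 5th failure locks the account
const LOCK_SECONDS           = 600; // ... for 10 minutes

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE login_attempts (username TEXT PRIMARY KEY,
        failed_count INTEGER NOT NULL DEFAULT 0, last_failed_at INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

// Called both when rendering the form (decide whether to include the captcha) and
// when verifying the POST (refuse if locked, demand the captcha answer if required).
function loginState(PDO $pdo, string $username, int $now): array {
    $st = $pdo->prepare('SELECT failed_count, last_failed_at FROM login_attempts WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC) ?: ['failed_count' => 0, 'last_failed_at' => 0];
    $count  = (int)$row['failed_count'];
    $locked = $count >= LOCK_AFTER_FAILURES
           && ($now - (int)$row['last_failed_at']) < LOCK_SECONDS;
    return [
        'locked'           => $locked,
        'captcha_required' => $count >= CAPTCHA_AFTER_FAILURES,
        'failed_count'     => $count,
    ];
}

// On a failed password (or failed server-side captcha check): bump the counter.
function recordFailure(PDO $pdo, string $username, int $now): void {
    $st = $pdo->prepare('INSERT INTO login_attempts (username, failed_count, last_failed_at)
        VALUES (?, 1, ?) ON CONFLICT(username) DO UPDATE
        SET failed_count = failed_count + 1, last_failed_at = excluded.last_failed_at');
    $st->execute([$username, $now]);
}

// On a successful login: clear the record so the next form has no captcha.
function recordSuccess(PDO $pdo, string $username): void {
    $pdo->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
}

// Demo with a constructed user: five failures, then the lock window elapses.
$pdo = setupDb();
$t = 1700000000;
foreach ([1, 2, 3, 4, 5] as $n) { recordFailure($pdo, 'alice', $t + $n); }
print_r(loginState($pdo, 'alice', $t + 6));                // locked, captcha required
print_r(loginState($pdo, 'alice', $t + 6 + LOCK_SECONDS)); // lock expired, captcha still required
recordSuccess($pdo, 'alice');
print_r(loginState($pdo, 'alice', $t + 7 + LOCK_SECONDS)); // clean slate
```

Because the captcha decision is re-derived from the database inside the class, the server rejects a POST that omits the captcha whenever `captcha_required` is true, regardless of which page served the form.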