0

Possible Duplicate:
Preventing Brute Force Logins on Websites
Limiting user login attempts in PHP

I wanted to know what would be a best way to prevent brute forcing in a log in form. Meaning how can i save the number of tries and time limit? Would session be a good idea?

Thanks.

Community
  • 1
  • 1
SIL3NTCOD3R
  • 99
  • 2
  • 8
  • 1
    What have you tried? This is pretty general? If you want anything to last beyond page refresh, you'll need persistent storage. Obviously session is an example of that. – Jason McCreary Mar 10 '12 at 02:50

2 Answers2

2

You can automatically start a session for each person who hits your site. Then in the session variable, store the number of login attempts and if they are blocked, a time when they will be unlocked.

When processing the login, if the password and username does not match and the time limit has not expired and the number of tries has been exceeded, display a message to the user.

Your database table could look like this:

sessions
==========
id
num_tries //Number of login attemps
block_expires //If they are blocked, when they can be unblocked.

This approach assumes that the user will assume a session cookie. They can easily get around this by clearing their cookies.

In order to mitigate that some what, you can build some smarts into the process:

  • If the logins are coming from the same IP address AND the account they are trying to access does not change, then block the account (not the session!) for a set period of time.
F21
  • 28,366
  • 23
  • 91
  • 157
0

This is discussed here.

The consensus was that you can make an SQL table of failed attempts along with timestamps for each one. Then you would query that on a failed login and check the number of attempts and timestamps using cookies or querying every time.

Jon Egeland
  • 11,466
  • 7
  • 45
  • 62