

limit login


8 replies to this topic

#1 joe


Posted 25 May 2006 - 10:24 PM

hi... it's me again... :D :D

I have a question about how to limit user logins when a user keeps failing to log in. I mean, I want to limit users to 3 login attempts; after that, the user can log in again after 15 minutes.
This is my source:
<?
if($submit)
{
$name=$_POST["name"];
$pass=$_POST{"pass"];

$query=mysql_query("select * from user where name='$name' and pass='$pass'");
$data=mysql_fetch_array($query);
if($data)
{
$_SESSION['name']=$name;
$_SESSION ['pass']=$pass;
header("Location:index.php");
}
else
{
echo "Sorry, about this problem....";
}
}
else
{
header("Location:login.html");
}
?.>

What should I add to my source code to limit user login attempts?? :huh: :D
Sorry about my English :D :D

Thanks in advance... :D :D

#2 Mr. Matt


Posted 26 May 2006 - 12:38 AM

Might want to get the code right before you dive into doing this.

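<?
// $submit is only set when register_globals is on, as the original post assumes
if($submit)
{
$name=$_POST["name"];
$pass=$_POST["pass"];

// escape both values before they go into the SQL string
$query=mysql_query(sprintf("select * from user where name='%s' and pass='%s'",
mysql_real_escape_string($name), mysql_real_escape_string($pass)));
$data=mysql_fetch_array($query);
if($data)
{
session_register("name");
session_register("pass");
$_SESSION['name']=$name;
$_SESSION ['pass']=$pass;
header("Location:index.php");
}
else
{
echo "Sorry, about this problem....";
}
}
else
{
header("Location:login.html");
}
?>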

And if your login page is .html, that also won't work, as it needs to be .php.

Now about the login attempts.

Make a new column in the table users called failed_login and set it to an int. In the code, when they fail to log in because the username and password don't match, you need a query to add one to that value. Lastly, you need an if statement after the data has been pulled out, checking that the user_failed is less than 3, and so on. But to unlock after 15 mins, you would need a cron job, I think, to do that.

That's the best I can do for you atm due to a sleepless night, and I am feeling like crap at the moment.

Matt

Edited by deadly, 26 May 2006 - 03:58 AM.


#3 Matthew.


Posted 26 May 2006 - 03:35 AM

Hmm, deadly's way would work; however, cron jobs aren't really needed.

1: set a cookie to stop the user logging in, set it for 15 mins. (don't do this).

2: (the way I would do it) create a new field as deadly said, something like login_failed, and when the user enters the wrong login 3 times, add a timestamp to the field. Then check the timestamp against the current time when the user tries to log in.

This is better than the cookie method as cookies can be erased. This way there is no way the account could be logged into.
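
The database-backed approach from post #3 (a failure counter plus a timestamp, both checked on the server), as an added example that is not code from any poster in this thread. It assumes PHP 7.1+ with PDO SQLite, a hypothetical `locked_until` column next to `failed_login`, and passwords stored with `password_hash`; the user row is constructed.

```php
<?php
// Added example: lockout state lives in the user row, not in a cookie,
// session or hidden field. Column locked_until and the sample user are assumptions.
const MAX_FAILS = 3;
const LOCK_SECONDS = 900; // 15 minutes

function attempt_login(PDO $db, string $name, string $pass, int $now): string {
    $q = $db->prepare('SELECT pass_hash, failed_login, locked_until FROM user WHERE name = ?');
    $q->execute([$name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return 'bad';                       // unknown user: same answer as a wrong password
    }
    if ($row['locked_until'] > $now) {
        return 'locked';                    // still inside the 15-minute window
    }
    if (password_verify($pass, $row['pass_hash'])) {
        $db->prepare('UPDATE user SET failed_login = 0, locked_until = 0 WHERE name = ?')
           ->execute([$name]);
        return 'ok';
    }
    // Wrong password: count it; on the third failure store the unlock time.
    $fails = $row['failed_login'] + 1;
    $until = 0;
    if ($fails >= MAX_FAILS) { $until = $now + LOCK_SECONDS; $fails = 0; }
    $db->prepare('UPDATE user SET failed_login = ?, locked_until = ? WHERE name = ?')
       ->execute([$fails, $until, $name]);
    return $until ? 'locked' : 'bad';
}

// Constructed demo data: in-memory SQLite stands in for the MySQL user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (name TEXT PRIMARY KEY, pass_hash TEXT,
           failed_login INTEGER DEFAULT 0, locked_until INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO user (name, pass_hash) VALUES (?, ?)')
   ->execute(['joe', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = 1000000; // fixed clock so the run is repeatable
foreach ([['wrong1', 0], ['wrong2', 10], ['wrong3', 20], ['correct horse', 30],
          ['correct horse', 20 + LOCK_SECONDS]] as [$pw, $dt]) {
    printf("t+%4d  %-14s %s\n", $dt, $pw, attempt_login($db, 'joe', $pw, $t + $dt));
}
```

Because the unlock time is compared on every attempt, no cron job is needed to release the account. Locking by account name means anyone who knows a name can keep that account locked, so this is usually paired with per-IP throttling.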

#4 Indigo


Posted 26 May 2006 - 06:18 AM

What I would have done is something like this:

When the user inputs wrong information, set a session to 1; if he/she inputs wrong information two times, set a session to 2, etc., and then redirect to the login form.

Then do this:
// 'failed' is a placeholder name for the session counter
if($_SESSION['failed'] == 3) { echo "You're not allowed to log in"; }
else { /* display form */ }

This might not be a clever way of doing it; does anybody think this is really stupid?

#5 Av-


Posted 26 May 2006 - 06:42 AM

As for the 3 attempts, set a hidden field, and make the value +1 every time the user submits the form.

<?php
// attempt counter carried in the hidden form field (0 on first visit)
$value = isset($_POST['value']) ? (int)$_POST['value'] : 0;
if(isset($_POST['submit'])){
$value = $value + 1;
if($value >= 3){
// setcookie and redirect to error page
} else {
// check login
}
} else {
// display form
echo '<input type="hidden" name="value" value="'.$value.'">';
}
?>

Edited by Avalanche, 26 May 2006 - 06:42 AM.


#6 joe


Posted 26 May 2006 - 07:48 AM

OK, I'll try... :) :)
I made a conclusion like this (from what I read and understand):
1. add a column session failed attempt in my database
2. create a session in my field form that notes the attempts of user failed login
3. don't use .html page

This is right, isn't it? I'll try, and if I have trouble, I'll post!!!
Thanks, all folks.... :) :)

#7 Matthew.


Posted 26 May 2006 - 12:18 PM

No... nooooooo lol.

OK, first Indigo. Don't use sessions; you would simply close the browser and the session is gone.

Avalanche, again no, as hidden fields can be easily changed using javascript from the browser. Anyone with a braincell of 2 can google javascript injection and can simply change the hidden field to a good value.

:)

Edited by .Matt, 26 May 2006 - 12:18 PM.


#8 Indigo


Posted 27 May 2006 - 06:43 AM

Well, you're right .Matt, but... What harm can it make, if he can't get in 3 tries, and has to close his browser all the time... Well, I'd for sure give up, but I'm lazy as hell too :)
But your way is probably the best, so I won't argue with you, and rather code it like that myself.

#9 Matthew.


Posted 27 May 2006 - 09:13 AM

There's nothing wrong with your way, don't get me wrong.

Just if you want something completely foolproof then it's not great :D

Edited by .Matt, 27 May 2006 - 09:14 AM.





