PHP: blocking after too many incorrect password attempts

I am wondering what is the best way to handle blocking computers after users have made 5 incorrect login attempts.

I thought this was done by IP, but then I started thinking about users who come through a gateway and share a common IP address. I would not want to block legitimate users just because someone on the same network is entering incorrect data.

Cookies are another option, but users can clear them from the browser, so I think they would be very inefficient.

Can anyone else give me more ideas on this?

Thanks, Mic

+4

2 answers

I would do something like:

If the user makes 5 incorrect login attempts:

  • Block the user for 15 [xxx] minutes (so even if he tries again with the correct password, it will not work)

  • Add a captcha control so that other users can log in without problems ...

I would do this by IP and username ...

Just save the timestamp of the last failed attempt in the database, together with a counter of wrong attempts.

Then, if he tries to log in within a certain time (say 15 minutes) of the last wrong attempt and

  • the counter is less than the maximum number of login attempts, just increment the counter and update the timestamp with the new timestamp

  • the counter is equal to (or higher than) the maximum, you block the login attempt and update the timestamp with the new timestamp

+1
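The scheme described in the answer above (one counter and timestamp per username-and-IP pair, a 15-minute lockout after 5 failures, lockout refused even with the correct password), written out as an added example; this is not code from the original post or answer. It assumes PDO with the SQLite driver; the class name LoginThrottle, the table login_attempts, the user list and the IP addresses are made up for the demo.

```php
<?php
// Added example, not from the original answer: per-(username, IP) lockout counter
// backed by SQLite. Class and table names are assumptions chosen for this demo.

class LoginThrottle
{
    const MAX_ATTEMPTS = 5;    // failures allowed before a lockout
    const LOCK_SECONDS = 900;  // 15 minutes

    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
            attempt_key TEXT PRIMARY KEY, failures INTEGER NOT NULL, last_failed INTEGER NOT NULL)');
    }

    // One counter per (username, client IP) pair, so an attacker behind a shared
    // NAT address does not lock out the other users on the same network.
    private function key($username, $ip)
    {
        return strtolower($username) . '@' . $ip;
    }

    private function row($key)
    {
        $st = $this->db->prepare('SELECT failures, last_failed FROM login_attempts WHERE attempt_key = ?');
        $st->execute(array($key));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // Locked out while the counter has reached the maximum and the most recent
    // failure is still inside the window.
    public function isBlocked($username, $ip, $now)
    {
        $row = $this->row($this->key($username, $ip));
        if ($row === null) {
            return false;
        }
        return (int) $row['failures'] >= self::MAX_ATTEMPTS
            && $now - (int) $row['last_failed'] < self::LOCK_SECONDS;
    }

    // Failures older than the window start a fresh count; otherwise the counter
    // is incremented and the timestamp moved to the new attempt.
    public function recordFailure($username, $ip, $now)
    {
        $key = $this->key($username, $ip);
        $row = $this->row($key);
        $failures = 1;
        if ($row !== null && $now - (int) $row['last_failed'] < self::LOCK_SECONDS) {
            $failures = (int) $row['failures'] + 1;
        }
        $st = $this->db->prepare('INSERT OR REPLACE INTO login_attempts
            (attempt_key, failures, last_failed) VALUES (?, ?, ?)');
        $st->execute(array($key, $failures, $now));
        return $failures;
    }

    // A correct password outside a lockout clears the counter.
    public function recordSuccess($username, $ip)
    {
        $st = $this->db->prepare('DELETE FROM login_attempts WHERE attempt_key = ?');
        $st->execute(array($this->key($username, $ip)));
    }
}

// The lockout is checked before the password is compared, so a locked pair is
// refused even with the right password, as the answer suggests.
function attemptLogin(LoginThrottle $t, array $users, $username, $password, $ip, $now)
{
    if ($t->isBlocked($username, $ip, $now)) {
        $t->recordFailure($username, $ip, $now); // refreshes the timestamp, extending the lockout
        return 'locked';
    }
    $ok = isset($users[$username]) && password_verify($password, $users[$username]);
    if (!$ok) {
        $t->recordFailure($username, $ip, $now);
        return 'denied';
    }
    $t->recordSuccess($username, $ip);
    return 'ok';
}

// Constructed demo data: one user, in-memory database, fixed clock values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$throttle = new LoginThrottle($db);
$users = array('mic' => password_hash('correct horse', PASSWORD_DEFAULT));
$t0 = 1000000;
for ($i = 0; $i < 5; $i++) {                          // five wrong passwords from one address
    echo attemptLogin($throttle, $users, 'mic', 'wrong', '203.0.113.7', $t0 + $i), "\n";
}
echo attemptLogin($throttle, $users, 'mic', 'correct horse', '203.0.113.7', $t0 + 10), "\n";  // right password, same IP, inside window
echo attemptLogin($throttle, $users, 'mic', 'correct horse', '203.0.113.8', $t0 + 10), "\n";  // same user from another IP
echo attemptLogin($throttle, $users, 'mic', 'correct horse', '203.0.113.7', $t0 + 910), "\n"; // same IP after the window has passed
```

Because the timestamp is refreshed on every attempt during a lockout, an attacker who keeps submitting guesses for a known username from a given address keeps that pair locked for as long as the guesses continue; the captcha step the answer mentions is the usual way to let the real user through without lifting the counter.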

You can use PEAR::HTTP_FloodControl

<?php
if ($login_not_successful) {
    require_once 'HTTP/FloodControl.php';

    try {
        $ip = HTTP_FloodControl::getUserIP();
    } catch (HTTP_FloodControl_Exception $e) {
        die($e);
    }

    try {
        $fc = new HTTP_FloodControl();
        $fc->setContainer('File', '/home/user1/logs');
        $limits = array(
            10   => 10,   // maximum 10 requests in 10 seconds
            60   => 30,   // maximum 30 requests in 60 seconds
            300  => 50,   // maximum 50 requests in 300 seconds
            3600 => 200   // maximum 200 requests in 3600 seconds
        );
        if (!$fc->check($limits, $ip)) {
            die('Too many requests. Please try later.');
        }
    } catch (HTTP_FloodControl_Exception $e) {
        die($e);
    }
}

// Your login form
?>
+2

Source: https://habr.com/ru/post/1379478/
