I don't understand the behavior of PHP sleep()

I have this form:

    <form method="post" action="secret.php">
        <label for="pw">Password: </label><input type="password" name="pw" id="pw" />
    </form>

This is secret.php:

    <?php
    if (isset($_POST["pw"])) {
        if ($_POST["pw"] == "hello") {
            echo("<strong>Good pw.</strong><br />");
        } else {
            echo("<strong>Bad pw.</strong><br />");
            echo("<a href=\"form.php\">Back</a>");
            sleep(5);
        }
    } else {
        header("Location: /tut/first/form.php");
    }
    ?>

It happens that if the password is incorrect, it sleeps before displaying Bad pw. When I submit the form, it sleeps 5 seconds on the form page, and then changes the page and displays Bad pw. Why?

+4
3 answers

What happens is that you call the PHP script to sleep. The script must complete before it sends the result back to the client (browser).* Thus, you call the script for 5 seconds before it tells the client that it is not a good password.

Since you are not trying to avoid brute force situations, I would suggest something like this:

    <?php
    if (isset($_POST["pw"])) {
        if ($_POST["pw"] == "hello") {
            echo("<strong>Good pw.</strong><br />");
        } else {
            echo("<strong>Bad pw.</strong><br />");
            echo("<script type=\"text/javascript\">");
            echo("setTimeout(function() {");
            echo("window.location = 'form.php';"); // might need a more complete URL here
            echo("}, 5000);"); // setTimeout takes milliseconds: wait 5 seconds before redirecting
            echo("</script>");
            sleep(5);
        }
    } else {
        header("Location: /tut/first/form.php");
    }
    ?>

* The output is indeed sent back because it is written in a PHP script, but with buffering you do not see that it matters a lot, except for the headers and very large pages.

+4

You need to look into output buffering, although from what I see, the logic is wrong.

This can help

0

If you want to immediately respond to the browser, try flush() when you want to dump the output buffer into the browser. In addition, you may need to disable compression (e.g. gzip), which may affect output buffering.

However, taking this into account, you completely disagree about this. All the user has to do is open another tab / update and the server will check the login details again, so sleep() will not have the effect that you think it will.

I really developed something similar to this, and this is what I did:

Create a database table called fail_logins and another called login_bans, both based on IP address. Each time the user provides incorrect information, add an entry to the failed_logins table. What you want to do is specify it so that after the first login the user is blocked for 5 seconds, after the second it lasts up to 15 seconds and 3 or more for a certain period of time (for example, 2 hours) the user is prohibited for 45 seconds. All this is done on the server side, so the user cannot do anything to circumvent the ban. Therefore, you will have to check their IP address every time they access the page to see if their IP address is denied.

Then, on the client side, a countdown timer will be displayed containing the number of seconds remaining in the ban, and disable the submit button.

0
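The server-side scheme described in the last answer, as an added example that is not part of the original answers: failures are logged per IP, and each one sets a ban of 5, 15 or 45 seconds depending on how many failures fall inside the 2-hour window. The `failed_logins` and `login_bans` table names come from the answer; the column names, the function names and the in-memory SQLite store (PDO with the `pdo_sqlite` extension) are assumptions made for this sketch.

```php
<?php
// Added example: server-side progressive login throttle keyed by client IP.
// Table names follow the answer; columns, function names and the SQLite
// store are assumptions made for this sketch.
const WINDOW_SECONDS = 7200;            // failures older than 2 hours are ignored
const BAN_SECONDS = [1 => 5, 2 => 15];  // 3 or more failures => 45 seconds

function throttle_db(): PDO {
    $db = new PDO('sqlite::memory:');   // use a persistent database in practice
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE failed_logins (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $db->exec('CREATE TABLE login_bans (ip TEXT PRIMARY KEY, banned_until INTEGER NOT NULL)');
    return $db;
}

// Seconds the IP must still wait; 0 means a login attempt may be checked.
function ban_remaining(PDO $db, string $ip, int $now): int {
    $q = $db->prepare('SELECT banned_until FROM login_bans WHERE ip = ?');
    $q->execute([$ip]);
    return max(0, (int) $q->fetchColumn() - $now);
}

// Record a bad password and set the ban that matches the recent failure count.
function record_failure(PDO $db, string $ip, int $now): int {
    $db->prepare('INSERT INTO failed_logins (ip, failed_at) VALUES (?, ?)')
       ->execute([$ip, $now]);
    $q = $db->prepare('SELECT COUNT(*) FROM failed_logins WHERE ip = ? AND failed_at > ?');
    $q->execute([$ip, $now - WINDOW_SECONDS]);
    $ban = BAN_SECONDS[(int) $q->fetchColumn()] ?? 45;
    $db->prepare('REPLACE INTO login_bans (ip, banned_until) VALUES (?, ?)')
       ->execute([$ip, $now + $ban]);
    return $ban;
}

// Constructed run: one client sends a wrong password every 10 seconds.
$db = throttle_db();
$ip = '203.0.113.7';                    // documentation address, not real traffic
$t0 = 1700000000;                       // fixed clock so the run is repeatable
foreach ([0, 10, 20, 30, 40, 50] as $offset) {
    $now = $t0 + $offset;
    $wait = ban_remaining($db, $ip, $now);
    if ($wait > 0) {                    // refuse before looking at the password
        echo "t+$offset: banned, retry in {$wait}s\n";
        continue;
    }
    $ban = record_failure($db, $ip, $now);
    echo "t+$offset: bad password, banned for {$ban}s\n";
}
```

In a request handler, `$ip` would come from `$_SERVER['REMOTE_ADDR']` and `$now` from `time()`. Because the ban check runs before the password is compared, opening another tab or reloading does not get around the delay, and the value returned by `ban_remaining()` is what a client-side countdown would display.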

Source: https://habr.com/ru/post/1483852/

