Limiting login attempts regardless of user?

I have a login system requiring a username and password. I want to display a captcha after a certain number of failed login attempts. What is the correct way to implement this? I read about it on this site, and some solutions suggest adding an "unsuccessful attempts count" to the user table. However, I need unsuccessful attempts to not be attached to a specific user - that is, I would like the image to be displayed regardless of whether the entered user name was in the system. Should this then be stored in a session variable (I use PHP)? If so, is there no drawback to simply throwing data into session variables as necessary? I already have a session identifier for each visitor on the site (whether logged in or not), so I could create a table that links attempts to this session identifier... any ideas on what is the best / safest approach? Thanks.

Update: from the answers so far, it seems that the session identifier is not the best idea, since a hacker can just clear his cache (but is this really a problem, given that it will not slow down the brute force attack enough to make it useless?). Another option is by IP... but I can't account for users on an intranet or behind a proxy, as unsuccessful attempts will be common.... I can't think of any other methods... can you?

+3
5 answers

The danger of using a session identifier is that someone who writes a brute force attack can simply clear his cookies on every attempt and thereby get a new session.

, , cookie, .

- IP- . , -. , .

: , . . cookie - , ( , ). , , cookie.

+6

, , ( , , reset ) .

+1

IP Time. , IP-, captcha.

+1

APC http://www.php.net/apc memcache (d) http://www.php.net/memcache http://www.php.net/memcached (memcache memcached, . http://www.danga.com/memcached/), IP- - (5 , 30 ..)..). , ( ) .

APC:

<?php
$ip = $_SERVER['REMOTE_ADDR'];   // client address the counter is keyed on
$timeout = 1800;                 // seconds the counter lives in the cache (30 min)
$login_failed = false;           // set to true by your own credential check below
$max_attempts = 5;  // max attempts before captcha
$attempts = apc_fetch('login_attempts_'.$ip);   // false when no entry exists yet
if($attempts and $attempts>$max_attempts){
    // block code here or redirect, captcha etc... also suggest a short sleep time to delay answer, slow down bot
}else{
    // check login here, run next code if login fails
    if($login_failed){
        if(!$attempts){
            apc_store('login_attempts_'.$ip,1,$timeout);
        }else{
            // function NOT currently documented on php.net, increments number stored in key
            apc_inc('login_attempts_'.$ip);
        }
    }
}

, ...

+1
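A table-backed variant of the per-IP counter from the answer above, added here as an example and not taken from this thread: failures are timestamped rows, so the count covers a sliding window instead of a cache TTL, and a captcha is demanded once any client address exceeds the limit regardless of the username tried. It assumes PDO with SQLite (in-memory here), a constructed client address, and a 5-failures-per-30-minutes policy.

```php
<?php
// Added example (not the thread's code). Counter table keyed by client address.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_failures (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_ip_time ON login_failures (ip, failed_at)');
    return $db;
}

// Number of failures recorded for $ip within the last $window seconds.
function recent_failures(PDO $db, string $ip, int $window, int $now): int {
    $st = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE ip = ? AND failed_at > ?');
    $st->execute([$ip, $now - $window]);
    return (int) $st->fetchColumn();
}

// Called after a credential check fails, whatever username was submitted.
function record_failure(PDO $db, string $ip, int $now): void {
    $st = $db->prepare('INSERT INTO login_failures (ip, failed_at) VALUES (?, ?)');
    $st->execute([$ip, $now]);
}

// Housekeeping: drop rows older than the window so the table does not grow forever.
function purge_old(PDO $db, int $window, int $now): void {
    $st = $db->prepare('DELETE FROM login_failures WHERE failed_at <= ?');
    $st->execute([$now - $window]);
}

function captcha_required(PDO $db, string $ip, int $max, int $window, int $now): bool {
    return recent_failures($db, $ip, $window, $now) >= $max;
}

// Usage with constructed values. In production $ip comes from $_SERVER['REMOTE_ADDR'];
// behind a reverse proxy that is the proxy's address, so use the forwarded header
// only if the proxy is trusted to set it, and expect shared addresses (intranet,
// NAT) to hit the captcha sooner than individual users would.
$db = open_store();
$ip = '203.0.113.7';          // constructed address from the documentation range
$max = 5; $window = 1800;     // 5 failures per 30 minutes
$now = time();
for ($i = 0; $i < $max; $i++) {
    record_failure($db, $ip, $now);
}
var_dump(captcha_required($db, $ip, $max, $window, $now));         // inside the window
var_dump(captcha_required($db, $ip, $max, $window, $now + 1801));  // window has passed
purge_old($db, $window, $now + 1801);
```

Because the count is per address rather than per account, a single attacker switching usernames is throttled, while a captcha (not a lockout) keeps legitimate users on a shared address able to log in.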

, , - IP-. cookie, , , cookie (.. curl). , , ​​ , ajax , . , IP-, ( ).

0

Source: https://habr.com/ru/post/1714042/
