From: Juan Rodriguez Monti > I would like to know what do you suggest to implement a limit for > failed login attempts. > > I thought that might be a good idea, to define a session variable > called ( failedattempts ), then check and if $failedattempts is > greater than, suppose, 4 write to a Database ( ip, username and > last-time-attempt ). If ater that, the user/bot tries again to login > unsuccessfully, then the system should ban that user & ip combination.
We have two columns in the user table, login_attempts and u_touch. The first is an integer, the second is a time stamp. The second is updated to now every time the user requests a page. Each time a login attempt fails, the first column is incremented. If the first column exceeds 3 when a new attempt is made, the previous time in the second must be more than 30 minutes old. The first column is reset to 0 on a successful login, or 1 on an unsuccessful attempt more than 30 minutes after the previous attempt. The error message is the same for all login failures, no matter what the cause. While logged in, if a page is requested with the value of u_touch more than ten minutes old, the user is automatically logged out. Bob McConnell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
