Re: locking user out after 3 incorrect attempts to log in

2004-06-16 Thread Christy Carter
Thanks, Matt. I did download your code, and am about to wade through it now, although given my lack of CF knowledge, my chances of being able to decipher it are probably slim. :)

But thanks for your help anyway.

Christy
:)




RE: locking user out after 3 incorrect attempts to log in

2004-06-16 Thread Matt Robertson
Christy Carter wrote:
>wouldn't "times_logged_on" track how many times the user has actually 
>logged in, not just tried to? 

Not if you reset your counter stuff to zero (or delete it or somesuch)
after a successful login :-)

I wrote a free tag that does this 3-strikes stuff (I use 4 strikes, as I
mentioned), has a forgotten password thingie etc.  CF_AccessMonger.
Download it and claw thru it.  Maybe there's something in there you can
use.

Cheers,


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com





Re: locking user out after 3 incorrect attempts to log in

2004-06-16 Thread Christy Carter
Okay, I could be wrong because like I said, I'm very new to this - but wouldn't "times_logged_on" track how many times the user has actually logged in, not just tried to?  I've tried to use "session.times_logged_on" but until the person successfully logs in, there's no actual session variable set.

I'm half tempted to just forget about it altogether haha!

Christy




Re: locking user out after 3 incorrect attempts to log in

2004-06-16 Thread Doug James
I would imagine you could do something like:
On the login.cfm page

Sorry too many attempts (or some other more nicely worded message)

login form stuff here

Doug

Christy Carter wrote:

>Thanks for all the replies, folks!
>
>Doug, I looked at that Coldcuts code you mentioned, but I have no clue where in my code to put it!  I've tried several things but keep getting errors - VALUE is not a valid parameter, among others.  Where would you suggest I place that code?  Thank you for your help. :)
>
>We don't want to annoy people, but we want to give our new customers a sense of security. Irritating, but strangely comforting, as George said. :) I'm trying to find a happy balance between the two sides - perhaps 4 attempts to log in and then a 10-minute lockout, after which they can try again?
>
>I also realize it isn't foolproof - and that most computer-savvy people can just delete the cookies and move on.  But we still want to put some sort of security in place.
>
>session.times_logged_on seems like a good option - can someone direct me as to where in my code I should put this stuff?  I have two login pages - login.cfm (the page where you enter your username and password) and login_validate.cfm (where the user info is validated).
>
>Thank you!!!
>Christy
>:)




Re: locking user out after 3 incorrect attempts to log in

2004-06-16 Thread Christy Carter
Thanks for all the replies, folks!

Doug, I looked at that Coldcuts code you mentioned, but I have no clue where in my code to put it!  I've tried several things but keep getting errors - VALUE is not a valid parameter, among others.  Where would you suggest I place that code?  Thank you for your help. :)

We don't want to annoy people, but we want to give our new customers a sense of security. Irritating, but strangely comforting, as George said. :) I'm trying to find a happy balance between the two sides - perhaps 4 attempts to log in and then a 10-minute lockout, after which they can try again?

I also realize it isn't foolproof - and that most computer-savvy people can just delete the cookies and move on.  But we still want to put some sort of security in place.

session.times_logged_on seems like a good option - can someone direct me as to where in my code I should put this stuff?  I have two login pages - login.cfm (the page where you enter your username and password) and login_validate.cfm (where the user info is validated).

Thank you!!!
Christy
:)




Re: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread George Abraham
Yeah it is irritating, yet strangely comforting. I just went through that 
with my bank login. They have some database tracking that keeps an account 
of the number of times you try to log in. If the process to reactivate 
wasn't so darned convoluted, it would be an OK experience.

George

At 12:48 PM 6/15/2004, Casey C Cook wrote:
>As long as it just kicks the user off the login screen I wouldn't mind. What
>I really dislike is 3 failed attempts and you have to call a helpdesk or
>send e-mail or whatever to have your account "reactivated" such that you
>can try to log in again.
>
>Casey Cook




Re: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread G
One option would be to lock the account at the database level. You mark the account as locked, along with the date/time when the account was locked. The next time someone tries to log in to that account, you can check the elapsed time between Now() and the lockTime against a third value from the database (lockDuration or something like that).

This would allow the account to effectively unlock itself after a given period of time.

Brian
  - Original Message - 
  From: Casey C Cook 
  To: CF-Talk 
  Sent: Tuesday, June 15, 2004 11:48 AM
  Subject: Re: locking user out after 3 incorrect attempts to log in

  As long as it just kicks the user off the login screen I wouldn't mind. What 
  I really dislike is 3 failed attempts and you have to call a helpdesk or 
  send e-mail or whatever to have your account "reactivated" such that you 
  can try to log in again.

  Casey Cook




Re: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread Casey C Cook
As long as it just kicks the user off the login screen I wouldn't mind. What 
I really dislike is 3 failed attempts and you have to call a helpdesk or 
send e-mail or whatever to have your account "reactivated" such that you 
can try to log in again.

Casey Cook




Re: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread Mark Drew
You are right, deleting cookies just makes it go away; otherwise we
are into the arena of banning IP addresses, and with dynamic IP
addresses being used normally that is outta the window!

MD




RE: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread Matt Robertson
Granted that deleting cookies pretty much zaps session management,
but...

The trick to making this work right, I think, is making it successfully
self-service.  A user has to have enough retries to get it thru their
thick skull that they forgot their password (I use 4 strikes).  

The lockout has to expire on its own (session vars and a session
timeout handle this nicely) and the "I forgot my password.  Help me"
link has to be plainly displayed and easy to use -- and also
self-service.

There's a whole 'nother topic right there.


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com





RE: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread Mark W. Breneman
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166678
---
We built something like this into our default admin template that we base
all of our clients' admin / content management sections off of.  I decided
that I did not want to lock the user out after 3 attempts and then force
them to call us. So, I added an extra session var that tracks how many bad
login attempts there have been for that user in the last 10 mins. If they
try to log in a fourth time they get a message to the effect of "Too many
failed login attempts, please try again in 10 mins."  After 10 mins they
can try three more times.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
  Vivid Media
  [EMAIL PROTECTED]
  www.vividmedia.com
  608.270.9770

  _  

From: G [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 15, 2004 8:53 AM
To: CF-Talk
Subject: Re: locking user out after 3 incorrect attempts to log in

Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:11
---
This is a bit of a tangent to this topic, but I'm curious whether I'm the
only person out there who gets annoyed by systems that employ this
technique. The system we built at my old dot.com company employed this
technique, and it drove our clients crazy (which in turn drove us developers
crazy). 

The idea, I assume, is that if someone is unsuccessful logging in three
times in a row, they must not be a valid user. It's my experience that the
VAST majority of the time, the person getting locked out is a valid user who
made an innocent mistake trying to log in. The 3 strikes and you're out schema
seems to be a bit outdated, and causes more harm (annoyance) than good.

Just curious what you all thought about this.

Brian
  From: Steve Nelson 
  To: CF-Talk 
  Sent: Tuesday, June 15, 2004 8:41 AM
  Subject: RE: locking user out after 3 incorrect attempts to log in

  Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166657
  ---
  Cookies are definitely not the only solution. 

  This would make an interesting CF contest. Who ran that CF contest a couple
  months ago?

  Steve Nelson

    _  

  From: Pascal Peters [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, June 15, 2004 3:24 AM
  To: CF-Talk
  Subject: RE: locking user out after 3 incorrect attempts to log in

  Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166613
  ---
  I see you are using session vars, so I would recommend
  session.times_logged_on. 

  But that aside, you have to realize that there is no way of really
  blocking more than x attempts to log in on a web app. All methods you
  can come up with will rely on cookies to track that and the user can
  manipulate those on his machine. If some site tells me I had too many
  attempts, I just delete the cookies for that site and happily continue
  logging in.

  Pascal 

  > -Original Message-
  > From: Doug James [mailto:[EMAIL PROTECTED] 
  > Sent: Monday 14 June 2004 21:36
  > To: CF-Talk
  > Subject: Re: locking user out after 3 incorrect attempts to log in
  > 
  > Christy, welcome to the wonderful world of CF. Speaking for 
  > everyone on the list, we hope you enjoy it and will stay and 
  > even recruit some friends.
  > 
  > Regarding your problem, check out
  > http://www.teratech.com/coldcuts/cutdetail.cfm?cutid=291
  > 
  > Doug
  > 
  > Christy wrote:

    _

  _
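Brian's database-level lock (a lockTime compared against a lockDuration) and Mark Breneman's count of bad attempts in the last 10 minutes are the same idea once the counter lives in the account's own server-side record rather than in a session cookie, which is also what answers Pascal's and Mark Drew's objection: clearing cookies or changing IP address does not touch a lock stored against the account. The following is an added example, not code from anyone in this thread, written in Python rather than CFML so the logic stands on its own; the AccountRecord fields, the 4-strike and 10-minute values, and the scenario in run_demo are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 4                        # the 4th wrong password locks the account ("4 strikes")
LOCK_DURATION = timedelta(minutes=10)   # the lock expires on its own after 10 minutes
WINDOW = timedelta(minutes=10)          # only failures within the last 10 minutes count

@dataclass
class AccountRecord:                    # one constructed row of the accounts table
    username: str
    password: str                       # plain text only to keep the example short
    failed_attempts: int = 0
    first_failure: Optional[datetime] = None
    lock_time: Optional[datetime] = None

def is_locked(acct: AccountRecord, now: datetime) -> bool:
    """True while now - lock_time is shorter than LOCK_DURATION; clears an expired lock."""
    if acct.lock_time is None:
        return False
    if now - acct.lock_time < LOCK_DURATION:
        return True
    acct.lock_time = None               # expired: the account unlocks itself
    acct.failed_attempts = 0
    acct.first_failure = None
    return False

def attempt_login(db: dict, username: str, password: str, now: datetime) -> str:
    """Check one login attempt against the server-side record; returns 'ok', 'locked' or 'bad'."""
    acct = db.get(username)
    if acct is None:
        return "bad"                    # same reply as for a wrong password
    if is_locked(acct, now):
        return "locked"                 # even the right password is refused until the lock expires
    if password == acct.password:
        acct.failed_attempts = 0        # a successful login resets the counter
        acct.first_failure = None
        return "ok"
    if acct.first_failure is None or now - acct.first_failure > WINDOW:
        acct.first_failure = now        # earlier failures are too old: start a fresh window
        acct.failed_attempts = 0
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILURES:
        acct.lock_time = now
        return "locked"
    return "bad"

def run_demo() -> list:
    # Constructed scenario: three wrong passwords, a fourth locks; right password refused at +5 min, accepted at +11 min
    db = {"christy": AccountRecord("christy", "correct-horse")}
    t0 = datetime(2004, 6, 15, 12, 0)
    results = [attempt_login(db, "christy", "wrong", t0 + timedelta(seconds=i)) for i in range(4)]
    results.append(attempt_login(db, "christy", "correct-horse", t0 + timedelta(minutes=5)))
    results.append(attempt_login(db, "christy", "correct-horse", t0 + timedelta(minutes=11)))
    return results
```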




Re: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread G
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:11
---
This is a bit of a tangent to this topic, but I'm curious whether I'm the only person out there who gets annoyed by systems that employ this technique. The system we built at my old dot.com company employed this technique, and it drove our clients crazy (which in turn drove us developers crazy).

The idea, I assume, is that if someone is unsuccessful logging in three times in a row, they must not be a valid user. It's my experience that the VAST majority of the time, the person getting locked out is a valid user who made an innocent mistake trying to log in. The 3 strikes and you're out schema seems to be a bit outdated, and causes more harm (annoyance) than good.

Just curious what you all thought about this.

Brian
  From: Steve Nelson 
  To: CF-Talk 
  Sent: Tuesday, June 15, 2004 8:41 AM
  Subject: RE: locking user out after 3 incorrect attempts to log in

  Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166657
  ---
  Cookies are definitely not the only solution. 

  This would make an interesting CF contest. Who ran that CF contest a couple
  months ago?

  Steve Nelson

    _  

  From: Pascal Peters [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, June 15, 2004 3:24 AM
  To: CF-Talk
  Subject: RE: locking user out after 3 incorrect attempts to log in

  Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166613
  ---
  I see you are using session vars, so I would recommend
  session.times_logged_on. 

  But that aside, you have to realize that there is no way of really
  blocking more than x attempts to log in on a web app. All methods you
  can come up with will rely on cookies to track that and the user can
  manipulate those on his machine. If some site tells me I had too many
  attempts, I just delete the cookies for that site and happily continue
  logging in.

  Pascal 

  > -Original Message-
  > From: Doug James [mailto:[EMAIL PROTECTED] 
  > Sent: Monday 14 June 2004 21:36
  > To: CF-Talk
  > Subject: Re: locking user out after 3 incorrect attempts to log in
  > 
  > Christy, welcome to the wonderful world of CF. Speaking for 
  > everyone on the list, we hope you enjoy it and will stay and 
  > even recruit some friends.
  > 
  > Regarding your problem, check out
  > http://www.teratech.com/coldcuts/cutdetail.cfm?cutid=291
  > 
  > Doug
  > 
  > Christy wrote:

    _




RE: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread Steve Nelson
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166657
---
Cookies are definitely not the only solution. 

This would make an interesting CF contest. Who ran that CF contest a couple
months ago?

Steve Nelson

  _  

From: Pascal Peters [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 15, 2004 3:24 AM
To: CF-Talk
Subject: RE: locking user out after 3 incorrect attempts to log in

Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166613
---
I see you are using session vars, so I would recommend
session.times_logged_on. 

But that aside, you have to realize that there is no way of really
blocking more than x attempts to log in on a web app. All methods you
can come up with will rely on cookies to track that and the user can
manipulate those on his machine. If some site tells me I had too many
attempts, I just delete the cookies for that site and happily continue
logging in.

Pascal 

> -Original Message-
> From: Doug James [mailto:[EMAIL PROTECTED] 
> Sent: Monday 14 June 2004 21:36
> To: CF-Talk
> Subject: Re: locking user out after 3 incorrect attempts to log in
> 
> Christy, welcome to the wonderful world of CF. Speaking for 
> everyone on the list, we hope you enjoy it and will stay and 
> even recruit some friends.
> 
> Regarding your problem, check out
> http://www.teratech.com/coldcuts/cutdetail.cfm?cutid=291
> 
> Doug
> 
> Christy wrote:

  _




RE: locking user out after 3 incorrect attempts to log in

2004-06-15 Thread Pascal Peters
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166613
---
I see you are using session vars, so I would recommend
session.times_logged_on. 

But that aside, you have to realize that there is no way of really
blocking more than x attempts to log in on a web app. All methods you
can come up with will rely on cookies to track that and the user can
manipulate those on his machine. If some site tells me I had too many
attempts, I just delete the cookies for that site and happily continue
logging in.

Pascal 

> -Original Message-
> From: Doug James [mailto:[EMAIL PROTECTED] 
> Sent: Monday 14 June 2004 21:36
> To: CF-Talk
> Subject: Re: locking user out after 3 incorrect attempts to log in
> 
> Christy, welcome to the wonderful world of CF. Speaking for 
> everyone on the list, we hope you enjoy it and will stay and 
> even recruit some friends.
> 
> Regarding your problem, check out
> http://www.teratech.com/coldcuts/cutdetail.cfm?cutid=291
> 
> Doug
> 
> Christy wrote:




Re: locking user out after 3 incorrect attempts to log in

2004-06-14 Thread Doug James
Christy, welcome to the wonderful world of CF. Speaking for everyone on 
the list, we hope you enjoy it and will stay and even recruit some friends.

Regarding your problem, check out 
http://www.teratech.com/coldcuts/cutdetail.cfm?cutid=291

Doug

Christy wrote:

>I'm taking over a CF application that somebody else
>wrote, and I'm very new to it.  I've been able to make
>a few of the necessary changes, but now I'm stumped.
>
>I want to be able to lock the user out after 3
>incorrect attempts to log in.  I have the following
>code - first is the code to handle incorrect usernames
>and passwords, then is the session info that is set
>when the user logs in.  Do I need to add code in here
>somewhere to display a message after 3 attempts to log
>in?
>
>Thanks!
>
>You must provide a username!
>
>You must provide a password!
>
>There was a problem with that username and password!
>
>TYPE="Exclusive">