Login: three attempts

lucianoes

PHP's manual explains how to provide authentication and protect a page with login and password.

But how would you go about giving the user three chances to enter the right login/password combination before they get an error message?

Thank you,
Luciano ES
Santos, SP - Brasil

amcgrath

Pass a flag var keeping track of it... that sohuld work for ya...

fitzbean

Wouldnt the user be able to use the back button to get additonal chances?

lucianoes

I am not sure I understand what you mean.

Anyway, here is the code I am trying to use, which is not working:

/ $user_login and $user_pass are established earlier in the script. /

<?php

function login(&$count)
{
global $PHP_AUTH_USER, $PHP_AUTH_PW, $user_login, $user_pass, $count;

if (!isset ($PHP_AUTH_USER) )
{
header("WWW-Authenticate: Basic realm=\"$user\"");
header("HTTP/1.0 401 Unauthorized");
{print "Operation canceled\n";} exit;
}

else
{
if ( ($PHP_AUTH_USER == $user_login) && ($PHP_AUTH_PW == $user_pass) )
{$count = '4';}
else {print '<p>Login error. Access denied.</p>';}
unset ($PHP_AUTH_USER, $PHP_AUTH_PW); $count++;
}
}
}
// 
global $HTTP_REFERER;
if (preg_match ("/http:\/\/127.0.0.1\//", "$HTTP_REFERER") )
{$go_ahead = 'go_ahead';}
else {$count = 0; while ($count < 3) {login($count);} }

print "count = $count<br>"; // just to check if counter is working

if ($count <= 3) {die();}
else {$go_ahead = 'go_ahead';}

?>

Ideas?
Thank you,
Luciano ES
Santos, SP - Brasil

Anon

You might want to create a function that logs the number of auth attempts. You could place the number in a session variable or database or whatever. Here's the scheme:

step 1) user enters protected area
step 2)auth is tested in this order;
if($log_fail == 4) return false and send them to a "get lost" page;
then test userid/password data;
if(false) { increment $log_fail }
else { you're good to go }

This way, we check the status of $log_fail with each login attempt before checking the user data. Let me know if this helps

heyrad