Authentication and Cookie question.

Stinger51

Ok, so for my web site, I've got my authentication system set up, complete with password protection (via MySQL queries) and a session counter that tracks your login attempts (limited to 3, of course). After that, I send the user a cookie, that makes them wait -xx- minutes before they can try their login again.

Pretty standard stuff, I know.

Now, what if the smart ass just deletes the cookie? True, most casual users wouldn't have a clue here. But that's why I am asking you guys. 😃

Is there a better way to do this?

Thanks in advance.

dave420

If you're talking about someone randomly trying any username/password combo, then there's no way to protect against it better than a cookie, unfortunately.

If, however, you want to block users who've forgotten their password, or who are trying to crack another account, there is a better method. If you store the last login attempt in the database, you can check any login attempts against it, and if it is set (indicating it to be used), and if it's under X minutes old deny their login. Once successfully logged in, you can clear the date.

Reply if you need more info 😉

Stinger51

I don't understand how your method can stop the crackers, other than the cookie method I am using (which ain't much, as we know).

Could you please elaborate on your scheme?

Thanks in advance.