to stop hacker from login

samcentury

i am working on online payment site. i have to do following things. i have to make the site hackerproof

1) if the hacker enters wrong password for the 3 times then he can not login.

2)he should be disabled for the next 15 days.

For that i have disabled the login button if he enters wrong password for 3 times.

Now the problem is when the hacker enters wrong password for the 3 times then login button will be disabled for the 15 days and it appeares disabled in all the browsers. i dnt want that.

i create a session variable $_SESSION['count'] and increment it on every login when it becomes three the login button gets disabled and all the information about hacker like ip address of his machine, date/time when he logged in, and no of count is stored in database.

now my problem once the login button is disabled it remains disabled in all browsers for 15 days.

PLz help me. i m trying this from last 2 days. Below is the coding

session_start();
//$sessID = session_id();
//$SESSION['password']=$data['AdminPassword'];
//$SESSION['count'];
//echo "count=".$_SESSION['count'];

$data['PageName']='SYSTEM ADMINISTRATOR LOGIN';

$data['PageFile']='login';

$data['HideMenu']=true;

###############################################################################

include('../config.htm');

###############################################################################

if($post['send']){

if($data['AdminCheckIp']&&($data['Addr']!=$data['AdminIpAddress'])){

	$data['Error']='You do not have any rights to use this admin area.';

}elseif(!$post['username']){

	$data['Error']='Your username can not be empty.';

}elseif(!$post['password']){

	$data['Error']='Your password can not be empty.';

}elseif(

	$post['username']!=$data['AdminUsername']

	||

	$post['password']!=$data['AdminPassword'] 

){

	$data['Error']='Wrong administrator username or password.';


}elseif($data['UseTuringNumber']&&

	(!$post['turing']||strtoupper($post['turing'])!=$_SESSION['turing'])

){

	$data['Error']='Please enter valid turing number.';

}else{

	if($data['UseTuringNumber'])unset($_SESSION['turing']);

	$_SESSION['adm_login']=true;

	header("Location:{$data['Admins']}/index.htm");

	echo('ACCESS DENIED.');

	exit;

}

}

###############################################################################

if($data['UseTuringNumber'])$_SESSION['turing']=gencode();

###############################################################################

display('admins');

###############################################################################

template.login.htm

<?if(isset($data['ScriptLoaded'])){

session_start();

$_SESSION['count'];

$_SESSION['count']++;
$_SESSION['count'];

###################to disabled user if entered wrong password more than 3 times #####################

$today_date = date("Y-m-d h:i:s");
$days_to_add = 15;

$my_time = strtotime ($today_date); //converts date string to UNIX timestamp

$timestamp = $my_time + ($days_to_add * 86400)."<br>"; //calculates # of days passed ($num_days) * # seconds in a day (86400)
$future_date = date("Y-m-d h:i:s",$timestamp);  //puts the UNIX timestamp back into string format

$query = "SELECT * FROM admin_session WHERE date = ( select max(date) from admin_session )";
$result = mysql_query($query) or die("Select Error:".mysql_error());
$row = mysql_fetch_object($result);

$ip_add = $row->IP;
$date_db = $row->date;
$future_date_db = $row->future_date;

###########################################################################################

?><center><form method=post><table class=frame width=300 border=0 cellspacing=1 cellpadding=4><tr><td class=capl colspan=2>SYSTEM ADMINISTRATOR LOGIN</td></tr><?if($data['Error']){?><tr><td colspan=2 class=error><?=$data['Error']?></td></tr><?}?><tr bgcolor=#EEEEEE><td class=field align=right valign=top nowrap>Username:</td><td width=200><input type=text name=username size=30 maxlength=128 value="<?=$post['username']?>"></td></tr><tr bgcolor=#EEEEEE><td class=field align=right valign=top nowrap>Password:</td><td><input type=password name=password size=30 maxlength=128 value="<?=$post['password']?>"></td></tr><?if($data['UseTuringNumber']){?><tr><td class=field align=right valign=top nowrap>Turing Number:</td><td class=justify bgcolor=#EEEEEE valign=top><img class=turing src="<?=$data['Host']?>/turing.htm" width=78 height=15 border=1 align=absmiddle> <input type=text name=turing size=16 maxlength=32></td></tr><?}?><tr><td colspan=2 align=center bgcolor=#CCCCCC>

if($_SESSION['count'] > 3 || (($ip_add) && ($today_date < $future_date_db))){?>
<input type=submit disabled class=submit name=send value="LOGIN NOW!">
<?}else{?>
<input type=submit class=submit name=send value="LOGIN NOW!">
<? } ?>
</td></tr></table></form></center><?}else{?>SECURITY ALERT: Access Denied<?}?>
<?

###################to check whether user entered wrong password more than 3 times #####################

if($_SESSION['count'] > 3)
{
$date_time = date("Y-m-d h:i:s");

$sql = "INSERT INTO `admin_session` (`count` , `IP` , `date`, `future_date`) VALUES ('$_SESSION[count]', '$_SERVER[REMOTE_ADDR]', '$date_time', '$future_date')";

	$result = mysql_query($sql) or die("Insert Error:".mysql_error());


unset($_SESSION['count']);
//session_destroy();

}

###########################################################################################

greenie2600

Your scheme won't work.

Disabling the login button doesn't stop someone from posting data to your server. A cracker could just save the HTML for the login page, re-enable the button, and try logging in as many times as they like - or just write a script to automatically post login attempts to your server.

Any security measure that relies on the client to behave a certain way is, by definition, not secure - because the client might not behave that way. If you want to deny access after three failed attempts, you need to write your server-side code to refuse login attempts, not write your client-side code to disable the login button. Just because you provided certain client-side code doesn't mean someone has to use that code.

There's a second problem, too. Since your system tracks login failures by session, all a cracker would have to do to bypass it would be to get a new session ID - e.g., by closing the browser and opening a new one, or deleting their cookies.

Track failed login attempts by IP, not session, and store this data in the database, not session variables.

void_function

I agree with Greenie. Better track the user through server-side database, have a login_attempt table or something and track each attempt with a timestamp and perhaps IP. That way you can have more control. You can also have a table tracking these temporary login bans, with ID, timestamp and ID of the banned user.

In my user tables, I always keep an "status" field. If user does something wrong or temporarily account suspension is required, I change the value of that field, and all my security-sensitive scripts (login, manage content, etc) check this.

notset

http://phpbuilder.com/board/showpost.php?p=10755361&postcount=8