Can anybody help me? I am a newcomer to PHP. I run http://canderson.crossvilletnscv.com/ and I would like to make the login form so that you can only have so many failed login attempts.

For example, I would like to make it so that if you fail to log in correctly after 5 attempts, you won't be able to for 10 minutes.

If anybody knows how I could do this, please let me know.

    ceanderson,

    Although I have never done this, here is a thought...

    If your site has relatively low volume, you can have it save the failed login attempt in a database (with the timestamp).

    If you are using sessions, just save the number of attempts; once it reaches 5, save the login name in the DB, with a timestamp.

    Additionally, if they close their browser, or log whatever, it will not allow logins from that login name (or however you would like to limit it).

    Once they successfully log in, or if they attempt again (after the 10 minutes) just delete the previously stored record (to prevent it from getting too bulky with junk data).

    Although I am extremely sure there is a much better way to do it, in theory, this should work.

      There is an easier way. In the login table in the database (wherever you have username and password) add two columns, failed_login_attempts and last_failed_login. The pseudocode for login should then be something like this:

      $login = "SELECT failed_login_attempts, last_failed_login FROM login WHERE username = 'something' AND password = 'something'";
      if (row is not returned)
          wrong username or password
          set failed_login_attempts = failed_login_attempts + 1 AND last_failed_login = NOW() // You might want to reset failed_login_attempts if it was more than 10 minutes since the last login
      elseif (failed_login_attempts > 5 && last_failed_login > (NOW - 10 minutes))
          too many failed login attempts
      else // login is correct
          set failed_login_attempts = 0
          do whatever else you want to do
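
Added example, not part of the thread: one way to implement the two-column approach from the last reply in PHP with PDO. The `password_hash` column, the `attempt_login` function and the in-memory SQLite demo data are assumptions; the lockout is checked before the password, so a locked account gives the same answer for right and wrong guesses.

```php
<?php
// Added example: table and counter column names follow the reply above; the rest is assumed.
const MAX_ATTEMPTS = 5;      // failures allowed before lockout
const LOCKOUT_SECONDS = 600; // 10 minutes

function attempt_login(PDO $db, string $username, string $password, int $now): string
{
    $stmt = $db->prepare('SELECT password_hash, failed_login_attempts, last_failed_login
                          FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'invalid'; // unknown user: same answer as a wrong password
    }
    $inWindow = $row['last_failed_login'] !== null
        && ($now - (int)$row['last_failed_login']) < LOCKOUT_SECONDS;
    // Lockout comes before password verification, so the response never
    // reveals whether a guess made during the lockout was correct.
    if ($inWindow && (int)$row['failed_login_attempts'] >= MAX_ATTEMPTS) {
        return 'locked';
    }
    if (password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE login SET failed_login_attempts = 0, last_failed_login = NULL
                      WHERE username = ?')->execute([$username]);
        return 'ok';
    }
    // Wrong password: restart the count if the last failure is older than the window.
    $next = $inWindow ? 'failed_login_attempts + 1' : '1'; // fixed strings, never user input
    $db->prepare("UPDATE login SET failed_login_attempts = $next, last_failed_login = ?
                  WHERE username = ?")->execute([$now, $username]);
    return 'invalid';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
           failed_login_attempts INTEGER NOT NULL DEFAULT 0, last_failed_login INTEGER)');
$db->prepare('INSERT INTO login (username, password_hash) VALUES (?, ?)')
   ->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = 1700000000; // constructed start time (Unix seconds)
for ($i = 1; $i <= 5; $i++) { // five wrong guesses, one second apart
    echo attempt_login($db, 'demo', 'guess' . $i, $t + $i), "\n";
}
echo attempt_login($db, 'demo', 'correct horse', $t + 6), "\n";       // right password, inside the window
echo attempt_login($db, 'demo', 'correct horse', $t + 5 + 600), "\n"; // right password, window elapsed
```

Because the counter is keyed on the username, anyone who knows a login name can keep that account locked, so this is usually paired with a separate per-IP throttle.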
      