lock unsuccessful attempt

AndreF

I want to lock login attempt for 60 minutes after 3 unsuccessful login attempt.
how can I do it?

NogDog

Add two columns to the user data table for a failed attempt counter and last login date/time. On an unsuccessful login, increment the counter and save the current date/time. On a successful login, if the counter >= 3 and date/time + 60min <= now(), then do not log them in and display an error, else reset the counter to 0 and let them in.

MarkR

Are you going to do that based on account, or client IP address? Think about it carefully as either approach could result in potential denial of service to legitimate users.

Mark

bradmasterx

(EDITIED BIT)
I have just thought you could just has a logins table, and has login times and if it was successfull or not and if NO within the last 3 times tried using "LIMIT 3" and if ne of them equal failed then set the user table where you might want an other feild called disableTime and have it set to the time in 60mins.
you could improve further
(EDITIED BIT)
there is always a way arround:
cookies : delete cookies
ip : change ip with myIpChaner
session: restart browser
there the only way i know to set the timeout but there are ways arround.

AndreF

Bradmasterx:

I don't think the tricks you said will work with NogDog method as this is per user account and not by ip, cookie and sesion. will it work to trick it?

AndreF

NogDog:

so after 60 minutes, if this is still unsuccessful should I update counter from 3 to 1 or just increment it to 4?

NogDog

AndreF wrote:
NogDog:

so after 60 minutes, if this is still unsuccessful should I update counter from 3 to 1 or just increment it to 4?

I guess it depends on whether you want to disable based on there being 3 consecutive failures within the last 60 minutes (reset to 1), or 3 consecutive failures with the last one being no more than 60 minutes ago (reset to 4). If the latter, to be as robust as possible you might want to just set it to 3 again, just in case some robot script or such would run enough failed attempts to overflow whatever the max amount is for that field. (You could use MIN(3, failures + 1) for the value so that it's never more than 3.)