I want to limit the connection attempts to my admin panel,
and I can't find a reasonable way.

cookies - useless, can be beaten by a firewall
session - time limits me
I thought to do it with a database and handle the IP of the connecter,
but I don't know how to do it =\

*and I will be more than happy to get more suggestions about secure pages.

    fishown;10886468 wrote:

    I want to limit the connection attempts to my admin panel,
    and I can't find a reasonable way.

    cookies - useless, can be beaten by a firewall
    session - time limits me
    I thought to do it with a database and handle the IP of the connecter,
    but I don't know how to do it =\

    *and I will be more than happy to get more suggestions about secure pages.

    Not sure what you mean about cookies being beat by firewalls, you can just opt to turn off cookies in your browser.

    However, if you are using any kind of HTTP authentication for keeping state, you will need to use cookies. Even sessions use cookies. (OK, you could pass a token in the URL; however, this is even less secure because URLs are very portable and much more visible than, say, a cookie token in an HTTP header.) Cookies are less secure than sessions because if you store information about the user state in a cookie, it is easily tampered with, since the point of cookies is to store information within the user's web browser. Sessions simply store a token in a cookie that refers to information server-side. This is probably the best way, but in your context, a hacker simply needs to refuse cookies and no information about connection attempts can be stored server-side, because subsequent requests will not return the session cookie (and the hacker goes on brute-force attacking your panel login).

    Now your post appears to be about brute-force login attempts. Unfortunately, there is no perfect way to do this in PHP. I think your IP address caching idea is the best method, however. Sure, you can spoof an IP address, but how will you know if your attempt was successful if the return path goes out into the ether? One idea comes to mind though. If your panel auth is session based (it probably is), an attacker could post from a spoofed IP address with a made-up session id (dunno if PHP will accept that) and just check a session-protected URL for change using his or her real IP. This is probably unlikely, so...

    You can get the real IP of a remote host via the global variable $_SERVER['REMOTE_ADDR']. Now, with this in mind, some remote hosts will be using a proxy. You probably don't want to be blocking all AOL users, for example. Many (most) proxy servers pass the real IP address in another header. To avoid going on about this, this function has been very useful to me:

    <?php
    // Returns the client's address, preferring the addresses that proxies
    // place in request headers over the TCP peer address in REMOTE_ADDR.
    // Note: these headers arrive with the request itself (whoever sends the
    // request sets them), and X-Forwarded-For may hold a comma-separated
    // list of hops rather than a single address.
    function getRemoteAddr()
    {
        $ip = "0.0.0.0";
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }
    ?>

    You can store that information in a table with a timestamp for each attempt with a simple insert statement. Then, say you'll only allow 10 logins per hour you could query like:

    -- NOW() rather than CURDATE(): CURDATE() has no time part, so
    -- "one hour before it" would be 23:00 yesterday, not an hour ago.
    SELECT COUNT(*) FROM tbl_name
    WHERE ip_address_col = '{insert remote ip address}'
      AND date_col >= DATE_SUB(NOW(), INTERVAL 1 HOUR);

    If the count returned value is over 10, just make the script die or give a friendly "sorry" message.
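Putting the reply's pieces together (client address lookup, an attempts table with a timestamp, a count over the last hour, and a cut-off at 10), here is an added PHP example that is not code from the thread. It assumes PDO with the SQLite driver so it runs stand-alone against an in-memory database; the table name login_attempts, the column names, the 10-per-hour limit and the trusted proxy address 10.0.0.1 are all constructed for the example. It departs from the posted getRemoteAddr() in one way: X-Forwarded-For is only honoured when REMOTE_ADDR is one of your own reverse proxies, because otherwise the header is whatever the sender chose to put in it and a limit keyed on it can be walked around by changing the header. Timestamps are stored as epoch seconds so the same query works on MySQL and SQLite without DATE_SUB.

```php
<?php
// Added example (not from the thread): per-IP login-attempt throttling with PDO.
// Assumptions: pdo_sqlite is available; table/column names and the trusted
// proxy list below are constructed for this example.

declare(strict_types=1);

// Resolve the client address. Only honour X-Forwarded-For when the TCP peer
// (REMOTE_ADDR) is one of our own proxies; otherwise use REMOTE_ADDR as-is.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For is "client, proxy1, proxy2"; the first entry is the
        // address our proxy saw connecting to it.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        if (filter_var($hops[0], FILTER_VALIDATE_IP) !== false) {
            return $hops[0];
        }
    }
    return $remote;
}

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_attempts_ip_time ON login_attempts (ip, attempted_at)');
}

// One row per attempt; epoch seconds keep the window query portable.
function recordAttempt(PDO $db, string $ip, int $now): void
{
    $stmt = $db->prepare('INSERT INTO login_attempts (ip, attempted_at) VALUES (:ip, :t)');
    $stmt->execute([':ip' => $ip, ':t' => $now]);
}

// Attempts from this IP inside the window. Prepared statement: the address
// is bound as a parameter, never interpolated into the SQL string.
function attemptsInWindow(PDO $db, string $ip, int $now, int $windowSeconds): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_attempts WHERE ip = :ip AND attempted_at >= :since');
    $stmt->execute([':ip' => $ip, ':since' => $now - $windowSeconds]);
    return (int) $stmt->fetchColumn();
}

// True when the request may proceed to the password check. Over the limit,
// the caller should stop here and show the friendly "sorry" message.
function allowLogin(PDO $db, string $ip, int $now, int $limit = 10, int $windowSeconds = 3600): bool
{
    if (attemptsInWindow($db, $ip, $now, $windowSeconds) >= $limit) {
        return false;
    }
    recordAttempt($db, $ip, $now);
    return true;
}

// Stand-alone demo with constructed request data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

$trusted = ['10.0.0.1'];   // hypothetical reverse proxy in front of the panel
$direct  = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.9'];
$proxied = ['REMOTE_ADDR' => '10.0.0.1',    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.1'];

echo "direct client resolves to ", clientIp($direct, $trusted), "\n";
echo "proxied client resolves to ", clientIp($proxied, $trusted), "\n";

$now = 1700000000;
$ip  = clientIp($direct, $trusted);
for ($i = 0; $i < 12; $i++) {
    $allowed = allowLogin($db, $ip, $now + $i);
    echo "attempt ", $i + 1, ": ", $allowed ? "allowed" : "blocked", "\n";
}
echo "an hour later: ", allowLogin($db, $ip, $now + 3601) ? "allowed" : "blocked", "\n";
```

Two design points worth noting. The count is taken before the row is inserted and the insert happens for allowed attempts only, so a blocked client cannot extend its own lock-out window by hammering the form; the first ten attempts in the demo pass and the rest are refused until the oldest rows age out of the hour. The header value from the direct request is ignored because 203.0.113.5 is not a trusted proxy, which is the property the posted getRemoteAddr() does not give you on its own.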

      By the time you answered, I had almost figured it all out.

      Thank you for the proxy information, I didn't know that.
      I will change my code from the last code and will use this function, thanks mate.
      And thanks for the SQL query.

      Helped me a lot. 🆒