PHP Limit Login Attempts

akacj

Hi,

I have a user registration system on my website and I would like to limit the login attempts. If someone inputs the wrong username/password three times, then it will block their IP address for a certain amount of time. I want to use a database with this.

I don't have the slightest knowledge how to do this, so if someone could elaborate for me.(Like in steps)

Thanks in Advance. 🙂

Below is the Login.php file

<?php session_start(); $ref = $_SERVER['HTTP_REFERER'];

if(isset($_SESSION['username'])) {

include('header.php');
echo '<div class="error_message">Attention! You are already logged in.</div>';
echo "<h2>What to do now?</h2><br />";
echo "Go <a href='javascript:history.go(-1)'>back</a> to the page you were viewing before this.</li>";
include('footer.php');

exit();
}

// Has an error message been passed to login.php?
$error = $_GET['e'];

if($error == 1) {
    $error = '<div class="error_message">Attention! You must be logged in to view this page.</div>';
}

// Only process if the login form has been submitted.

if(isset($_POST['login'])) {

$username = $_POST['username']; 
$password = $_POST['password']; 

if (!isset($username) || !isset($password)) { 
	header( "Location: home.php" ); exit();
} elseif (empty($username) || empty($password)) { 
	$error = '<div class="error_message">Attention! Please enter your Username and Password.</div>';
} else { 

// Add slashes to the username and md5() the password 
$user = mysql_real_escape_string(addslashes($_POST['username'])); 
$pass = mysql_real_escape_string(md5($_POST['password'])); 


$sql = "SELECT * FROM login_users WHERE username='$user' AND password='$pass'"; 
$result = mysql_query($sql);

// Check that at least one row was returned 
$rowCheck = mysql_num_rows($result); 

if($rowCheck > 0) { 
while($row = mysql_fetch_array($result)) { 

  // Start the session and register a variable 

  session_start(); 
  $_SESSION['username'] = $user;
  //session_register('username'); 

  header("Location: ".$ref); exit();

  } 

  } else { 

  // If nothing is returned by the query, unsuccessful login code goes here... 

  $error = '<div class="error_message">Attention! Incorrect username or password.</div>'; 
  } 
}
}

if(stristr($_SERVER['PHP_SELF'], 'admin')) { include('../header.php'); } else { include('header.php'); }

echo $error; ?>

<h2>Login</h2>

<form method="POST" action=""> 
<label>Username</label><input type="text" name="username" size="20"> 
<br />
<label>Password</label><input type="password" name="password" size="20"> 
<br />
<input type="submit" value="Submit" name="login"> 
</form> 

<p><a href="forgotten.php">Forgotten Password?</a></p>

<p>Not registered yet? It's free, quick &amp; easy to do so <a href="sign_up.php">here</a></p>

<?php if(stristr($_SERVER['PHP_SELF'], 'admin')) { include('../footer.php'); } else { include('footer.php'); } ?>

ixalmida

Pre-login:

// Increment login count...
mysql_query("UPDATE Users SET login_count = login_count + 1 WHERE username = 'some user'");

// Fetch login count...
$result = mysql_query("SELECT login_count WHERE username = 'some user'");
$login_count = mysql_result($result, 0);

// Check login count...
if($login_count >= 5)
{
  // Sleep, die, redirect, or whatever here...
}

Post-login:

// Reset login count...
mysql_query("UPDATE Users SET login_count = 0 WHERE username = 'some user'");

bradgrafelman

Note that ixalmedia's solution can easily lead to a denial of service attack. For example, all I have to do is design a PHP script that pings your login script three times per username, supply it with a list of usernames, and I can instantly lock out many users from legitimately logging in.

akacj

I'm still not sure how to do it....

ixalmida

Note that ixalmedia's solution can easily lead to a denial of service attack.

Really Brad...?

Firstly, I didn't even suggest a user lockout. You'll clearly note the word "Sleep" as the first word in my comment section.

Secondly, how would an attacker get a list of user names? Do you sell user lists? I certainly don't. My company won't even put together a company-wide phone directory because they don't like having all the employee names published in one place.

You might notice that I only reply to posts that nobody has deigned to answer for at least a day or two. So instead of taking issue with me personally, why don't you just make a better, more timely suggestion if you have one?

bradgrafelman

ixalmida wrote:
Firstly, I didn't even suggest a user lockout. You'll clearly note the word "Sleep" as the first word in my comment section.

I had assumed that was the general idea for that section in your code. However, re-reading the OP's first post, I see now that they wanted to block the specific IP address.

Still, if someone else were to guess passwords wrong two times, then a legitimate user comes along and accidentally fat-fingers a key once, your code above would then consider this the third attempt and then lock-out the legitimate user.

ixalmida wrote:
Secondly, how would an attacker get a list of user names?

Since I don't know what this login system leads to, I can't answer that. Take PHPBuilder's login system for example. How would an attacker get a list of usernames? Simply by clicking on the "Members List" link.

ixalmida wrote:
So instead of taking issue with me personally

Don't know why you're being so abrasive; I don't have any issue with you personally.

ixalmida wrote:
why don't you just make a better, more timely suggestion if you have one?

Sure!

@: One way to do this would be with the user of either cookies or sessions. Before allowing them to even attempt to login, see if their IP address is in your "banned" table in the DB and if the timestamp field is within the range you specify (e.g. within the past 3 hours - whatever you'd like). If it isn't, then simply display the login form as normal.

Then, for every invalid login attempt, increment some counter variable (in the cookie or session from above). Then, before allowing them to login again, check if that counter variable is more than 2. If it is, add their IP to the database (with the current time) and deny any further login attempts.

Note that blocking via IP address has the following disadvantages/weaknesses:

Workstations at many schools/business/corporations/etc. all sit behind a common proxy/gateway, meaning that they share a very limited (perhaps even one) external IP addresses. In other words, if you lock-out one user, you could be blocking an entire building.
A new IP address is quite easy to get for free; there are numerous open proxies, free VPNs, etc. etc. out there.
I don't know if this still applies, but AOL had a number of proxy servers, and each request made by a single AOL user could have been serviced through any of those servers. In other words, it was very common in the past to see an AOL user's IP address to change many times from one request to another.