Hey everyone!

I'm using a PHP Password system made by Zubrag called 'Page Password Protect 2.13'

I am using the script as follows:

<?php
##################################################################
#  SETTINGS START
##################################################################

// Add login/password pairs below, like described above
// NOTE: all rows except last must have comma "," at the end of line
$LOGIN_INFORMATION = array(
  'passwordremovedforforum'
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', false);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://removedforforum/');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 60);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', false);

##################################################################
#  SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// show usage example
if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line):<br>&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Uploading your Work</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="pragma" content="no-cache" />

<link href="../css/reset.css" rel="stylesheet" type="text/css" />
<link href="../css/style.css" rel="stylesheet" type="text/css" />
<link href="students.css" rel="stylesheet" type="text/css" />


<!-- Load jQuery -->
<script type="text/javascript" src="../js/jquery-1.3.2.min.js"></script>
<!-- End Load -->

</head>
<body>

<div id="container">

  <!-- Begin Header -->
  <?php include("../includes/header.php"); ?>
  <!-- End Header -->

  <!-- Begin Navigation --> 
  <script type="text/javascript" src="../js/navbar.js"></script>
  <?php include("../includes/navigation.php"); ?>
  <!-- End Navigation -->

  <div class="clear"></div>

  <!-- Begin Content -->
  <div id="content">
    <h2>Welcome!</h2>
    <div class="lock">Let's upload the latest Newsletter!<br />
    Before we can go further, I will need you to enter the password.<br />
    <form method="post"><font color="red"><?php echo $error_msg; ?></font><br /> 
<?php if (USE_USERNAME) echo 'Login:<br /><input type="input" name="access_login" /><br />Password:<br />'; ?>
    <input type="password" name="access_password" />&nbsp;&nbsp;&nbsp;<input type="submit" name="Submit" value="&nbsp; Submit &nbsp;" />
  </form></div>
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) ) 
  ) {
    showLoginPasswordProtect("Incorrect password. Please try again.<br />");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');

    // Some programs (like Form1 Builder) check the $_POST array to see if parameters were passed,
    // so the password protector variables need to be cleared
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}

?>

How would I add a system in the code where, after 3 attempts at the password, it would lock the user out and not allow any more attempts for 10 minutes? This could be a redirect to a page using a cookie or something like that; I just have no idea how to add it in the code.

Any help would be lovely.

    If you are going to use cookies to store that, it won't be of much help. I suggest you create a table in the database with the following fields:

    table: login_ips

    ID
    IP (the IP of the user trying to login)
    logins (contains the number of times this user failed to login)
    expires (when will this row expire and be deleted)

    What you can do is, each time a user fails to log in, you insert his IP in this table, and if he does it again you update logins and add 1 to it.

    So when the user tries to log in, you select a row from this table where his IP matches, and if the field logins is equal to or more than, let's say, "3", show him a message that he exceeded his login attempts and that he should wait for "expires - time()" seconds to log in again.

    If you are going to use cookies for that, the user will simply clear his cookies and try to log in as much as he wants. If you're not using a database you can store that in a file or another way, but you don't want to store it on the user's machine because he will have control over it.
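The table-and-counter scheme the reply describes, and the 3-attempts / 10-minute lockout the question asks for, worked through as an added example. This is not the original Zubrag script and not the replier's code: it uses a SQLite file through PDO so it runs without a database server (the reply does not name a database), keeps the reply's table and field names (login_ips, ip, logins, expires), and the constants, function names and database path are assumptions made here.

```php
<?php
// Added example, not the original script or the replier's code: an IP-based
// lockout of the shape the reply describes, kept in a SQLite file through PDO
// so it runs without a database server (the reply leaves the database open).
// Table and field names (login_ips, ip, logins, expires) follow the reply;
// the constants, function names and the database path are assumptions.

define('MAX_ATTEMPTS', 3);           // failures allowed before the lockout
define('LOCKOUT_SECONDS', 10 * 60);  // 10 minutes, as the question asks
define('LOGIN_DB', __DIR__ . '/login_ips.sqlite');

// One shared connection; creates the table on first use.
function loginDb() {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . LOGIN_DB);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS login_ips (
            id      INTEGER PRIMARY KEY AUTOINCREMENT,
            ip      TEXT    NOT NULL UNIQUE,
            logins  INTEGER NOT NULL DEFAULT 0,
            expires INTEGER NOT NULL
        )');
    }
    return $pdo;
}

// Returns 0 when this IP may still try, otherwise the seconds left on its
// lockout ("expires - time()" in the reply's words). $now is injectable so
// the walk-through below is deterministic; normally leave it null.
function lockoutSecondsLeft($ip, $now = null) {
    $now = ($now === null) ? time() : $now;
    $pdo = loginDb();
    // Rows whose expiry has passed no longer count: delete them first.
    $pdo->prepare('DELETE FROM login_ips WHERE expires <= :now')
        ->execute(array(':now' => $now));
    $stmt = $pdo->prepare('SELECT logins, expires FROM login_ips WHERE ip = :ip');
    $stmt->execute(array(':ip' => $ip));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && (int)$row['logins'] >= MAX_ATTEMPTS) {
        return (int)$row['expires'] - $now;
    }
    return 0;
}

// Call after a wrong password: insert the IP, or add 1 to its logins count.
// Each failure pushes expires out again, so the lockout runs from the last
// failed attempt.
function recordFailedLogin($ip, $now = null) {
    $now = ($now === null) ? time() : $now;
    $pdo = loginDb();
    $upd = $pdo->prepare('UPDATE login_ips SET logins = logins + 1, expires = :exp WHERE ip = :ip');
    $upd->execute(array(':exp' => $now + LOCKOUT_SECONDS, ':ip' => $ip));
    if ($upd->rowCount() === 0) {
        $pdo->prepare('INSERT INTO login_ips (ip, logins, expires) VALUES (:ip, 1, :exp)')
            ->execute(array(':ip' => $ip, ':exp' => $now + LOCKOUT_SECONDS));
    }
}

// Call after a correct password so old failures stop counting against the IP.
function clearFailedLogins($ip) {
    loginDb()->prepare('DELETE FROM login_ips WHERE ip = :ip')
             ->execute(array(':ip' => $ip));
}

// Where this sits in the question's script (hypothetical integration): inside
// the "if (isset($_POST['access_password']))" branch, before the password is
// compared at all:
//
//   $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
//   $left = lockoutSecondsLeft($ip);
//   if ($left > 0) {
//       showLoginPasswordProtect("Too many attempts. Wait $left seconds.<br />");
//   }
//
// then recordFailedLogin($ip) where the script shows "Incorrect password",
// and clearFailedLogins($ip) just before its setcookie("verify", ...).

// Constructed walk-through with a fixed clock (runs when invoked from the CLI).
if (PHP_SAPI === 'cli') {
    @unlink(LOGIN_DB);
    $ip = '203.0.113.7';   // documentation address, not a real client
    $t  = 1700000000;
    echo "before any failure: ", lockoutSecondsLeft($ip, $t), "s\n";
    for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
        recordFailedLogin($ip, $t + $i);
    }
    echo "after ", MAX_ATTEMPTS, " failures, 60s later: ", lockoutSecondsLeft($ip, $t + 60), "s\n";
    echo "after the lockout window: ", lockoutSecondsLeft($ip, $t + LOCKOUT_SECONDS + 5), "s\n";
    clearFailedLogins($ip);
    @unlink(LOGIN_DB);
}
```

Run it with `php lockout.php` from the command line to see the counter go from open, to locked with time remaining, to open again once the row has expired and been deleted. Two things to keep in mind when wiring it into the script: the lockout check has to run before the password is compared, otherwise a locked-out IP still gets its guesses evaluated; and `$_SERVER['REMOTE_ADDR']` is the address of whatever connects directly to PHP, so behind a reverse proxy or CDN every visitor shares one counter, and on a shared NAT one person's failures lock out everyone behind the same address. The `$now` parameter exists only for the deterministic walk-through; in the real flow the functions read the clock themselves.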
