...

Preventing Login Attacks



wldrumstcs
10-13-2009, 08:35 PM
I am just going to re-write this post. What is the best way to prevent a user from trying to login many times? Keeping track of it in a database seems to be the best way to do that, but I have no idea which information I should be storing in the database to keep track of the number of login attempts by a user. Should I try keeping track of IP addresses that attempt login attacks, i.e. more than 5 attempts in a short period of time? Obviously the problem with that one is that a smart user could use multiple IP addresses to attack from.

What are your ideas?

Thanks.

CFMaBiSmAd
10-13-2009, 08:56 PM
Since that is pseudocode, it will be a little hard to help you debug what is wrong with your actual code.

However, you cannot store the failed attempt count or the information about the 60 delay using session variables because all someone would need to do is drop the current session id, then attempt to log in again and they will get a fresh set of attempts. You must store the failed attempt count and any information about the delay time in a database table.

wldrumstcs
10-13-2009, 09:08 PM
I could do that. What kind of information should I be storing? I know that a very determined user could get around just about anything, but what info, i.e. IP addresses etc., would be useful for keeping track of a user's attempts? After a successful login, would I just wipe out their entries in my "repeated login" DB?

Thanks!

CFMaBiSmAd
10-13-2009, 09:23 PM
What kind of information should I be storing?

The same thing you are using session variables to store now, the failed count and, when the account is locked out, the date/time of the lockout.

You simply add columns for these to the user table. At the point of doing a failed attempt count and timed account lockout, all you really care about is what someone is doing per username. If they attempt using multiple IP addresses, that does not matter. If they exceed the maximum failed attempt count for any username, it does not matter if each one came from a different ip address.

If the correct username/password is entered, that should reset the failed attempt count and allow login (the real user either remembered his real information or someone else locked his account out and the real user logged in.)
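The scheme described in the two posts above (keep the failed count and lockout time in the database rather than the session, count per username regardless of IP address, and reset the count on a correct login) as a worked example. This is added illustration code, not code from the original poster or from this thread; the table layout, the threshold of 5 attempts, the 60-second lockout window and the PBKDF2 password hashing are all assumptions made here, and sqlite3 stands in for whatever database the site uses.

```python
import hashlib
import hmac
import os
import sqlite3
import time

MAX_FAILED = 5        # failed attempts before the username is locked (assumed threshold)
LOCKOUT_SECONDS = 60  # length of the timed lockout (assumed)


def open_db():
    """Create an in-memory user table with the two extra columns the post describes.

    Because the counters live in the table rather than the session, a client that
    drops its session cookie and starts over still sees the same failed_count.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               username     TEXT PRIMARY KEY,
               salt         BLOB NOT NULL,
               pw_hash      BLOB NOT NULL,
               failed_count INTEGER NOT NULL DEFAULT 0,
               locked_at    INTEGER   -- unix time of the lockout, NULL when not locked
           )"""
    )
    return db


def hash_password(password, salt):
    # Assumed hashing scheme for the example; the thread does not specify one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))
    db.commit()


def attempt_login(db, username, password, now=None):
    """Return 'ok', 'locked' or 'bad'. Everything is tracked per username; the
    client's IP address is never consulted, so spreading attempts over many
    addresses gains the attacker nothing."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT salt, pw_hash, failed_count, locked_at FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        # Unknown username: spend the same hashing time as a real one so the
        # response time does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return "bad"
    salt, pw_hash, failed_count, locked_at = row

    if locked_at is not None:
        if now - locked_at < LOCKOUT_SECONDS:
            # Inside the lockout window: refuse without even checking the password.
            return "locked"
        # Window has expired: clear the lock and start counting afresh.
        failed_count = 0
        db.execute("UPDATE users SET failed_count = 0, locked_at = NULL WHERE username = ?",
                   (username,))

    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        # Correct credentials reset the counter, as the post recommends.
        db.execute("UPDATE users SET failed_count = 0, locked_at = NULL WHERE username = ?",
                   (username,))
        db.commit()
        return "ok"

    failed_count += 1
    # Record the lockout time on the attempt that trips the threshold.
    new_lock = now if failed_count >= MAX_FAILED else None
    db.execute("UPDATE users SET failed_count = ?, locked_at = ? WHERE username = ?",
               (failed_count, new_lock, username))
    db.commit()
    return "bad"


def demo():
    """Walk one username through the lockout cycle and return the outcomes.
    The timestamps are constructed so the run is deterministic."""
    db = open_db()
    add_user(db, "alice", "correct horse")   # constructed test account
    results = [attempt_login(db, "alice", "wrong", now=1000) for _ in range(MAX_FAILED)]
    results.append(attempt_login(db, "alice", "correct horse", now=1010))  # still locked
    results.append(attempt_login(db, "alice", "correct horse", now=1060))  # window over
    results.append(attempt_login(db, "nobody", "anything", now=1061))      # unknown user
    results.append(db.execute("SELECT failed_count FROM users WHERE username = 'alice'")
                   .fetchone()[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Note that during the lockout window even the correct password is refused; the timed window (rather than a permanent lock) is what keeps a stranger who deliberately burns five attempts on someone else's username from shutting that user out for good.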

wldrumstcs
10-13-2009, 09:50 PM
The big issue I see with that approach is, say my DB gets compromised, the attacker could repeatedly try to login on all the usernames, locking all of them out. I realize no way is 100% foolproof, but there has to be a better way.

oracleguy
10-13-2009, 10:02 PM
The big issue I see with that approach is, say my DB gets compromised, the attacker could repeatedly try to login on all the usernames, locking all of them out. I realize no way is 100% foolproof, but there has to be a better way.

If that happens, does it really matter? They would have all the data stored on the site so they might not even need to login. If they wanted to and had write access, they could just change someone's password on the site and login.

wldrumstcs
10-13-2009, 10:07 PM
Touché.


