...

View Full Version : How to lock an account 4 tries to log in ??



renu-86
02-16-2010, 08:16 AM
in my website , user login with username and password .. what i need to do is ,
if the user types wrong password for 4 times and he fails , account should be locked , after 4 tries only administrator should be able to log in . then tat user will be able to log in only after administrator changes his password ..
how can i implement this??

Dormilich
02-16-2010, 08:56 AM
that depends on how you save the user credentials. for instance, if you have the credentials in a database, you can add a field counting the unsuccessful login trials. if the number is 4, then deny any access attempts (even if the password is correct).

renu-86
02-16-2010, 10:32 AM
i am keeping a dateabase of all users ...
How can i count the login attempts??

Dormilich
02-16-2010, 12:14 PM
every time the user tries to log-in, increment the value of the failed-attempts-field if the password doesn’t match*.

* - I’d use a Stored Procedure for that, but that may be too advanced yet.

Philip M
02-16-2010, 12:33 PM
every time the user tries to log-in, increment the value of the failed-attempts-field if the password doesn’t match*.

* - I’d use a Stored Procedure for that, but that may be too advanced yet.

Presumably the value is set back to 0 after so many minutes/hours.

renu-86
02-17-2010, 10:09 AM
Thanks
what i have tried is .......


$result=mysql_query("SELECT * FROM "USERS" where email='".($_POST['email'])."'");


if($a=mysql_fetch_array($result))
{

if($a["email"]==$email)
{

if($a["password"]==$password)
{
header("location:after_login.php");
}
else
{

if ($_SESSION['attempts']>3)
{
echo "Account locked";
}

}

}


}

if a user fails to log in for the 4th time , it will display "account locked" . but sessions goes on incrementing even after i close the browser and open it again and try to log in with the same user..

i want to reset the session to 0 when its value reaches 3..
hope u can help me now.
any help will be appreciated..

Dormilich
02-17-2010, 10:18 AM
not very logic, but that’s how I understood you.

if ($_SESSION['attempts']>3)
{
echo "Account locked";
$_SESSION['attempts'] = 0;
}

DaiWelsh
02-17-2010, 10:57 AM
Keeping the "lock-out" in session means it is not really a lock-out at all. This is presumably a security feature to prevent brute force attacks so it needs to be server side not dependent on session cookie supplied by the suspect client.

As someone suggested you need to add a column in your users table called e.g. failed_logins then change your code to something like (untested):



$result=mysql_query("SELECT * FROM `USERS` where email='".($_POST['email'])."'");
if($a=mysql_fetch_array($result)) {
if($a["failed_logins"] >= 3) {
echo('Sorry your account has been locked out, please contact the administrator');
} else {
if(($a["email"]==$email) and ($a["password"]==$password)) {
if($a["failed_logins"]) {
mysql_query("UPDATE `USERS` SET failed_logins = 0 WHERE email='".($_POST['email'])."'");
}
header("location:after_login.php");
} else {
mysql_query("UPDATE `USERS` SET failed_logins = failed_logins + 1 WHERE email='".($_POST['email'])."'");
}
}
}


This will add one to failed logins each time they provide wrong details, lock them out after 3 bad attempts and clear the failed logins count if they successfully lg in.

HTH,

Dai

SKDevelopment
02-17-2010, 11:11 AM
$result=mysql_query("SELECT * FROM `USERS` where email='".($_POST['email'])."'");
(in the quote I have replaced "USERS" with `USERS`)

Please also notice that using $_POST['email'] like this directly in your query is very not secure. An SQL injection attack against your site would be possible. Please apply mysql_real_escape_string() (http://us.php.net/mysql_real_escape_string) to $_POST['email'] as well as to any string values you get from $_GET, $_POST, $_COOKIE etc. before using it in the queries. Numeric values could be cast to the corresponding type explicitly using intval() (http://us.php.net/intval) for integers and floatval() (http://us.php.net/floatval) for floating point values.

Using any potential user input in queries directly without escaping/validation is very dangerous.

johnnnn
02-18-2010, 01:55 AM
You could set a session variable, and each time the user's login is unsuccessful, add 1 to the session variable.

For example:



<?php
session_start(); // Remember to call this!
$_SESSION['attempts'] = 0;

if(login is successful) {
# do stuff here
} else {
# do stuff here!
# (error message, redirect, etc)
$_SESSION['attempts'] += 1;
}

if($_SESSION['attempts') >= 4) exit('Too many failed login attempts.');

SKDevelopment
02-18-2010, 08:17 AM
You could set a session variable, and each time the user's login is unsuccessful, add 1 to the session variable.

For example:



<?php
session_start(); // Remember to call this!
$_SESSION['attempts'] = 0;

if(login is successful) {
# do stuff here
} else {
# do stuff here!
# (error message, redirect, etc)
$_SESSION['attempts'] += 1;
}

if($_SESSION['attempts') >= 4) exit('Too many failed login attempts.');


Since sessions are suggested again, I think I've better say this ... Just to make sure danger of using sessions for this task is understood properly by any possible readers who could read this thread.

Using a session variable for this would provide almost no protection against an attacker. Please see the post by DaiWelsh (post #8). He is absolutely right.

A user could simply close his browser. And then open it again - at the default session behavior he would have a different session. So he could start trying again.

And a potential attacker would not use a browser for a brute force attack at all. He would emulate the browser. And simply not send the session cookie HTTP header having new session on each request. In this case the attempts counter would never raise bigger than 1.

You would need to use the DB for this task I am afraid. As it has been already explained by DaiWelsh and mentioned by Dormilich before him.

syosoft
02-20-2010, 03:21 PM
The only real solution is to do it IP based in some sort of table separate from the users table for brute force on an unknown account and to also use a users table solution for brute force password attacks on a known account.

Log the IP and number of attempts in a db table, date it, and consider it valid for 10 minutes.

SKDevelopment
02-20-2010, 03:41 PM
You could use an IP-based method as an additional method of checking only I think. IP's are not completely reliable. E.g. AOL users could have different IP on each page request.

syosoft
02-20-2010, 07:59 PM
That is completely true. I'm curious what solution you'd suggest for a bot attack? or simply someone with cookies turned off. Proxys are a concern, but an IP (checking for x referer) should be implemented as it should catch a fair amount of potentials.

SKDevelopment
02-21-2010, 12:27 PM
As far as I have understood the OP, he was going to block people if for some login a password was entered incorrectly for 4 times. A solution for such a problem would most probably use a database. Such things are often done when security matters really much. Of course a solution of this kind could have the following disadvantage: if someone knows someone else's login (or could make a guess on it), he could simply enter it for 4 times with absolutely any password just to block the first guy. Still I see such an approach used at some systems where security is really important.

If security is not that important then yes, you are absolutely right. I also use blocking by IP just to lessen the number of attempts to some reasonable number. I also usually check the IP the user had before a proxy server ($_SERVER["HTTP_X_FORWARDED_FOR"]) if it is set (together with $_SERVER['REMOTE_ADDR'] because $_SERVER["HTTP_X_FORWARDED_FOR"] is formed by an HTTP header and could not be really reliable). Yes, it does not give 100% protection against such attacks for sure, but as you absolutely correctly said in your post, catches a fair amount of potentials.

I only wanted to underline the idea for the OP that blocking by IP could be not absolutely reliable. This is why I have replied. As you have said absolutely correctly, it would cut a fair amount, not all. This is why it is good (really good) but if security is very important, I would use this as an additional check only.

As to the bots, I use CAPTCHA where I really do not need bot attacks. I had an experience when even the simplest CAPTCHA containing only digits and no distortion stopped bots immediately. One of the clients told me that he started to get 1-2 letters from people a day from his on-line contact form (instead of several hundreds a day) after a simple CAPTCHA has been added to the form.

A good CAPTCHA would not be session-dependent from my point of view. And would use a database. A worse but a little bit simpler solution could be based on sessions and would not use database at all. Of course both solutions would require the GD library availability. I usually also add some distortions like dots and lines to the images.

Also I am trying to make any security checks not too fast. Sometimes I intentionally set a 1-2 seconds delay with sleep() only to make the login/password check a little bit slower. From what I know about protection, a better protection is a slow protection.

Honestly speaking, I also tried to experiment with different methods of forms protection. But this is all which I am using currently.

Other things about security are general and well known. Also I think you know all this without me ... I never store passwords, only hashes made with sha1() (not really reliable but at least better than md5). I use salt to make it difficult to use rainbow tables attacks. I use session_regenerate_id() after logging in etc. But all this is a little bit an off-topic here probably so I am mentioning this only.

Still I think I have not said anything you have not known already Syosoft. If this is the case (and I think it is) then I am sorry for the not informative post.

renu-86
02-23-2010, 05:44 AM
Thanks for the help ..
what i have tried is ..


$result=mysql_query("SELECT * FROM "USERS" where email='".($_POST['email'])."'");




if($a=mysql_fetch_array($result))
{
if($a["failed_login"] >= 3)
{

echo "Account locked";
}
else
{

if(($a["email"]==$email) and ($a["password"]==$password))
{

mysql_query("UPDATE ".TABLE_USERS." SET failed_login=0 WHERE email='".($_POST['email'])."'");


header("location:after_login.php");
}
else
{
echo "Invalid password";
mysql_query("UPDATE ".TABLE_USERS." SET failed_login = failed_login + 1 WHERE email='".($_POST['email'])."'");
}
}
}

its working fine , but the problem is..
when a user log in and tries to login 2 times unsuccesfully , value in the database will be 2 . if the user closes the browser and tries to open the browser after sometime and log in , user will be able to atempt only the remaining 2 times , value in database will become 4 by then.. how to solve this problem?? please help...

renu-86
02-23-2010, 01:01 PM
any help will be appreciated ..

sorry for the trouble.

Dormilich
02-23-2010, 02:32 PM
when a user log in and tries to login 2 times unsuccesfully , value in the database will be 2 . if the user closes the browser and tries to open the browser after sometime and log in , user will be able to atempt only the remaining 2 times , value in database will become 4 by then.. how to solve this problem?? please help...

what problem? do you want a time limit, after which you have 3 trials again?



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum