  1. #1
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts

    How to lock an account after 4 failed tries to log in?

    In my website, users log in with a username and password. What I need to do is:
    if the user types the wrong password 4 times and fails, the account should be locked. After 4 tries only the administrator should be able to log in. Then that user will be able to log in only after the administrator changes his password.
    How can I implement this?

  • #2
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,286
    Thanks
    12
    Thanked 343 Times in 339 Posts
    that depends on how you save the user credentials. for instance, if you have the credentials in a database, you can add a field counting the unsuccessful login trials. if the number is 4, then deny any access attempts (even if the password is correct).
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #3
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I am keeping a database of all users ...
    How can I count the login attempts?

  • #4
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,286
    Thanks
    12
    Thanked 343 Times in 339 Posts
    every time the user tries to log-in, increment the value of the failed-attempts-field if the password doesn’t match*.

    * - I’d use a Stored Procedure for that, but that may be too advanced yet.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #5
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,011
    Thanks
    203
    Thanked 2,538 Times in 2,516 Posts
    Quote Originally Posted by Dormilich View Post
    every time the user tries to log-in, increment the value of the failed-attempts-field if the password doesn’t match*.

    * - I’d use a Stored Procedure for that, but that may be too advanced yet.
    Presumably the value is set back to 0 after so many minutes/hours.

  • #6
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks
    what i have tried is .......

    PHP Code:
    session_start(); // $_SESSION is used below; the posted snippet did not show this call
    $email    = $_POST['email'];    // assumed: the snippet compares against $email and $password
    $password = $_POST['password']; // without showing where they are set

    // $_POST['email'] is pasted straight into the SQL string (see post #9);
    // "USERS" in double quotes inside the string was a syntax error, fixed to `USERS`
    $result = mysql_query("SELECT * FROM `USERS` WHERE email='" . $_POST['email'] . "'");

    if ($a = mysql_fetch_array($result)) {
        if ($a["email"] == $email) {
            if ($a["password"] == $password) {
                header("Location: after_login.php");
            } else {
                // the counter the post describes; the increment was left out of the posted snippet
                $_SESSION['attempts'] = isset($_SESSION['attempts']) ? $_SESSION['attempts'] + 1 : 1;
                if ($_SESSION['attempts'] > 3) {
                    echo "Account locked";
                }
            }
        }
    }
    If a user fails to log in for the 4th time, it will display "Account locked". But the session counter goes on incrementing even after I close the browser, open it again and try to log in with the same user.

    I want to reset the session to 0 when its value reaches 3.
    Hope you can help me now.
    Any help will be appreciated.

  • #7
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,286
    Thanks
    12
    Thanked 343 Times in 339 Posts
    Not very logical, but that’s how I understood you.
    PHP Code:
    if ($_SESSION['attempts'] > 3) {
        echo "Account locked";
        $_SESSION['attempts'] = 0; // reset the counter once the message has been shown
    }
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #8
    New Coder
    Join Date
    Aug 2003
    Location
    Derby, UK
    Posts
    97
    Thanks
    0
    Thanked 14 Times in 14 Posts
    Keeping the "lock-out" in session means it is not really a lock-out at all. This is presumably a security feature to prevent brute force attacks so it needs to be server side not dependent on session cookie supplied by the suspect client.

    As someone suggested you need to add a column in your users table called e.g. failed_logins then change your code to something like (untested):

    PHP Code:
    // $_POST['email'] is still concatenated into the query here; see post #9
    $result = mysql_query("SELECT * FROM `USERS` WHERE email='" . $_POST['email'] . "'");
    if ($a = mysql_fetch_array($result)) {
        if ($a["failed_logins"] >= 3) {
            // locked: refuse before the password is even compared
            echo('Sorry your account has been locked out, please contact the administrator');
        } else {
            if (($a["email"] == $email) and ($a["password"] == $password)) {
                if ($a["failed_logins"]) {
                    // a successful login clears any earlier failures
                    mysql_query("UPDATE `USERS` SET failed_logins = 0 WHERE email='" . $_POST['email'] . "'");
                }
                header("Location: after_login.php");
            } else {
                // wrong details: count the failure in the database, not in the session
                mysql_query("UPDATE `USERS` SET failed_logins = failed_logins + 1 WHERE email='" . $_POST['email'] . "'");
            }
        }
    } // this closing brace was missing from the posted version

    This will add one to failed logins each time they provide wrong details, lock them out after 3 bad attempts and clear the failed logins count if they successfully log in.

    HTH,

    Dai

  • #9
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    Quote Originally Posted by renu-86 View Post
    PHP Code:
    $result=mysql_query("SELECT * FROM `USERS` where email='".($_POST['email'])."'"); 
    (in the quote I have replaced "USERS" with `USERS`)

    Please also notice that using $_POST['email'] like this directly in your query is very insecure. An SQL injection attack against your site would be possible. Please apply mysql_real_escape_string() to $_POST['email'] as well as to any string values you get from $_GET, $_POST, $_COOKIE etc. before using them in the queries. Numeric values could be cast to the corresponding type explicitly using intval() for integers and floatval() for floating point values.

    Using any potential user input in queries directly without escaping/validation is very dangerous.
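    The following is an added example, not code from the thread or from any of the posters, that puts together the advice in posts #2, #4, #8 and #9 in one runnable script: the failed-login counter lives in the users table, the lock is checked before the password is compared, a successful login clears the counter, and the only unlock path is an administrator setting a new password (post #1). PDO prepared statements replace string concatenation, and password_hash()/password_verify() replace plain-text passwords. The table layout, the in-memory SQLite database, the sample accounts and the MAX_FAILED_LOGINS constant are assumptions made so the script runs stand-alone with `php lockout.php`.

```php
<?php
// Added example, not from the thread: per-account lockout stored in the
// users table (posts #2, #4, #8) with prepared statements (post #9).
// Table layout, SQLite in-memory DB and sample accounts are assumptions.
declare(strict_types=1);

const MAX_FAILED_LOGINS = 4;

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        email         TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        failed_logins INTEGER NOT NULL DEFAULT 0,
        is_admin      INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample accounts; passwords are stored only as bcrypt hashes.
    $ins = $db->prepare('INSERT INTO users (email, password_hash, is_admin) VALUES (?, ?, ?)');
    $ins->execute(['user@example.com',  password_hash('correct-horse', PASSWORD_DEFAULT), 0]);
    $ins->execute(['admin@example.com', password_hash('admin-secret',  PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns 'ok', 'locked' or 'denied'. The email is bound as a parameter,
// so whatever the user typed is compared as data and never parsed as SQL.
function attemptLogin(PDO $db, string $email, string $password): string
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $sel = $db->prepare('SELECT password_hash, failed_logins FROM users WHERE email = ?');
    $sel->execute([$email]);
    $user = $sel->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Unknown address: still run a hash check so the response time does
        // not reveal which addresses exist, then answer as for a wrong password.
        password_verify($password, $dummyHash);
        return 'denied';
    }
    // The lock is checked first, so a locked account is refused even with the
    // correct password (post #2) and the counter stops growing.
    if ((int) $user['failed_logins'] >= MAX_FAILED_LOGINS) {
        return 'locked';
    }
    if (password_verify($password, $user['password_hash'])) {
        $db->prepare('UPDATE users SET failed_logins = 0 WHERE email = ?')->execute([$email]);
        return 'ok';
    }
    $db->prepare('UPDATE users SET failed_logins = failed_logins + 1 WHERE email = ?')
       ->execute([$email]);
    return 'denied';
}

// Only an administrator may set a new password; doing so also clears the
// lock, which is the unlock path the original question asks for.
function adminResetPassword(PDO $db, string $adminEmail, string $targetEmail, string $newPassword): bool
{
    $chk = $db->prepare('SELECT is_admin FROM users WHERE email = ?');
    $chk->execute([$adminEmail]);
    if ((int) $chk->fetchColumn() !== 1) {
        return false;
    }
    $upd = $db->prepare('UPDATE users SET password_hash = ?, failed_logins = 0 WHERE email = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $targetEmail]);
    return $upd->rowCount() === 1;
}

// Walk-through: four wrong passwords lock the account, the right password is
// then refused, and an admin reset makes the account usable again.
$db = setupDb();
for ($i = 1; $i <= 4; $i++) {
    printf("wrong password #%d: %s\n", $i, attemptLogin($db, 'user@example.com', 'guess' . $i));
}
printf("correct password while locked: %s\n", attemptLogin($db, 'user@example.com', 'correct-horse'));
printf("admin reset: %s\n", adminResetPassword($db, 'admin@example.com', 'user@example.com', 'new-pass') ? 'done' : 'refused');
printf("login with new password: %s\n", attemptLogin($db, 'user@example.com', 'new-pass'));
```

    Because the counter is in the database row and not in a cookie-backed session, closing the browser or sending no cookie at all does not reset it, which is the point DaiWelsh makes in post #8. Against a real MySQL server the same code works with a mysql: DSN; only the CREATE TABLE syntax would need adjusting.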

  • #10
    New Coder
    Join Date
    May 2009
    Location
    Pennsylvania, United States
    Posts
    54
    Thanks
    16
    Thanked 0 Times in 0 Posts


    You could set a session variable, and each time the user's login is unsuccessful, add 1 to the session variable.

    For example:

    Code:
    <?php
    session_start(); // Remember to call this!
    if (!isset($_SESSION['attempts'])) {
        $_SESSION['attempts'] = 0; // initialise once; an unconditional = 0 would reset it on every request
    }

    $loginSuccessful = /* your credential check goes here */ false;

    if ($loginSuccessful) {
      # do stuff here
    } else {
       # do stuff here!
       # (error message, redirect, etc)
       $_SESSION['attempts'] += 1;
    }

    if ($_SESSION['attempts'] >= 4) exit('Too many failed login attempts.');

  • #11
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    Quote Originally Posted by johnnnn View Post
    You could set a session variable, and each time the user's login is unsuccessful, add 1 to the session variable.

    For example:

    Code:
    <?php
    session_start(); // Remember to call this!
    if (!isset($_SESSION['attempts'])) {
        $_SESSION['attempts'] = 0; // initialise once; an unconditional = 0 would reset it on every request
    }

    $loginSuccessful = /* your credential check goes here */ false;

    if ($loginSuccessful) {
      # do stuff here
    } else {
       # do stuff here!
       # (error message, redirect, etc)
       $_SESSION['attempts'] += 1;
    }

    if ($_SESSION['attempts'] >= 4) exit('Too many failed login attempts.');
    Since sessions are suggested again, I think I'd better say this ... just to make sure the danger of using sessions for this task is understood properly by anyone who reads this thread.

    Using a session variable for this would provide almost no protection against an attacker. Please see the post by DaiWelsh (post #8). He is absolutely right.

    A user could simply close his browser. And then open it again - at the default session behavior he would have a different session. So he could start trying again.

    And a potential attacker would not use a browser for a brute force attack at all. He would emulate the browser and simply not send the session cookie HTTP header, getting a new session on each request. In this case the attempts counter would never rise above 1.

    You would need to use the DB for this task I am afraid. As it has been already explained by DaiWelsh and mentioned by Dormilich before him.
    Last edited by SKDevelopment; 02-18-2010 at 08:19 AM.

  • #12
    Regular Coder
    Join Date
    Sep 2006
    Location
    Vermont, USA
    Posts
    154
    Thanks
    0
    Thanked 6 Times in 6 Posts
    The only real solution is to do it IP based in some sort of table separate from the users table for brute force on an unknown account and to also use a users table solution for brute force password attacks on a known account.

    Log the IP and number of attempts in a db table, date it, and consider it valid for 10 minutes.
    Active PHP/MySQL application developer available for immediate work.
    syosoft.com mavieo.com - Remote Web Site Administration Suite - Reseller Ready

  • #13
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    You could use an IP-based method as an additional method of checking only, I think. IPs are not completely reliable. E.g. AOL users could have a different IP on each page request.

  • #14
    Regular Coder
    Join Date
    Sep 2006
    Location
    Vermont, USA
    Posts
    154
    Thanks
    0
    Thanked 6 Times in 6 Posts
    That is completely true. I'm curious what solution you'd suggest for a bot attack? Or simply someone with cookies turned off. Proxies are a concern, but an IP check (checking for x referer) should be implemented as it should catch a fair amount of potentials.

  • #15
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    As far as I have understood the OP, he was going to block people if for some login a password was entered incorrectly 4 times. A solution for such a problem would most probably use a database. Such things are often done when security really matters. Of course a solution of this kind could have the following disadvantage: if someone knows someone else's login (or could make a guess at it), he could simply enter it 4 times with absolutely any password just to block the first guy. Still I see such an approach used at some systems where security is really important.

    If security is not that important then yes, you are absolutely right. I also use blocking by IP just to lessen the number of attempts to some reasonable number. I also usually check the IP the user had before a proxy server ($_SERVER["HTTP_X_FORWARDED_FOR"]) if it is set (together with $_SERVER['REMOTE_ADDR'], because $_SERVER["HTTP_X_FORWARDED_FOR"] comes from an HTTP header and cannot really be relied on). Yes, it does not give 100% protection against such attacks for sure, but as you absolutely correctly said in your post, it catches a fair amount of potentials.

    I only wanted to underline the idea for the OP that blocking by IP could be not absolutely reliable. This is why I have replied. As you have said absolutely correctly, it would cut a fair amount, not all. This is why it is good (really good) but if security is very important, I would use this as an additional check only.

    As to the bots, I use CAPTCHA where I really do not want bot attacks. I had an experience when even the simplest CAPTCHA containing only digits and no distortion stopped bots immediately. One of the clients told me that he started to get 1-2 letters a day from people through his on-line contact form (instead of several hundred a day) after a simple CAPTCHA had been added to the form.

    A good CAPTCHA would not be session-dependent from my point of view. And would use a database. A worse but a little bit simpler solution could be based on sessions and would not use database at all. Of course both solutions would require the GD library availability. I usually also add some distortions like dots and lines to the images.

    Also I am trying to make any security checks not too fast. Sometimes I intentionally set a 1-2 seconds delay with sleep() only to make the login/password check a little bit slower. From what I know about protection, a better protection is a slow protection.

    Honestly speaking, I also tried to experiment with different methods of forms protection. But this is all which I am using currently.

    Other things about security are general and well known. Also I think you know all this without me ... I never store passwords, only hashes made with sha1() (not really reliable but at least better than md5). I use salt to make it difficult to use rainbow tables attacks. I use session_regenerate_id() after logging in etc. But all this is a little bit an off-topic here probably so I am mentioning this only.

    Still I think I have not said anything you did not know already, Syosoft. If this is the case (and I think it is) then I am sorry for the uninformative post.
    Last edited by SKDevelopment; 02-21-2010 at 01:07 PM.
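    The following is an added example, not code from any post in the thread, that implements the per-IP throttle from post #12 (attempts logged with a timestamp and counted only inside a 10-minute window) together with two of the points from post #15: X-Forwarded-For is honoured only when the request arrived through a proxy you operate, and the check is deliberately slowed down. The login_attempts table, the IP_MAX_ATTEMPTS threshold, the trusted-proxy address and the sample requests are constructed assumptions; `$now` is passed in explicitly so the walk-through is reproducible.

```php
<?php
// Added example, not from the thread: per-IP throttling table (post #12)
// with a time window, plus the X-Forwarded-For and delay points of post #15.
// Table name, threshold, proxy address and sample requests are assumptions.
declare(strict_types=1);

const IP_WINDOW_SECONDS = 600;          // post #12: consider attempts valid for 10 minutes
const IP_MAX_ATTEMPTS   = 10;           // constructed threshold, separate from the per-account lock
const TRUSTED_PROXIES   = ['10.0.0.5']; // assumed: the reverse proxy you operate yourself

function setupThrottleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_attempts (ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX ix_attempts_ip ON login_attempts (ip, attempted_at)');
    return $db;
}

// REMOTE_ADDR comes from the TCP connection and cannot be set by an HTTP
// header; HTTP_X_FORWARDED_FOR is just a header the client may send itself.
// So the header is used only when the direct peer is our own proxy, and then
// only its right-most address, which is the one that proxy appended.
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;
}

function recordFailedAttempt(PDO $db, string $ip, int $now): void
{
    $db->prepare('INSERT INTO login_attempts (ip, attempted_at) VALUES (?, ?)')->execute([$ip, $now]);
}

// True when the address has reached the limit inside the window. Expired rows
// are purged on the way so the table does not grow without bound.
function isThrottled(PDO $db, string $ip, int $now): bool
{
    $cutoff = $now - IP_WINDOW_SECONDS;
    $db->prepare('DELETE FROM login_attempts WHERE attempted_at < ?')->execute([$cutoff]);
    $st = $db->prepare('SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND attempted_at >= ?');
    $st->execute([$ip, $cutoff]);
    return (int) $st->fetchColumn() >= IP_MAX_ATTEMPTS;
}

// Post #15's "slow protection": the same fixed pause before every answer,
// right or wrong, so the delay itself reveals nothing about the outcome.
function slowDown(): void
{
    usleep(250_000); // 0.25 s here; the post uses sleep() with 1-2 s
}

// Walk-through with constructed requests.
$db  = setupThrottleDb();
$now = 1_700_000_000;

// Direct client: the header it sent itself is ignored.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Same client behind our proxy: the address the proxy appended is used.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.2, 203.0.113.7'];
printf("direct request resolves to %s\n", clientIp($direct));   // 203.0.113.7
printf("proxied request resolves to %s\n", clientIp($proxied)); // 203.0.113.7

$ip = clientIp($direct);
for ($i = 0; $i < IP_MAX_ATTEMPTS; $i++) {
    recordFailedAttempt($db, $ip, $now + $i);
}
slowDown();
printf("throttled right after %d failures: %s\n", IP_MAX_ATTEMPTS,
    isThrottled($db, $ip, $now + 10) ? 'yes' : 'no');                          // yes
printf("throttled %d s later: %s\n", IP_WINDOW_SECONDS + 60,
    isThrottled($db, $ip, $now + IP_WINDOW_SECONDS + 60) ? 'yes' : 'no');      // no
```

    This throttle is meant to sit beside the per-account counter, not replace it, which is how posts #12 and #13 settle the question: the per-account lock handles guesses against a known login, the per-IP window limits guessing across unknown logins, and neither one is reliable on its own.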
