  1. #1

    Cookie question & authentication

    For my web site, I've got my authentication system set up, complete with password protection (via MySQL queries to a password table) and a session counter that tracks your login attempts (limited to 3, of course). After that, I send the user a cookie that makes them wait -xx- minutes before they can try their login again. The program checks for the cookie, and if it sees the cookie, it aborts the login.

    Pretty standard stuff, I know.

    Now, what if the smart *** just deletes the cookie? True, most casual users wouldn't have a clue here. But that's why I am asking you guys. If he deletes the cookie he can immediately try logging in again, for 3 more attempts. He has defeated the timeout period by deleting the cookie.

    Is there a better way to do this?

    Thanks in advance.

  • #2
    raf
    You could register the IP as well and keep a list of banned IPs and check both if he has a cookie set or if his IP is on the list.

    I combine this with some checks to verify that he/she either accepts cookies or has a 'stable' IP (an IP that stays at least the same as long as he is connected to the web). If neither is true, they don't even get to the login processing.

    Absolutely not bulletproof, but really secure systems require that the user has some required software or hardware on his client that you can identify him by, before you show/process the login form.
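
An added example, not code from either poster: the lockout state kept in a server-side table keyed by both account name and source IP, so no cookie is consulted at all. In-memory SQLite stands in for the site's MySQL database; the table name, function names and the 15-minute window are assumptions (the post gives the wait only as "xx" minutes).

```python
import sqlite3
import time

MAX_ATTEMPTS = 3            # limit stated in the original post
LOCKOUT_SECONDS = 15 * 60   # assumed; the post leaves the wait as "xx" minutes


def open_store():
    """Create the failure log. SQLite in memory stands in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_login (kind TEXT, ident TEXT, at REAL)")
    return db


def recent_failures(db, kind, ident, now):
    """Count failures for one account or one IP inside the lockout window."""
    row = db.execute(
        "SELECT COUNT(*) FROM failed_login WHERE kind=? AND ident=? AND at>?",
        (kind, ident, now - LOCKOUT_SECONDS),
    ).fetchone()
    return row[0]


def is_locked(db, username, ip, now):
    """Locked when either the account or the source IP reached the limit."""
    return (recent_failures(db, "user", username, now) >= MAX_ATTEMPTS
            or recent_failures(db, "ip", ip, now) >= MAX_ATTEMPTS)


def try_login(db, username, ip, password_ok, now=None):
    """Return 'locked', 'ok' or 'denied'.

    password_ok is the result of the site's own password check.
    """
    now = time.time() if now is None else now
    # Checked before the password result is used, so a correct guess made
    # during the lockout is not revealed to the client.
    if is_locked(db, username, ip, now):
        return "locked"
    if password_ok:
        # Success clears the account counter only; the IP counter ages out.
        db.execute("DELETE FROM failed_login WHERE kind='user' AND ident=?",
                   (username,))
        return "ok"
    db.executemany("INSERT INTO failed_login VALUES (?,?,?)",
                   [("user", username, now), ("ip", ip, now)])
    return "denied"
```

The per-account counter still applies when the client switches IP, and the per-IP counter still applies when it switches account names. Shared addresses (NAT, proxies) and deliberate lockout of someone else's account are the trade-offs of this approach.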

