Originally Posted by iota
But it can be cracked brutally if you don't use session expire after x tries.
i've never heard of a bruteforce setup where the bruteforcer is interested in keeping the session alive...
he'll just start a new session for each trial.
i've you wan't to add bruteforce-measures, then i think these are the most obvious options:
- record the IP and only allow 3 logins for an IP with a 1 hour period --> but this requires storing the IP's in a db or file so that kinda defeats this 'no db required' script + the IP can be spoofed
- add this little line
right before comparing the posted and stored password and username
this will slow down the bruteforce so mucht that it becomes virtually impossible to make enough trials if you change the password every month or so. Downside is that valid logins also will take between 5 and 10 seconds.
- add a CAPTCHA to block out all automatic logins.