View Full Version : Limit wrong login then block for 10 minutes - How?

06-17-2010, 03:01 PM

I am needing some code, so that I can put a limit of the amount of wrong logins.
For example ather 3 login, they get block for 10 minutes.

I would like it to run via PHP/MySQL.

I already have a login script that is being used by the script I am using which is a PHP/MySQL script

06-17-2010, 04:31 PM
I am needing some code

This isn't a wishing well for code. If you just mis-phrased your meaning, though, here's what I"m doing in a current project.

You can add a few fields to your users table and test them with some additional logic on login attempts.

failed_login_count, int(11)
last_access, datetime
locked_out, tinyint(1)

And then add core values for the lockout duration (in your case, 10 minutes) and failed login max (3, in your example).

It shouldn't be too hard to work up pseudocode from that, and then to build that out into PHP.

06-18-2010, 04:31 PM
You can also add to the PHP code of yours and your DB a table for IP blocks. Then add a time limit for the IP in the table. When they reach 10 times, you block their IP till x time on the server. Real simple actually to block IPs, this would be better. You keep two records also, one record of login attemps in the user DB as tom said then you keep another login attempt record in the users session variable to compare against and block. That way you block the user from trying again and you also block the IP, in case they try another username. Now if they are leapfrogging then your stuck, but the user still gets blocked.

Instead of using a 10 min blocking in the DB, this would require a start time to calculate also stored in DB. What you need to store is not the limit of blocking, what you need to do is calculate 10 minutes from now() and then store that time to re-activate in the DB. Then when you read the user login you read it to say, if time is past stored time, allow, else deny.

Real simple and it's a double blocking mechanism.

06-18-2010, 06:12 PM
This is depending on how secure you want your site.
The best way to determine what you need to do is to log each attempt... each time a user logs in, track their email, username, ip address and if their password was right or not.
Check these links for more info about secure login:

Wide variety of captcha providers available for free. (http://woork.blogspot.com/2009/02/10-free-captcha-scripts-and-services.html)
PHP Secure Login Tips And Tricks (http://hungred.com/useful-information/php-secure-login-tips-and-tricks/)