View Full Version : Cookie question & authentication

01-22-2004, 10:47 PM
For my web site, I've got my authentication system set up, complete with password protection (via MySQL queries to a password table) and a session counter that tracks your login attempts (limited to 3, of course). After that, I send the user a cookie, that makes them wait -xx- minutes before they can try their login again. The program checks for the cookie, and if it sees the cookie, it aborts the login.

Pretty standard stuff, I know.

Now, what if the smart *** just deletes the cookie? True, most casual users wouldn't have a clue here. But that's why I am asking you guys. If he deletes the cookie he can immediately trying loging in again, for 3 more attempts. He has defeated the time out period by deleting the cookie.

Is there a better way to do this?

Thanks in advance.

01-23-2004, 12:32 AM
you could register the IP as well and keep a list of banned IP's and check both if he has a cookie set or if his IP is on the list.

I combine this with some checks to verify that he/she either accepts cookies or has a 'stable' IP (an IP that stays at least the same as long as he is connected to the web). If neither are true, they don't even get to the loginprocessing.

Absoluely not bulletproof, but realy secure systems require hat the user has some required soft or hardware on his client where you can identify him by, before you show/process the loginform.