Question about login.php

Hello,

I have a login PHP file, and it needs to blacklist someone after 3 attempts for 30 minutes.
I will put the script in the pastebin; if someone can edit it for me and also say which tables I need to add to the database, that would be nice.

https://pastebin.com/PwvDUg3e

I personally can’t stand sites like this, and the only sites I have really seen this on are online banking sites and other sites similar to those. I found a website (I can’t remember the website) that tests this type of site, and I have attempted to make a website like this in the past only to fail big time. Unless you are a big company, the hackers out there can easily hack into these types of websites with no problem. They also give the average user a headache when they forget their password or are just having a bad time typing in their password. Just my opinion.

Your code will not work as you expect. Please follow this process.

Check Login Credentials > IF incorrect credentials > Update table.attemptCount+1 where username = ? and show error invalid password.

If table.attemptCount is less than or equal to 3, then the error will show "you are blocked, try again after 30 minutes". Else, if the username and password are correct > update table.attemptCount = 0 and log in and redirect.

Alt solution…

While not ‘great’… it’s MUCH faster… try to perhaps save the attempts in the user’s session?

I mean you are only blocking them for 30 minutes anyways before they can come back… so if they are smart enough to clear cache/session data…etc… they will come back before that.

Since the main point of doing this is to slow down bot scripts, which won’t likely propagate a session, using the session to record the state won’t do anything.

If someone/something triggers the attempts-per-time limit, just enable a captcha, for both the login attempts and any username/password recovery. This will further limit bot scripts, while allowing a legitimate user a way to continue. If a legitimate user fails to log in after a reasonable number of attempts, they should make use of a username/password recovery option, rather than keep trying to log in.

Whatever you do, don’t allow a login attempt failure to kick out a legitimate, already logged in, user.

BTW - in your existing code, upon successfully logging in, the only user information you should store in the session is the user’s id, and it should be named something like user_id (there are many different things that have ids, so naming the session value id is a poor choice). You would then query on each page request to get any other user information. This ensures that any changes made to the user information, such as permissions, will take effect on the very next page request.
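Putting the counter-based process from the earlier reply together with the user_id advice above, here is an added example (not the asker's pastebin code) of a login function with a 3-failure / 30-minute lockout. It assumes a `users` table with the constructed columns `attempt_count` and `last_failed_at` added alongside the existing `id`, `username` and `password_hash` columns.

```php
<?php
// Added example: per-user lockout counter stored in the users table.
// Assumed extra columns (constructed for this example):
//   ALTER TABLE users ADD attempt_count INT NOT NULL DEFAULT 0,
//                     ADD last_failed_at DATETIME NULL;
const MAX_ATTEMPTS = 3;
const LOCKOUT_SECONDS = 30 * 60;

function attemptLogin(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT id, password_hash, attempt_count, last_failed_at
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: answer exactly like a wrong password, so the response
    // does not reveal which usernames exist.
    if ($user === false) {
        return ['ok' => false, 'error' => 'Invalid username or password.'];
    }

    // Locked: the counter has reached the limit and the 30-minute window
    // since the last failure has not yet expired.
    $lockedUntil = $user['last_failed_at'] !== null
        ? strtotime($user['last_failed_at']) + LOCKOUT_SECONDS : 0;
    if ($user['attempt_count'] >= MAX_ATTEMPTS && time() < $lockedUntil) {
        return ['ok' => false, 'error' => 'Account locked. Try again in 30 minutes.'];
    }

    if (!password_verify($password, $user['password_hash'])) {
        // Window expired: start a fresh count at 1; otherwise add one failure.
        $count = ($user['attempt_count'] >= MAX_ATTEMPTS) ? 1 : $user['attempt_count'] + 1;
        $db->prepare('UPDATE users SET attempt_count = ?, last_failed_at = NOW() WHERE id = ?')
           ->execute([$count, $user['id']]);
        return ['ok' => false, 'error' => 'Invalid username or password.'];
    }

    // Success: reset the counter and keep only the user's id in the session.
    $db->prepare('UPDATE users SET attempt_count = 0, last_failed_at = NULL WHERE id = ?')
       ->execute([$user['id']]);
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return ['ok' => true];
}
```

Because the state lives in the database rather than the session, clearing cookies does not reset the counter, which is the point raised against the session-only approach in this thread.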
