---
We built something like this into our default admin template that we base
all of our client's admin / content management section off of. I decided
that I did not want to lock the user out after 3 attempts and then force
them to call us. So, I added an extra session var that tracks how many bad
login attempts there have been for that user in the last 10 mins. If they
try to log in a forth time they get a message to the effect of "Too many
failed log in attempts, please try again in 10 mins." After 10 mins they
can try three more times.
Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770
_____
From: G [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 8:53 AM
To: CF-Talk
Subject: Re: locking user out after 3 incorrect attempts to log in
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166661
---
This is a bit of a tangent to this topic, but I'm curious whether I'm the
only person out there who gets annoyed by systems that employ this
technique. The system we built at my old dot.com company employed this
technique, and it drove our clients crazy (which in turn drove us developers
crazy).
The idea, I assume, is that if someone is unsuccessful logging in three
times in a row, they must not be a valid user. Its my experience that the
VAST majority of the time, the person getting locked out is a valid user who
made an innocent mistake trying to login. The 3 strikes and your out schema
seems to be a bit outdated, and causes more harm (annoyance) than good.
Just curious what you all thought about this.
Brian
From: Steve Nelson
To: CF-Talk
Sent: Tuesday, June 15, 2004 8:41 AM
Subject: RE: locking user out after 3 incorrect attempts to log in
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166657
---
Cookies are definitely not the only solution.
This would make an interesting CF contest. Who ran that CF contest a
couple
months ago?
Steve Nelson
_____
From: Pascal Peters [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 3:24 AM
To: CF-Talk
Subject: RE: locking user out after 3 incorrect attempts to log in
Archive: http://www.houseoffusion.com/lists.cfm/link=i:4:166613
---
I see you are using session vars, so I would recommend
session.times_logged_on.
But that aside, you have to realize that there is no way of really
blocking more than x attempts to log in on a web app. All methods you
can come up with will rely on cookies to track that and the user can
manipulate those on his machine. If some site tells me I had too many
attempts, I just delete the cookies for that site and happily continue
logging in.
Pascal
> -----Original Message-----
> From: Doug James [mailto:[EMAIL PROTECTED]
> Sent: maandag 14 juni 2004 21:36
> To: CF-Talk
> Subject: Re: locking user out after 3 incorrect attempts to log in
>
> Christy, Welcome to the wonderful world of CF, speaking for
> everyone on the list we hope you enjoy it and will stay and
> even recruit some friends.
>
> Regarding you problem, check out
> http://www.teratech.com/coldcuts/cutdetail.cfm?cutid=291
>
> Doug
>
> Christy wrote:
_____
_____
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
