> Hi guys,
> I would like to know what you suggest to implement a limit on
> failed login attempts.

I use velocity control (or whatever it is called). After the first
failed attempt, set a ban-period before another login is possible for
the account - start at 1 second. After each consecutive fail, double
the period.

> I thought that might be a good idea, to define a session variable
> called ( failedattempts ), then check and if $failedattempts is
> greater than, suppose, 4 write to a Database ( ip, username and
> last-time-attempt ). If after that the user/bot tries again to log in
> unsuccessfully, then the system should ban that user & IP combination.
> Some questions about this situation:
> - Do you think that it is a good idea to use sleep()?

No. That won't achieve much except annoy legitimate users.

> - How should I send a 503 HTTP error to the user after 5 attempts?

Use header(). I would send a 403.

> - Is this a good idea to do all this work for this security purpose ?

Making sure that no one can try brute-forcing an account is a good idea.
Just make sure you cannot use this security measure to lock out an

> - Do you know/suggest a better way to solve this?

Velocity control, as stated.
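
Below is an added example of the velocity control described in the reply, written in PHP because the thread is about header()/sleep(); it is not code from the original post. It assumes an in-memory array in place of the database row (ip, username, last-time-attempt), a hypothetical `$checkPassword` callback in place of the real credential check, and a cap on the ban period, which the reply does not mention. A fake clock is used so the demo runs instantly without sleep().

```php
<?php
// Added example, not code from the original post: per-account velocity
// control for failed logins (1 s after the first failure, doubled after each
// consecutive failure). Assumptions beyond the post: an in-memory array
// stands in for the database row (ip, username, last-time-attempt), and the
// ban is capped so that a stream of deliberate failures cannot lock a real
// user out indefinitely.

final class LoginVelocityControl
{
    /** @var array<string, array{fails:int, locked_until:int}> constructed in-memory store */
    private array $store = [];

    public function __construct(
        private int $baseDelay = 1,     // seconds after the first failure
        private int $maxDelay = 3600    // assumed cap; not in the original post
    ) {}

    /** Seconds the account must still wait, or 0 if a login attempt is allowed now. */
    public function retryAfter(string $account, int $now): int
    {
        $lockedUntil = $this->store[$account]['locked_until'] ?? 0;
        return max(0, $lockedUntil - $now);
    }

    /** Record a failed attempt and return the new ban period in seconds. */
    public function recordFailure(string $account, int $now): int
    {
        $fails = ($this->store[$account]['fails'] ?? 0) + 1;
        // 1, 2, 4, 8, ... seconds; exponent clamped so 2 ** n cannot overflow.
        $delay = (int) min($this->maxDelay, $this->baseDelay * 2 ** min($fails - 1, 30));
        $this->store[$account] = ['fails' => $fails, 'locked_until' => $now + $delay];
        return $delay;
    }

    /** A successful login resets the counter; the next failure starts again at 1 s. */
    public function recordSuccess(string $account): void
    {
        unset($this->store[$account]);
    }
}

/**
 * Login handler. $checkPassword is a hypothetical callback standing in for the
 * real credential check. Returns the HTTP status code that was (or would be) sent.
 */
function handleLogin(LoginVelocityControl $vc, string $account, string $password,
                     callable $checkPassword, ?int $now = null): int
{
    $now ??= time();
    $wait = $vc->retryAfter($account, $now);
    if ($wait > 0) {
        // Inside the ban window: refuse before the password is even checked, with a
        // 403 as the reply suggests. The counter is not touched, so hammering the
        // endpoint during the ban does not extend the ban.
        sendStatus(403, ['Retry-After: ' . $wait]);
        return 403;
    }
    if (!$checkPassword($account, $password)) {
        $vc->recordFailure($account, $now);
        sendStatus(401);
        return 401;
    }
    $vc->recordSuccess($account);
    return 200;
}

/** Emit the status and headers only under a web SAPI; a no-op in the CLI demo below. */
function sendStatus(int $code, array $headers = []): void
{
    if (PHP_SAPI === 'cli') {
        return;
    }
    http_response_code($code);
    foreach ($headers as $h) {
        header($h);
    }
}

// Constructed demo with a fake clock, so it runs instantly and never sleep()s.
$vc = new LoginVelocityControl();
$check = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';
$t = 1_000_000;

// Three failures, each made after the previous ban expired: bans of 1 s, 2 s, 4 s.
foreach ([0, 1, 3] as $offset) {
    $code = handleLogin($vc, 'alice', 'wrong', $check, $t + $offset);
    printf("t+%d wrong password -> %d, banned for %ds\n",
           $offset, $code, $vc->retryAfter('alice', $t + $offset));
}
// At t+4 the account is still locked until t+7: refused with 403 before any check.
printf("t+4 retry            -> %d\n", handleLogin($vc, 'alice', 'wrong', $check, $t + 4));
// At t+7 the ban has expired; the right password gets through and resets the state.
printf("t+7 correct password -> %d\n", handleLogin($vc, 'alice', 'correct horse', $check, $t + 7));
```

The state is keyed by account, which is what stops a brute-force against one user; the original poster's user-and-IP combination can be used as the key instead, at the cost of letting an attacker rotate IPs. The cap on the ban period is an addition to the reply's scheme: without it, doubling on every failure means a few dozen wrong passwords sent on purpose keep a real user locked out for days, which is exactly the lockout the reply warns about.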


