From: Juan Rodriguez Monti
> I would like to know what do you suggest to implement a limit for
> failed login attempts.
> I thought that might be a good idea, to define a session variable
> called ( failedattempts ), then check and if $failedattempts is
> greater than, suppose, 4 write to a Database ( ip, username and
> last-time-attempt ). If ater that, the user/bot tries again to login
> unsuccessfully, then the system should ban that user & ip combination.
We have two columns in the user table, login_attempts and u_touch. The
first is an integer, the second is a time stamp. The second is updated
to now every time the user requests a page. Each time a login attempt
fails, the first column is incremented. If the first column exceeds 3
when a new attempt is made, the previous time in the second must be more
than 30 minutes old. The first column is reset to 0 on a successful
login, or 1 on an unsuccessful attempt more than 30 minutes after the
The error message is the same for all login failures, no matter what the
While logged in, if a page is requested with the value of u_touch more
than ten minutes old, the user is automatically logged out.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php