From: Juan Rodriguez Monti

> I would like to know what do you suggest to implement a limit for
> failed login attempts.
> I thought that might be a good idea, to define a session variable
> called ( failedattempts ), then check and if $failedattempts is
> greater than, suppose, 4 write to a Database ( ip, username and
> last-time-attempt ). If ater that, the user/bot tries again to login
> unsuccessfully, then the system should ban that user & ip combination.

We have two columns in the user table, login_attempts and u_touch. The
first is an integer, the second is a time stamp. The second is updated
to now every time the user requests a page. Each time a login attempt
fails, the first column is incremented. If the first column exceeds 3
when a new attempt is made, the previous time in the second must be more
than 30 minutes old. The first column is reset to 0 on a successful
login, or 1 on an unsuccessful attempt more than 30 minutes after the
previous attempt.

The error message is the same for all login failures, no matter what the

While logged in, if a page is requested with the value of u_touch more
than ten minutes old, the user is automatically logged out.

Bob McConnell

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to