On 9 August 2010 14:04, Juan Rodriguez Monti <j...@rodriguezmonti.com.ar> wrote:
> 2010/8/9 Richard Quadling <rquadl...@gmail.com>:
>> On 9 August 2010 13:30, Juan Rodriguez Monti <j...@rodriguezmonti.com.ar> 
>> wrote:
>>> I thought that might be a good idea, to define a session variable
>>> called ( failedattempts ), then check and if $failedattempts is
>>> greater than, suppose, 4 ...
>> As sessions are connected to a request through a session cookie,
>> putting the failed attempts in the session for checking later is a bad
>> idea. A script attempting to crack your security will most likely NOT
>> be using cookies. So each request, all the many millions of them, will
>> seem to be clean/virgin requests, not multiple attempts. Each request
>> will create a blank new session with 0 previous attempts.
> Good point. Thanks.
> So, what should I use instead of sessions to check this ?.
> Juan

You could suspend the account after 3 bad logins. Nice and simple. A
"FailedLoginsSinceLastLogin" counter against the account in the DB
should be enough. If that exceeds your limit, then they can't login.
They will have to re-authenticate in some other way. When that is
successful, then the value can be cleared.

Bob's way looks good.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to