On 9 August 2010 15:10, Richard Quadling <rquadl...@gmail.com> wrote:
> On 9 August 2010 14:04, Juan Rodriguez Monti <j...@rodriguezmonti.com.ar> 
> wrote:
>> 2010/8/9 Richard Quadling <rquadl...@gmail.com>:
>>> On 9 August 2010 13:30, Juan Rodriguez Monti <j...@rodriguezmonti.com.ar> 
>>> wrote:
>>>> I thought that might be a good idea, to define a session variable
>>>> called ( failedattempts ), then check and if $failedattempts is
>>>> greater than, suppose, 4 ...
>>> As sessions are connected to a request through a session cookie,
>>> putting the failed attempts in the session for checking later is a bad
>>> idea. A script attempting to crack your security will most likely NOT
>>> be using cookies. So each request, all the many millions of them, will
>>> seem to be clean/virgin requests, not multiple attempts. Each request
>>> will create a blank new session with 0 previous attempts.
>> Good point. Thanks.
>> So, what should I use instead of sessions to check this ?.
>> Juan
> You could suspend the account after 3 bad logins. Nice and simple. A
> "FailedLoginsSinceLastLogin" counter against the account in the DB
> should be enough. If that exceeds your limit, then they can't login.
> They will have to re-authenticate in some other way. When that is
> successful, then the value can be cleared.

That allows locking out users at random by knowing the username - not
a very good solution.


WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to