Feature Requests item #3018011, was opened at 2010-06-18 14:30
Message generated for change (Tracker Item Submitted) made by badda
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Badda (badda)
Assigned to: Nobody/Anonymous (nobody)
Summary: Lock user after n failed attempts to log in.

Initial Comment:
Currently, passwords can be brute-forced by a remote attacker by trying to log 
in with guessed passwords until success.
This can easily be prevented by introducing a (configurable) limit to the 
failed login attempts. After that, the user cannot log in anymore and a 
phpshell-admin must unlock the user (e.g. by editing a value the 
This would be my idea of implementing it:
- introduce a new value in the config.php [settings] section: max-login-attempts. Here 
the admin can specify the number of failed login attempts after which the user 
is locked.
- A number is recorded and kept for each user that states the current amount of 
failed logins
- if this number is equal to or larger than max-login-attempts the user cannot log 
in at all
- this number is increased by one after each failed login attempt for this user
- this number is set to zero after a successful login
- after a successful or failed login, the number of failed login attempts will 
be shown to the user

This new feature would greatly increase the security of the script.
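The lockout described in the request, written out as an added example (not phpshell's own code). It assumes, hypothetically, that the limit is read from a config.php-style ini file under [settings] / max-login-attempts, that per-user failure counters are kept in a small JSON file, and that verify_password() stands in for the existing credential check; the usernames and password in the demonstration are constructed.

```php
<?php
// Added example, not phpshell's own code: lock an account after a configurable
// number of failed logins, as the request above describes.
// Assumptions (hypothetical, not from the original): the limit comes from a
// config.php-style ini file, [settings] section, key max-login-attempts;
// per-user failure counters live in a JSON file; verify_password() stands in
// for the existing credential check.
declare(strict_types=1);

function load_max_attempts(string $config_file): int
{
    $ini = parse_ini_file($config_file, true);
    // 0 (or a missing key) disables the lockout entirely.
    return max(0, (int) ($ini['settings']['max-login-attempts'] ?? 0));
}

function verify_password(string $user, string $password, array $users): bool
{
    // $users maps username => output of password_hash()
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Read, update and rewrite the counter file under an exclusive lock so that
// concurrent login attempts cannot lose an increment.
function with_counters(string $counter_file, callable $update): array
{
    $fh = fopen($counter_file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot lock $counter_file");
    }
    $raw = stream_get_contents($fh);
    $counters = $raw === '' ? [] : (json_decode($raw, true) ?? []);
    $result = $update($counters);          // closure takes $counters by reference
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($counters));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $result;
}

// Returns ['ok' => bool, 'locked' => bool, 'failed' => int]; 'failed' is the
// number of failed attempts to show the user after the attempt (on success,
// the failures that preceded it, so a user can notice guessing activity).
function attempt_login(string $user, string $password, array $users, int $max, string $counter_file): array
{
    return with_counters($counter_file, function (array &$counters) use ($user, $password, $users, $max): array {
        $failed = (int) ($counters[$user] ?? 0);
        if ($max > 0 && $failed >= $max) {
            // Locked: the password is not even checked; an admin must unlock.
            return ['ok' => false, 'locked' => true, 'failed' => $failed];
        }
        if (verify_password($user, $password, $users)) {
            $counters[$user] = 0;          // reset on success
            return ['ok' => true, 'locked' => false, 'failed' => $failed];
        }
        if (isset($users[$user])) {        // only count users that exist
            $failed++;
            $counters[$user] = $failed;
        }
        return ['ok' => false, 'locked' => $max > 0 && $failed >= $max, 'failed' => $failed];
    });
}

// The admin-side unlock (the request leaves the exact mechanism open).
function unlock_user(string $user, string $counter_file): void
{
    with_counters($counter_file, function (array &$counters) use ($user): array {
        unset($counters[$user]);
        return [];
    });
}

// Demonstration with constructed data: three wrong guesses lock the account,
// the correct password is then refused until the admin unlocks it.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$counter_file = tempnam(sys_get_temp_dir(), 'failed_logins_');
$max = 3;   // in a real deployment: load_max_attempts('config.php')
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse'] as $pw) {
    $r = attempt_login('alice', $pw, $users, $max, $counter_file);
    printf("%-14s ok=%d locked=%d failed=%d\n", $pw, $r['ok'], $r['locked'], $r['failed']);
}
unlock_user('alice', $counter_file);
$r = attempt_login('alice', 'correct horse', $users, $max, $counter_file);
printf("after unlock   ok=%d locked=%d failed=%d\n", $r['ok'], $r['locked'], $r['failed']);
unlink($counter_file);
```

Two points to keep in mind with this design: the counter file must not be readable through the web server, and because the counter is keyed by username, anyone who knows a valid username can lock that user out by failing on purpose, so a deployment would usually pair the per-user limit with per-source rate limiting or a timed automatic unlock.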


phpshell-devel mailing list
