[PHP] Limit failed logins attempts

2010-08-09 Thread Juan Rodriguez Monti
Hi guys,
I would like to know what you suggest to implement a limit for
failed login attempts.

I thought that it might be a good idea to define a session variable
called ( failedattempts ), then check and if $failedattempts is
greater than, suppose, 4 write to a Database ( ip, username and
last-time-attempt ). If after that, the user/bot tries again to login
unsuccessfully, then the system should ban that user/ip combination.

Some questions about this situation:

- Do you think it is a good idea to use sleep()?
- How should I send a 503 HTTP error to the user after 5 attempts?
- Is this a good idea, to do all this work for this security purpose?
- Do you know/suggest a better way to solve this?

Thanks in advance,
Juan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Limit failed logins attempts

2010-08-09 Thread Peter Lind
On 9 August 2010 14:30, Juan Rodriguez Monti j...@rodriguezmonti.com.ar wrote:
> Hi guys,
> I would like to know what you suggest to implement a limit for
> failed login attempts.

I use velocity control (or whatever it is called). After the first
failed attempt, set a ban-period before another login is possible for
the account - start at 1 second. After each consecutive fail, double
the period.

> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check and if $failedattempts is
> greater than, suppose, 4 write to a Database ( ip, username and
> last-time-attempt ). If after that, the user/bot tries again to login
> unsuccessfully, then the system should ban that user/ip combination.

> Some questions about this situation:

> - Do you think it is a good idea to use sleep()?

No. That won't achieve much except annoy legitimate users.

> - How should I send a 503 HTTP error to the user after 5 attempts?

Use header(). I would send a 403.

> - Is this a good idea, to do all this work for this security purpose?

Making sure that no one can try brute-forcing an account is a good idea.
Just make sure you cannot use this security measure to lock out an
account.

> - Do you know/suggest a better way to solve this?

Velocity control, as stated.

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
/hype

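The velocity control Peter describes, as an added example that is not code from the thread or from Peter: the ban period per account starts at 1 second and doubles after each consecutive failure, with a cap so that a stranger who knows the username cannot lock the real owner out indefinitely (Peter's caveat). The `login_throttle` table, its column names and the 900-second cap are assumptions; an in-memory SQLite database makes it runnable on its own.

```php
<?php
// Added example, not code from the thread: per-account "velocity control" with the ban
// period doubling after each consecutive failed login. Table/column names are assumed.
const FIRST_BAN_SECONDS = 1;
const MAX_BAN_SECONDS   = 900;  // cap: a stranger must not be able to lock the account out for days

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login_throttle (username TEXT PRIMARY KEY, failures INTEGER NOT NULL, banned_until INTEGER NOT NULL)');

// Seconds the account is still banned for; 0 means a login may be attempted now.
function secondsUntilAllowed(PDO $pdo, string $username, int $now): int {
    $st = $pdo->prepare('SELECT banned_until FROM login_throttle WHERE username = ?');
    $st->execute([$username]);
    return max(0, (int) $st->fetchColumn() - $now);   // fetchColumn() is false -> 0 for unknown accounts
}

// Record a failed password check: ban period = 1, 2, 4, 8 ... seconds, capped at MAX_BAN_SECONDS.
function recordFailure(PDO $pdo, string $username, int $now): int {
    $st = $pdo->prepare('SELECT failures FROM login_throttle WHERE username = ?');
    $st->execute([$username]);
    $failures = (int) $st->fetchColumn() + 1;
    $ban = min(MAX_BAN_SECONDS, FIRST_BAN_SECONDS * 2 ** min($failures - 1, 30));
    $pdo->prepare('INSERT OR REPLACE INTO login_throttle VALUES (?, ?, ?)')
        ->execute([$username, $failures, $now + $ban]);
    return $ban;
}

function recordSuccess(PDO $pdo, string $username): void {   // a success clears the history
    $pdo->prepare('DELETE FROM login_throttle WHERE username = ?')->execute([$username]);
}

// Caller side: while banned, refuse (Peter suggests a 403) without even checking the password.
function handleLogin(PDO $pdo, string $username, bool $passwordOk, int $now): bool {
    if (secondsUntilAllowed($pdo, $username, $now) > 0) {
        header('HTTP/1.1 403 Forbidden');
        return false;
    }
    if ($passwordOk) { recordSuccess($pdo, $username); return true; }
    recordFailure($pdo, $username, $now);
    return false;
}

$t = 1000;                        // constructed walkthrough: wrong password four times in a row
foreach ([1, 2, 4, 8] as $expected) {
    handleLogin($pdo, 'alice', false, $t);
    assert(secondsUntilAllowed($pdo, 'alice', $t) === $expected);   // the ban doubles each time
    $t += $expected;              // the legitimate user waits out the ban
}
assert(handleLogin($pdo, 'alice', true, $t));   // allowed again once the ban has lapsed
```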



Re: [PHP] Limit failed logins attempts

2010-08-09 Thread Richard Quadling
On 9 August 2010 13:30, Juan Rodriguez Monti j...@rodriguezmonti.com.ar wrote:
> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check and if $failedattempts is
> greater than, suppose, 4 ...

As sessions are connected to a request through a session cookie,
putting the failed attempts in the session for checking later is a bad
idea. A script attempting to crack your security will most likely NOT
be using cookies. So each request, all the many millions of them, will
seem to be clean/virgin requests, not multiple attempts. Each request
will create a blank new session with 0 previous attempts.

Richard.




RE: [PHP] Limit failed logins attempts

2010-08-09 Thread Bob McConnell
From: Juan Rodriguez Monti

> I would like to know what you suggest to implement a limit for
> failed login attempts.
>
> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check and if $failedattempts is
> greater than, suppose, 4 write to a Database ( ip, username and
> last-time-attempt ). If after that, the user/bot tries again to login
> unsuccessfully, then the system should ban that user/ip combination.

We have two columns in the user table, login_attempts and u_touch. The
first is an integer, the second is a time stamp. The second is updated
to now every time the user requests a page. Each time a login attempt
fails, the first column is incremented. If the first column exceeds 3
when a new attempt is made, the previous time in the second must be more
than 30 minutes old. The first column is reset to 0 on a successful
login, or 1 on an unsuccessful attempt more than 30 minutes after the
previous attempt.

The error message is the same for all login failures, no matter what the
cause.

While logged in, if a page is requested with the value of u_touch more
than ten minutes old, the user is automatically logged out.

Bob McConnell

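Bob's scheme written out, as an added example that is not Bob's code: the `login_attempts` and `u_touch` columns are his, the 30-minute lock window, the 10-minute idle timeout and the single generic failure message follow his description. Assumptions: the users table is an in-memory SQLite table created inline, a `pw_hash` column holds the password hash, and a refused attempt does not update `u_touch`, so hammering a locked account cannot keep it locked.

```php
<?php
// Added example, not Bob's code: his login_attempts / u_touch columns on the user table.
// Assumed: in-memory SQLite users table, pw_hash column, and that a refused attempt
// does not touch u_touch (otherwise an attacker could extend the lock indefinitely).
const MAX_ATTEMPTS = 3;
const LOCK_WINDOW  = 30 * 60;          // locked account reopens after 30 idle minutes
const IDLE_TIMEOUT = 10 * 60;          // logged-in user is logged out after 10 idle minutes
const LOGIN_FAILED = 'Login failed';   // one message for every cause, as Bob says

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL,
            login_attempts INTEGER NOT NULL DEFAULT 0, u_touch INTEGER NOT NULL DEFAULT 0)');
$pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
    ->execute(['bob', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns true on success, otherwise the single generic message.
function login(PDO $pdo, string $username, string $password, int $now) {
    $st = $pdo->prepare('SELECT pw_hash, login_attempts, u_touch FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return LOGIN_FAILED; }           // unknown user: same message
    $stale = $now - (int) $row['u_touch'] > LOCK_WINDOW;   // last activity over 30 minutes ago
    if ((int) $row['login_attempts'] > MAX_ATTEMPTS && !$stale) {
        return LOGIN_FAILED;                               // locked: password is not checked at all
    }
    if (password_verify($password, $row['pw_hash'])) {
        $attempts = 0;                                     // success resets the counter
    } else {
        $attempts = $stale ? 1 : (int) $row['login_attempts'] + 1;
    }
    $pdo->prepare('UPDATE users SET login_attempts = ?, u_touch = ? WHERE username = ?')
        ->execute([$attempts, $now, $username]);
    return $attempts === 0 ? true : LOGIN_FAILED;
}

// Bob's idle rule: a page request more than ten minutes after u_touch logs the user out.
function touchOrExpire(PDO $pdo, string $username, int $now): bool {
    $st = $pdo->prepare('SELECT u_touch FROM users WHERE username = ?');
    $st->execute([$username]);
    if ($now - (int) $st->fetchColumn() > IDLE_TIMEOUT) { return false; }   // caller ends the session
    $pdo->prepare('UPDATE users SET u_touch = ? WHERE username = ?')->execute([$now, $username]);
    return true;
}

// Constructed walkthrough: four wrong passwords lock 'bob' until 30 minutes have passed.
for ($i = 0; $i < 4; $i++) { login($pdo, 'bob', 'wrong', 1000); }
assert(login($pdo, 'bob', 'correct horse', 1000) === LOGIN_FAILED);     // still locked
assert(login($pdo, 'bob', 'correct horse', 1000 + 31 * 60) === true);   // window has elapsed
```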



Re: [PHP] Limit failed logins attempts

2010-08-09 Thread Richard Quadling
On 9 August 2010 14:04, Juan Rodriguez Monti j...@rodriguezmonti.com.ar wrote:
> 2010/8/9 Richard Quadling rquadl...@gmail.com:
>> On 9 August 2010 13:30, Juan Rodriguez Monti j...@rodriguezmonti.com.ar
>> wrote:
>>> I thought that it might be a good idea to define a session variable
>>> called ( failedattempts ), then check and if $failedattempts is
>>> greater than, suppose, 4 ...
>>
>> As sessions are connected to a request through a session cookie,
>> putting the failed attempts in the session for checking later is a bad
>> idea. A script attempting to crack your security will most likely NOT
>> be using cookies. So each request, all the many millions of them, will
>> seem to be clean/virgin requests, not multiple attempts. Each request
>> will create a blank new session with 0 previous attempts.
>
> Good point. Thanks.
>
> So, what should I use instead of sessions to check this?
>
> Juan


You could suspend the account after 3 bad logins. Nice and simple. A
FailedLoginsSinceLastLogin counter against the account in the DB
should be enough. If that exceeds your limit, then they can't login.
They will have to re-authenticate in some other way. When that is
successful, then the value can be cleared.

Bob's way looks good.




Re: [PHP] Limit failed logins attempts

2010-08-09 Thread Peter Lind
On 9 August 2010 15:10, Richard Quadling rquadl...@gmail.com wrote:
> On 9 August 2010 14:04, Juan Rodriguez Monti j...@rodriguezmonti.com.ar
> wrote:
>> 2010/8/9 Richard Quadling rquadl...@gmail.com:
>>> On 9 August 2010 13:30, Juan Rodriguez Monti j...@rodriguezmonti.com.ar
>>> wrote:
>>>> I thought that it might be a good idea to define a session variable
>>>> called ( failedattempts ), then check and if $failedattempts is
>>>> greater than, suppose, 4 ...
>>>
>>> As sessions are connected to a request through a session cookie,
>>> putting the failed attempts in the session for checking later is a bad
>>> idea. A script attempting to crack your security will most likely NOT
>>> be using cookies. So each request, all the many millions of them, will
>>> seem to be clean/virgin requests, not multiple attempts. Each request
>>> will create a blank new session with 0 previous attempts.
>>
>> Good point. Thanks.
>>
>> So, what should I use instead of sessions to check this?
>>
>> Juan
>
>
> You could suspend the account after 3 bad logins. Nice and simple. A
> FailedLoginsSinceLastLogin counter against the account in the DB
> should be enough. If that exceeds your limit, then they can't login.
> They will have to re-authenticate in some other way. When that is
> successful, then the value can be cleared.

That allows locking out users at random by knowing the username - not
a very good solution.

Regards
Peter
