PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Hi there,
I have seen many sites blocking the user for a certain time after they try to log in more than three times. Is it possible through scripting? I'm wondering how I can do that.
Waiting for the response
Thanking you
Dibyendra
.. add their IP, attempt-count and last-seen time to a file or table and don't allow it if the count is too high and last-seen is too close...
Would IP be good enough to do a check against? Most IPs are dynamically assigned these days, so a user could try 3 times. Disconnect, get new IP and try 3 more times!?
you can set a cookie but it really provides no security as cookies are easy to delete and fake..
People being able to change their IP is usually no risk, as it usually takes them several seconds to do so, so the "Attack" will be very slow. For those that do own their own B-Block of IPs (very unusual unless you're an ISP) and can change rapidly, the attack is still limited to 32 thousand attempts, and that should not be enough to automate password-guessing if the passwords are screened for dictionary words and names and such..
I was going to post a new topic on this but I saw the topic, so I might as well save some space and throw in the question here.
Say you block an IP from a person using a dial-up connection. In theory, you would redirect the person with that IP to somewhere else, right? Well, what if the user disconnected and reconnected, he or she gets a new IP and is able to get into the site again. That's obvious, but it's not my main question.
If another user had the same IP that was blocked and tries to get into the site, he or she would be redirected to elsewhere, right?
I heard most people are still on a 56k dial-up connection.
[quote=Nay]
If another user had the same IP that was blocked and tries to get into the site, he or she would be redirected to elsewhere, right?
[/quote]
Right. Workarounds...
Stoker mentioned cookies, and I agree fully. It's probably the thing that is worth most attention regarding this, though you can't expect it to be foolproof safe.
I also agree with him about the issue with users changing IPs. It takes too long. If you are really getting hammered with brute force attempts combined with proxy-sources, you should consider hardware solutions (big $ though).
The first reply in this thread sounds like a solution worth coding more on.
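The approach from the first reply (IP, attempt count and last-seen time kept in a table), as an added example that is not part of any post in this thread. The table name, the limits, the function names and the in-memory SQLite database used through PDO are all assumptions.

```php
<?php
// Added example: names, limits and the SQLite DSN are assumptions, not from the thread.
const MAX_ATTEMPTS = 3;    // failed logins allowed before blocking
const LOCK_SECONDS = 900;  // "last-seen is too close" window

function throttle_db(): PDO {
    $db = new PDO('sqlite::memory:');  // stand-in for a real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_attempts (ip TEXT PRIMARY KEY,
               attempts INTEGER NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

function fetch_row(PDO $db, string $ip): ?array {
    $q = $db->prepare('SELECT attempts, last_seen FROM login_attempts WHERE ip = ?');
    $q->execute([$ip]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : array_map('intval', $row);
}

// Blocked only when the count is too high AND the last failure is recent.
function is_blocked(PDO $db, string $ip, int $now): bool {
    $row = fetch_row($db, $ip);
    return $row !== null && $row['attempts'] >= MAX_ATTEMPTS
        && $now - $row['last_seen'] < LOCK_SECONDS;
}

// Count a failure; a row older than the window starts again at 1.
function record_failure(PDO $db, string $ip, int $now): void {
    $row = fetch_row($db, $ip);
    $stale = $row === null || $now - $row['last_seen'] >= LOCK_SECONDS;
    $db->prepare('REPLACE INTO login_attempts (ip, attempts, last_seen) VALUES (?, ?, ?)')
       ->execute([$ip, $stale ? 1 : $row['attempts'] + 1, $now]);
}

$db = throttle_db();
$ip = '203.0.113.7';  // constructed address; a real page reads $_SERVER['REMOTE_ADDR']
$t0 = 1700000000;     // constructed clock; a real page uses time()
foreach ([0, 5, 10, 15, LOCK_SECONDS + 20] as $offset) {
    if (is_blocked($db, $ip, $t0 + $offset)) {
        echo "+{$offset}s: blocked, password not checked\n";
        continue;
    }
    record_failure($db, $ip, $t0 + $offset);  // simulate a wrong password
    echo "+{$offset}s: attempt allowed, failure recorded\n";
}
```

On a successful login the row for that IP would be deleted so that earlier failures do not count against the next session.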
nay: i'm sure it's lower in the total world.. in the us, about a year ago i saw then current stats: 80% still on dial up.
from what i can tell, that number can't have dropped below 50%. i say this because it took the cable company 3 years to get cable access here.. they only made it available because rcn came in thanks to the end of the monopolization and said they'd offer it by the end of their first year and started building.