Password Attempts restriction

nzmaori
Forum Newbie
Posts: 1
Joined: Sun Oct 17, 2004 10:09 pm

Password Attempts restriction

Post by nzmaori »

We are trying to put a restriction of 3 attempts on a password and login,
but at the moment when we put the code in it gives us 3 login fields,
but still not restricted access, which is what we are trying to achieve.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

- Sessions
- Variable called "login_attempts" starts as 0, +1 every time they attempt to login; if it's 3, don't process the login, and show an error instead.
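The session counter d3ad1ysp0rk describes, written out as an added example (this is not code from the thread). `check_password()` is a placeholder for whatever verifies credentials in the real application, and the one user/password pair inside it is constructed so the script runs stand-alone. The limit is checked before the credentials are evaluated, which is what the original poster's three-field attempt was missing.

```php
<?php
// Added example (not code from the thread): a per-session counter of failed
// logins, as d3ad1ysp0rk describes. check_password() is a placeholder for
// whatever verifies credentials in your application.
session_start();

const MAX_ATTEMPTS = 3;

function check_password(string $user, string $pass): bool
{
    // Placeholder credential store so the example runs stand-alone; a real
    // application would look the hash up in its user table.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Returns 'locked', 'ok' or 'failed'. The limit is enforced before the
// credentials are looked at, so the fourth submission is never evaluated.
function attempt_login(string $user, string $pass): string
{
    $_SESSION['login_attempts'] = $_SESSION['login_attempts'] ?? 0;

    if ($_SESSION['login_attempts'] >= MAX_ATTEMPTS) {
        return 'locked';
    }
    if (check_password($user, $pass)) {
        $_SESSION['login_attempts'] = 0;   // clear the counter on success
        session_regenerate_id(true);       // new session id once authenticated
        return 'ok';
    }
    $_SESSION['login_attempts']++;
    return 'failed';
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    switch (attempt_login($_POST['login'] ?? '', $_POST['password'] ?? '')) {
        case 'ok':
            echo 'Logged in';
            break;
        case 'locked':
            echo 'Too many failed logins';
            break;
        default:
            echo 'Login failed (attempt ' . $_SESSION['login_attempts']
               . ' of ' . MAX_ATTEMPTS . ')';
    }
} else {
    // One form, rendered once; the counter lives in the session, not in the HTML.
    echo '<form method="post">'
       . '<input name="login"> <input type="password" name="password"> '
       . '<button>Login</button></form>';
}
```

The counter is only as strong as the session cookie: a client that simply drops the cookie starts again at zero, so this stops a naive script and accidental lock-ins but not a deliberate brute force. That is why the IP-and-timestamp log discussed further down the thread is the stronger control; the session counter is a useful first layer in front of it.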
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

On a related note: look into using sleep() to prevent scanning/cracking programs from doing their job easier.
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth
Contact:

Post by djot »

-
hi,

what should sleep() be good for? If access is denied anyway after 3 attempts, sleep will have no use. Also the time being denied would be held in the authentication database anyway!?

djot
-
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

sleep() would be to slow down brute force attempts, as the bot doing the work would have to wait a few seconds before trying again.

Assume that the bot can make 10 requests at a time (and it takes 1 second to do). It can make 600 attempts a minute, 36000 an hour etc. Now add a 5 second sleep to the script, so it can still make 10 requests a second, but now it takes 5 seconds, so now only 200 attempts can be made a minute - 12000 an hour - increasing the time needed by a considerable amount.

I would personally log each and every login attempt in a database with the time and IP, username used etc. and then don't allow the form or process page of the login to be loaded until a timeout period has passed - so it stops brute forcing - and then if there are 3 attempts from the same IP in 100 seconds don't let them see the login form.

This way you also have a log of whats been happening on your site, and the same table can be used elsewhere to log other events.
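kettle_drum's approach, logging every attempt with time, IP and username and refusing the login form to an address with three recent attempts, as an added example that is not code from the thread. It counts failed attempts rather than all attempts (a choice, so that a correct login does not contribute to a lockout), keeps the 3-in-100-seconds figures from the post, and uses SQLite through PDO only so that it runs stand-alone (assumes the `pdo_sqlite` extension; swap the DSN for the real database). `$verify`, the table and column names, and the address `203.0.113.7` are all constructed for the example.

```php
<?php
// Added example, not code from the thread: log every login attempt with time,
// IP and username, and refuse anyone whose IP has MAX_FAILURES failed attempts
// inside the last WINDOW_SECONDS, as kettle_drum describes. SQLite via PDO is
// used only so the script runs stand-alone; swap the DSN for your database.
const MAX_FAILURES   = 3;
const WINDOW_SECONDS = 100;

function open_attempt_log(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
                   id           INTEGER PRIMARY KEY AUTOINCREMENT,
                   attempted_at INTEGER NOT NULL,  -- unix timestamp
                   ip           TEXT    NOT NULL,
                   username     TEXT    NOT NULL,
                   success      INTEGER NOT NULL   -- 1 = credentials accepted
               )');
    // The lockout query is always "this IP, recent rows", so index exactly that.
    $db->exec('CREATE INDEX IF NOT EXISTS login_attempts_ip_time
                   ON login_attempts (ip, attempted_at)');
    return $db;
}

function record_attempt(PDO $db, string $ip, string $user, bool $ok, int $now): void
{
    $db->prepare('INSERT INTO login_attempts (attempted_at, ip, username, success)
                  VALUES (?, ?, ?, ?)')
       ->execute([$now, $ip, $user, $ok ? 1 : 0]);
}

// Failed attempts from $ip within the window ending at $now.
function recent_failures(PDO $db, string $ip, int $now): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_attempts
                          WHERE ip = ? AND success = 0 AND attempted_at > ?');
    $stmt->execute([$ip, $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

// Call this before rendering the form as well as before processing it.
function is_locked_out(PDO $db, string $ip, int $now): bool
{
    return recent_failures($db, $ip, $now) >= MAX_FAILURES;
}

// Returns 'locked', 'ok' or 'failed'. $verify is the real credential check.
function handle_login(PDO $db, string $ip, string $user, string $pass,
                      callable $verify, int $now): string
{
    if (is_locked_out($db, $ip, $now)) {
        return 'locked';            // credentials are not evaluated at all
    }
    $ok = $verify($user, $pass);
    record_attempt($db, $ip, $user, $ok, $now);
    return $ok ? 'ok' : 'failed';
}

// Stand-alone run on constructed data: three failures from one address, then
// the right password inside the window, then the right password after it.
$db     = open_attempt_log();
$verify = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse'; // placeholder
$t      = 1700000000;
$script = [
    ['alice', 'wrong-1',       $t],
    ['alice', 'wrong-2',       $t + 10],
    ['bob',   'wrong-3',       $t + 20],
    ['alice', 'correct horse', $t + 30],
    ['alice', 'correct horse', $t + 121],
];
foreach ($script as [$user, $pass, $when]) {
    printf("%d %-6s %s\n", $when, $user,
           handle_login($db, '203.0.113.7', $user, $pass, $verify, $when));
}
```

On the page that renders the form, call `is_locked_out($db, $_SERVER['REMOTE_ADDR'], time())` first and serve the refusal instead of the form when it returns true; the fourth entry in the constructed run is refused without the password being looked at, and the same credentials go through once the window has passed. Use `REMOTE_ADDR` for the address unless the application sits behind a proxy you control, since `X-Forwarded-For` style headers are set by the client and would let an attacker pick a fresh "IP" for every request. The same table doubles as the audit log kettle_drum wants: a query for distinct usernames tried from one address in a short window is a direct indicator of a credential-guessing run.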
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Yep. Excellent advice, kettle_drum.

That's a very good administration strategy for user management applications.
feha
Forum Newbie
Posts: 5
Joined: Tue Oct 19, 2004 7:11 am
Location: Sweden

Sessions

Post by feha »

You can use sessions to store attempts ...
then check and ban it from the session.
Attacker needs to close browser to try again ...
You can extend this: after x attempts and a session ban, store him in a ban IP DB forever or for x amount of time ...

http://www.vision.to
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth
Contact:

Post by djot »

-
Hi,

Right. That's what I meant by denying access - depending on banned IP, don't even show the login form, so you don't need login slowdowns with sleep();

djot
-
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Yeah, but the stopping is just as important as the logging. You want to KNOW that people are trying to break into accounts so you can take further actions - as if you don't notice them doing it, then they can continue - just slowed down a bit.
feha
Forum Newbie
Posts: 5
Joined: Tue Oct 19, 2004 7:11 am
Location: Sweden

Post by feha »

feyd | Help us, help you. Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)

```php
// Included from a common file: every page refuses a session flagged as banned
if (CCGetSession("BANNED".SUFFIX) == 1) {
    echo "ACCESS DENIED!";
    exit;
}
```

You put this in a common file...

Part of the code:

```php
if (!CCLoginUser($LogIn_inc->Login->login->Value, $LogIn_inc->Login->password->Value)) {
    $LogIn_inc->Login->Errors->addError("LNG_LOGIN_ERROR_0.");

    if (defined("USE_HACKLOG") && USE_HACKLOG == 1) {
        // Per-session failure counter, created on the first failed login
        if (CCGetSession("HACK_TRY".SUFFIX) == "") {
            CCSetSession("HACK_TRY".SUFFIX, 0);
        }
        CCSetSession("HACK_TRY".SUFFIX, CCGetSession("HACK_TRY".SUFFIX) + 1);

        if (CCGetSession("HACK_TRY".SUFFIX) == MAX_LOGIN) {
            // Referer may be absent; avoid an undefined-index notice
            $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
            // Note: the submitted password is written to the hack log in cleartext
            hack_logger($_SERVER["REQUEST_URI"], get_real_ip(), $_SERVER["HTTP_USER_AGENT"], $referer,
                        "Invalid Userid : ".$LogIn_inc->Login->login->Value
                        ." Or Password : ".$LogIn_inc->Login->password->Value);
            echo "HACK ATTEMPT !? <br>THIS ATTEMPT HAS BEEN LOGGED FOR FURTHER INVESTIGATION.";
            exit;
        }
        $LogIn_inc->Login->Errors->addError("Login ATTEMPT ".CCGetSession("HACK_TRY".SUFFIX));
    }
}
```
Used at http://www.vision.to

regards
feha

