Suggestions required: Admin security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

1. I want to restrict a user from logging into the admin page if they fail continuously five times.
Should I do it by logging the failed attempts in a session variable
and then finally after five attempts I put an entry into the db with the date and the address of the remote host, so that the next time they try I issue a message saying login after thirty minutes from now.

After thirty minutes from then the user should be able to login from the same computer, as I compare the date with the previous entry, which should be alright by now.

2. I want the admin session to expire after thirty minutes of inactivity, how do I do that?

3. Do I have to take control of session hijacking for the admin page?
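An added example (not from the thread) of the inactivity timeout asked about in point 2, using PHP's native sessions. The session key names, the redirect target and the CLI guard are assumptions; the 30 minute limit is the one asked for.

```php
<?php
// Added example, not from the thread: expire an admin session after
// 30 minutes of inactivity. Assumes the admin page uses PHP's native
// session handling; the key names below are hypothetical.

const ADMIN_IDLE_LIMIT = 30 * 60; // seconds

// Returns true if the session is still valid and refreshes the activity stamp;
// returns false (and empties the session data) once the idle limit has passed.
function adminSessionAlive(array &$session, int $now): bool
{
    if (empty($session['admin_logged_in'])) {
        return false;
    }
    $last = $session['admin_last_activity'] ?? 0;
    if ($now - $last > ADMIN_IDLE_LIMIT) {
        // Idle too long: drop everything so the next request must log in again.
        $session = [];
        return false;
    }
    $session['admin_last_activity'] = $now;
    return true;
}

// Call right after the password check has succeeded.
function startAdminSession(array &$session, int $now): void
{
    // A fresh session id on privilege change limits session fixation.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['admin_logged_in']    = true;
    $session['admin_last_activity'] = $now;
}

// Guard placed at the top of every admin page (skipped when the file is
// included from the command line, e.g. in a test).
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!adminSessionAlive($_SESSION, time())) {
        session_destroy();
        header('Location: /admin/login.php');
        exit;
    }
}
```

The timestamp is kept server-side in the session, so the client cannot extend it; the only thing the client holds is the session id, which is regenerated at login.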
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

1. Personally, I wouldn't use sessions to track the attempts at login, nor would I use the remote host as a means of identifying a user.

Using sessions would give an attacker the ability to simply clear the session cookie (or delete the session ID from the url) giving them a clear shot at brute forcing the password (should they be so inclined). You could potentially then try to tag that user by means of remote host or equivalent, but if you take a look around for mentions of user fingerprinting, you'll see the many arguments against this method (i.e. IPs can change for numerous legitimate reasons).

Far better would be to write each failed attempt to a database, storing the username, attempt count and timestamp (time()).

For each subsequent visit, check to see if the username exists, and update the counter by one and update the timestamp.

Before each login is processed, simply query the database for the username, and you will know how many login attempts have been made, and the time of the most recent attempt.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

It's not the normal case where I have to track the user login attempts; rather it's about the admin page.

So the username is the same anytime, everywhere, so I cannot store the username.

Moreover I don't want them to attempt to login from the same PC (suppose the admin login attempt is from a different country, but I want to allow login from a legitimate user from the corporate itself) for thirty minutes. If I update the counter and when it comes to 5, I stop the user from logging in again. But if the user tries to login after half an hour after the counter was 5, how am I going to allow the user to login?

How can I run a script where I keep checking and resetting the counter if it has been more than half an hour since the last attempt, so that he can start attempting login anew?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

On a login attempt

Code:

// Record the failed attempt. Escape the username before it goes into the
// SQL string and cast the timestamp to an integer.
$user = mysql_real_escape_string($user);
$time = (int) time();
mysql_query("INSERT INTO `attempts` (`user`, `time`) VALUES ('$user', $time)");

To check the logins in the last 1/2 hour

Code:

// Count attempts newer than 30 minutes ago
$halfhour = time() - (60 * 30);
$result = mysql_query("SELECT COUNT(*) FROM `attempts` WHERE `time` > $halfhour");
$count = (int) mysql_result($result, 0);

A little garbage collecting

Code:

// Drop attempts older than 30 minutes; they can no longer affect the count
$halfhour = time() - (60 * 30);
mysql_query("DELETE FROM `attempts` WHERE `time` < $halfhour");

EDIT: Got my comparison operators reversed :-(
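An added example, not josh's code, that carries the three steps above (record an attempt, count recent attempts, garbage-collect old rows) through with PDO prepared statements so the username is never interpolated into SQL. It also answers raghavan20's question about resetting the counter: a count over a sliding window needs no reset job at all. The `attempts` table name is from the thread; the in-memory SQLite database (requires the pdo_sqlite extension) and the constructed timestamps are assumptions.

```php
<?php
// Added example, not from the thread: windowed failed-login counting with
// prepared statements. Limit: 5 failures per 30 minutes, as asked for.

const LOCKOUT_WINDOW   = 30 * 60; // seconds
const LOCKOUT_ATTEMPTS = 5;

function openAttemptStore(): PDO
{
    $db = new PDO('sqlite::memory:'); // assumption: any PDO driver works
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE attempts (user TEXT NOT NULL, time INTEGER NOT NULL)');
    return $db;
}

// On a failed login: record who and when. Bound parameters, no interpolation.
function recordFailedAttempt(PDO $db, string $user, int $now): void
{
    $stmt = $db->prepare('INSERT INTO attempts (user, time) VALUES (:user, :time)');
    $stmt->execute([':user' => $user, ':time' => $now]);
}

// Before processing a login: failures for this user inside the window.
function recentFailures(PDO $db, string $user, int $now): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM attempts WHERE user = :user AND time > :since');
    $stmt->execute([':user' => $user, ':since' => $now - LOCKOUT_WINDOW]);
    return (int) $stmt->fetchColumn();
}

// Because the count only looks back LOCKOUT_WINDOW seconds, the lockout
// lifts by itself once the old failures age out; nothing has to be reset.
function isLockedOut(PDO $db, string $user, int $now): bool
{
    return recentFailures($db, $user, $now) >= LOCKOUT_ATTEMPTS;
}

// Garbage collection: rows older than the window can never affect a decision,
// so they can be dropped at any time (e.g. at the top of the login script).
function purgeOldAttempts(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM attempts WHERE time < :since');
    $stmt->execute([':since' => $now - LOCKOUT_WINDOW]);
    return $stmt->rowCount();
}

// Walk-through with constructed timestamps: five failures in quick succession,
// then a check one minute later, then a check after the window has passed.
$db = openAttemptStore();
$t0 = 1700000000; // constructed epoch time
for ($i = 0; $i < LOCKOUT_ATTEMPTS; $i++) {
    recordFailedAttempt($db, 'admin', $t0 + $i);
}
var_dump(isLockedOut($db, 'admin', $t0 + 60));
var_dump(isLockedOut($db, 'admin', $t0 + LOCKOUT_WINDOW + 10));
echo purgeOldAttempts($db, $t0 + LOCKOUT_WINDOW + 10), " rows purged\n";
```

The garbage-collection call can sit first in the login script as raghavan20 suggests; since the lockout decision is made only on rows inside the window, running it earlier or later, or not at all for a while, does not change the result.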
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

Cheers, that's a good logic mate. Do you want to put the garbage collecting code in the login page itself and want it to be executed first in the file?

But our idea still does not address the issue: what if someone illegitimate makes attempts and we disable access, but at the same time we are preventing access to a legitimate user who wants to have access to the admin page all the time.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

You could have a locked out user verify that it is indeed them via email when they're locked out.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

If you're going to contact the real "user" saying his account is locked out, I would generate some sort of 32 char "Key" and store it in the user's row.

Then in the email provide them with a link to regenerate their account. Once the link is submitted validate it against the key in the database. Once validated remove the key.

This way, if the user is authentically trying to remember his password he is not limited by the number of attempts while someone trying to brute force the login will be limited.
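An added example, not John Cartwright's code, of the unlock-key flow he describes: generate a 32-character key, store it on the user's row, validate the submitted link against it, and remove the key once validated. Two details beyond the post are assumptions: only a hash of the key is stored (so a copy of the database does not hand out working links), and the key expires after an hour. The `users` table, the in-memory SQLite database and the sending of the email (represented here by returning the key) are hypothetical.

```php
<?php
// Added example, not from the thread: one-time unlock key for a locked-out
// admin. Assumes a users table with one row; mail sending is left out.

const UNLOCK_KEY_TTL = 60 * 60; // seconds an unlock link stays valid (assumed)

function openUserStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, unlock_hash TEXT, unlock_expires INTEGER)');
    $db->exec("INSERT INTO users (name) VALUES ('admin')"); // constructed row
    return $db;
}

// 32 hex characters from 16 bytes of CSPRNG output. Only the SHA-256 of the
// key is stored; the key itself goes into the emailed link.
function issueUnlockKey(PDO $db, string $user, int $now): string
{
    $key  = bin2hex(random_bytes(16));
    $stmt = $db->prepare('UPDATE users SET unlock_hash = :h, unlock_expires = :e WHERE name = :n');
    $stmt->execute([':h' => hash('sha256', $key), ':e' => $now + UNLOCK_KEY_TTL, ':n' => $user]);
    return $key; // e.g. /admin/unlock.php?u=admin&k=<key> (hypothetical URL)
}

// Called when the link is submitted: true only if a key is outstanding, it is
// unexpired and it matches. The key is cleared on success so the link works
// exactly once; the caller should then also delete the user's attempt rows.
function consumeUnlockKey(PDO $db, string $user, string $key, int $now): bool
{
    $stmt = $db->prepare('SELECT unlock_hash, unlock_expires FROM users WHERE name = :n');
    $stmt->execute([':n' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['unlock_hash'] === null || $now > (int) $row['unlock_expires']) {
        return false;
    }
    // Constant-time comparison of the two hashes.
    if (!hash_equals($row['unlock_hash'], hash('sha256', $key))) {
        return false;
    }
    $clear = $db->prepare('UPDATE users SET unlock_hash = NULL, unlock_expires = NULL WHERE name = :n');
    $clear->execute([':n' => $user]);
    return true;
}

// Walk-through: issue a key, try a wrong key, use the right key, then try
// to reuse it.
$db  = openUserStore();
$now = 1700000000; // constructed epoch time
$key = issueUnlockKey($db, 'admin', $now);
var_dump(consumeUnlockKey($db, 'admin', 'not-the-key', $now));
var_dump(consumeUnlockKey($db, 'admin', $key, $now + 60));
var_dump(consumeUnlockKey($db, 'admin', $key, $now + 120));
```

A wrong guess does not clear the stored key, so the user's legitimate link still works; the expiry and single use keep an emailed link from being a standing back door.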