Suggestions required: Admin security
Posted: Wed Jul 27, 2005 6:28 am
by raghavan20
1. I want to restrict a user from logging into the admin page if they fail continuously five times.
Should I do it by logging the failed attempts in a session variable,
and then finally after five attempts I put an entry into the db with the date and the address of the remote host, so that the next time they try I issue a message saying to log in after thirty minutes from now?
After thirty minutes from then the user should be able to log in from the same computer, as I compare the date with the previous entry, which should be alright by now.
2. I want the admin session to expire after thirty minutes of inactivity, how do I do that?
3. Do I have to take control of session hijacking for the admin page?
Posted: Wed Jul 27, 2005 6:48 am
by Stryks
1. Personally, I wouldn't use sessions to track the attempts at login, nor would I use the remote host as a means of identifying a user.
Using sessions would give an attacker the ability to simply clear the session cookie (or delete the session ID from the URL), giving them a clear shot at brute forcing the password (should they be so inclined). You could potentially then try to tag that user by means of remote host or equivalent, but if you take a look around for mentions of user fingerprinting, you'll see the many arguments against this method (i.e. IPs can change for numerous legitimate reasons).
Far better would be to write each failed attempt to a database, storing the username, attempt count and timestamp (time()).
For each subsequent visit, check to see if the username exists, and update the counter by one and update the timestamp.
Before each login is processed, simply query the database for the username, and you will know how many login attempts have been made, and the time of the most recent attempt.
Posted: Wed Jul 27, 2005 7:08 am
by raghavan20
It's not the normal case where I have to track the user login attempts; rather it's about the admin page.
So the username is the same anytime, everywhere, so I cannot store the username.
Moreover I don't want them to attempt to log in from the same PC (suppose the admin login attempt is from a different country but I want to allow login from a legitimate user from the corporate itself) for thirty minutes. If I update the counter and when it comes to 5, I stop the user from logging in again. But if the user tries to log in half an hour after the counter was 5, how am I going to allow the user to log in?
How can I run a script where I keep checking and resetting the counter if it has been more than half an hour since the last attempt, so that he can start attempting login anew?
Posted: Wed Jul 27, 2005 7:43 am
by josh
On a login attempt
Code:
// $user is the submitted username, $time the unix timestamp of the attempt (time()).
// Escape the username and force the timestamp to an integer before building the query.
mysql_query("insert into `attempts` (`user`, `time`) values ('" . mysql_real_escape_string($user) . "', " . (int) $time . ") ; ");
To check the logins in the last 1/2 hour
Code:
$halfhour = time() - (60 * 30);   // unix timestamp thirty minutes ago
$result = mysql_query("SELECT count(*) FROM `attempts` WHERE `time` > $halfhour ; ");
A little garbage collecting
Code:
$halfhour = time() - (60 * 30);   // rows older than this are no longer needed
$result = mysql_query("DELETE FROM `attempts` WHERE `time` < $halfhour ; ");
EDIT: Got my comparison operators reversed

Posted: Wed Jul 27, 2005 9:04 am
by raghavan20
Cheers, that's good logic, mate. Do you want to put the garbage collecting code in the login page itself and want it to be executed first in the file?
But our idea still does not address the issue: what if someone illegitimate makes attempts and we disable access, but at the same time we are preventing access to a legitimate user who wants to have access to the admin page all the time?
Posted: Wed Jul 27, 2005 3:30 pm
by Ambush Commander
You could have a locked out user verify that it is indeed them via email when they're locked out.
Posted: Wed Jul 27, 2005 3:46 pm
by John Cartwright
If you're going to contact the real "user" saying his account is locked out, I would generate some sort of 32 char "Key" and store it in the user's row.
Then in the email provide them with a link to regenerate their account. Once the link is submitted, validate it against the key in the database. Once validated, remove the key.
This way, if the user is authentically trying to remember his password he is not limited by the number of attempts, while someone trying to brute force the login will be limited.
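Josh's time-windowed attempts table and John Cartwright's single-use unlock key, put together in one added example (my code, not any poster's). It assumes an in-memory SQLite table standing in for the thread's MySQL one, parameterised queries instead of string interpolation, and constructed timestamps; because only failures inside the last thirty minutes are counted, the lock lifts by itself and no counter-reset script is needed.

```python
import secrets
import sqlite3

LOCK_WINDOW = 30 * 60   # seconds; josh's half-hour window
MAX_ATTEMPTS = 5        # raghavan20's threshold

def open_db():
    # In-memory SQLite stand-in (assumption) for the thread's MySQL `attempts` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attempts (user TEXT, time INTEGER)")
    db.execute("CREATE TABLE unlock_keys (user TEXT PRIMARY KEY, key TEXT)")
    return db

def record_failure(db, user, now):
    # Parameterised query: the username is never spliced into the SQL text.
    db.execute("INSERT INTO attempts (user, time) VALUES (?, ?)", (user, now))

def is_locked(db, user, now):
    # Only failures inside the window count, so the lock lifts on its own after thirty minutes.
    (n,) = db.execute("SELECT count(*) FROM attempts WHERE user = ? AND time > ?",
                      (user, now - LOCK_WINDOW)).fetchone()
    return n >= MAX_ATTEMPTS

def garbage_collect(db, now):
    db.execute("DELETE FROM attempts WHERE time < ?", (now - LOCK_WINDOW,))

def issue_unlock_key(db, user):
    key = secrets.token_hex(16)   # random 32-hex-char key, stored in the user's row, e-mailed as a link
    db.execute("INSERT OR REPLACE INTO unlock_keys (user, key) VALUES (?, ?)", (user, key))
    return key

def redeem_unlock_key(db, user, presented):
    row = db.execute("SELECT key FROM unlock_keys WHERE user = ?", (user,)).fetchone()
    if row is None or not secrets.compare_digest(row[0], presented):
        return False
    # Single use: drop the key and the failures that caused the lock-out.
    db.execute("DELETE FROM unlock_keys WHERE user = ?", (user,))
    db.execute("DELETE FROM attempts WHERE user = ?", (user,))
    return True

def scenario():
    db, t0 = open_db(), 1_000_000   # constructed timestamps
    for i in range(MAX_ATTEMPTS):
        record_failure(db, "admin", t0 + i)
    locked = is_locked(db, "admin", t0 + 10)
    expired = is_locked(db, "admin", t0 + LOCK_WINDOW + 60)   # lock lifts on its own
    key = issue_unlock_key(db, "admin")
    bad = redeem_unlock_key(db, "admin", "0" * 32)
    good = redeem_unlock_key(db, "admin", key)
    return locked, expired, bad, good, is_locked(db, "admin", t0 + 10)
```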