On 9 August 2010 14:30, Juan Rodriguez Monti <juan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi guys,
> I would like to know what you suggest to implement a limit for
> failed login attempts.

I use velocity control (or whatever it is called). After the first failed attempt, set a ban-period before another login is possible for the account - start at 1 second. After each consecutive fail, double the period.

> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check, and if $failedattempts is
> greater than, suppose, 4, write to a database ( ip, username and
> last-time-attempt ). If after that the user/bot tries again to log in
> unsuccessfully, then the system should ban that user & ip combination.
>
> Some questions about this situation:
>
> - Do you think that it is a good idea to use sleep()?

No. That won't achieve much except annoy legitimate users.

> - How should I send a 503 HTTP error to the user after 5 attempts?

Use header(). I would send a 403.

> - Is it a good idea to do all this work for this security purpose?

Making sure that no one can try bruteforcing an account is a good idea. Just make sure you cannot use this security measure to lock out an account.

> - Do you know/suggest a better way to solve this?

Velocity control, as stated.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
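Peter's velocity-control scheme (1 s ban after the first failure, doubled after each consecutive one) together with his header()/403 advice, as an added example that is not code from the thread. The in-memory array standing in for Juan's database table, the function names and the 300 s cap are assumptions; the cap is there so the mechanism itself cannot be turned into a permanent lockout of an account.

```php
<?php
// Added example, not code from the original thread: per-account ban period that
// starts at 1 s after the first failed login and doubles after each further
// consecutive failure. The array store, names and the cap are assumptions.

const MAX_BAN_SECONDS = 300; // assumed cap so the measure cannot lock an account out for good

// Stand-in for the database row: account => ['fails' => n, 'last' => unix time].
$attempts = [];

function banSeconds(int $consecutiveFails): int
{
    // 1, 2, 4, 8, ... seconds; zero when there is no failure on record.
    return $consecutiveFails < 1 ? 0 : (int) min(2 ** ($consecutiveFails - 1), MAX_BAN_SECONDS);
}

function isBanned(array $attempts, string $user, int $now): bool
{
    if (!isset($attempts[$user])) {
        return false;
    }
    return $now < $attempts[$user]['last'] + banSeconds($attempts[$user]['fails']);
}

// Returns the HTTP status the login request should get: 403 via header(), and
// no sleep(), while the ban period is still running.
function handleLogin(array &$attempts, string $user, bool $passwordOk, int $now): int
{
    if (isBanned($attempts, $user, $now)) {
        header('HTTP/1.1 403 Forbidden');
        return 403;
    }
    if (!$passwordOk) {
        $fails = ($attempts[$user]['fails'] ?? 0) + 1;
        $attempts[$user] = ['fails' => $fails, 'last' => $now];
        return 401;
    }
    unset($attempts[$user]); // a successful login resets the counter
    return 200;
}

// Walk-through with a constructed sequence of attempts (timestamps in seconds).
$t = 1000;
handleLogin($attempts, 'alice', false, $t);      // first failure: ban period becomes 1 s
handleLogin($attempts, 'alice', false, $t + 1);  // second failure: ban period becomes 2 s
$status = handleLogin($attempts, 'alice', false, $t + 2); // still inside the 2 s window
echo "third attempt: HTTP $status\n";
```

The ban is keyed on the account only, as in Peter's description; keying on the user and IP combination Juan proposed is a one-line change to the array key.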