On 9 August 2010 14:04, Juan Rodriguez Monti <juan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> 2010/8/9 Richard Quadling <rquadling@xxxxxxxxx>:
>> On 9 August 2010 13:30, Juan Rodriguez Monti <juan@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>> I thought that might be a good idea, to define a session variable
>>> called ( failedattempts ), then check and if $failedattempts is
>>> greater than, suppose, 4 ...
>>
>> As sessions are connected to a request through a session cookie,
>> putting the failed attempts in the session for checking later is a bad
>> idea. A script attempting to crack your security will most likely NOT
>> be using cookies. So each request, all the many millions of them, will
>> seem to be clean/virgin requests, not multiple attempts. Each request
>> will create a blank new session with 0 previous attempts.
>
> Good point. Thanks.
>
> So, what should I use instead of sessions to check this?
>
> Juan
>

You could suspend the account after 3 bad logins. Nice and simple.

A "FailedLoginsSinceLastLogin" counter against the account in the DB
should be enough. If that exceeds your limit, then they can't log in.
They will have to re-authenticate in some other way. When that is
successful, then the value can be cleared.

Bob's way looks good.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
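The per-account counter described in the reply above, as an added example that is not part of the original thread: the failed-login count lives in the user row, so it survives cookie-less requests, the account is refused once the count reaches the limit (3, as suggested), a good login clears it, and a separate out-of-band step is the only way to clear a locked account. Table and column names, the SQLite in-memory store and the PBKDF2 hashing are assumptions for the demonstration.

```python
import hashlib
import hmac
import sqlite3

MAX_FAILED = 3  # lock the account after this many bad logins (from the thread)


def setup_db():
    """Constructed in-memory user table; the counter is stored with the account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE users (
        username TEXT PRIMARY KEY,
        pw_hash BLOB NOT NULL,
        failed_logins_since_last_login INTEGER NOT NULL DEFAULT 0)""")
    return conn


def _hash(password, salt=b"constructed-demo-salt"):
    # Assumed hashing scheme for the demo; a real deployment uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(conn, username, password):
    conn.execute("INSERT INTO users VALUES (?, ?, 0)", (username, _hash(password)))


def login(conn, username, password):
    """Return 'ok', 'locked' or 'bad'. Nothing here depends on a session cookie."""
    row = conn.execute(
        "SELECT pw_hash, failed_logins_since_last_login FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        _hash(password)  # spend the same effort so unknown names are not faster to probe
        return "bad"
    pw_hash, failed = row
    if failed >= MAX_FAILED:
        return "locked"  # suspended until re-authenticated some other way (unlock())
    if hmac.compare_digest(pw_hash, _hash(password)):
        # Successful login: clear the counter, as the reply suggests.
        conn.execute("UPDATE users SET failed_logins_since_last_login = 0 "
                     "WHERE username = ?", (username,))
        return "ok"
    conn.execute("UPDATE users SET failed_logins_since_last_login = "
                 "failed_logins_since_last_login + 1 WHERE username = ?", (username,))
    return "bad"


def unlock(conn, username):
    """Called only after the user re-authenticates through the separate channel."""
    conn.execute("UPDATE users SET failed_logins_since_last_login = 0 WHERE username = ?",
                 (username,))
```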