limiting login attempts of user

Question

i need help for limiting login attempt of the user. this is my code.

$login = login($username, $password);
        if($login === false) {
            if(isset($_COOKIE['login'])){
                      if($_COOKIE['login'] < 3){
                           $attempts = $_COOKIE['login'] + 1;
                           setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
                           $errors[] = 'That username/password combination is incorrect!';
                      } else{
                           echo 'You are banned for 10 minutes. Try again later';
                      }
            } else {
                   setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
             }

        } else {        
            $_SESSION['user_id'] = $login;
            header('Location: ../../home.php');
            exit();
        }

it looks right for me but it just wont work. the user could still access his/her account even after attempting 3 login.

Umm I'm not cookie expert but won't the user be able to circumvent this by deleting their cookie? — David Nguyen, Jan 28 '13 at 01:31
that's silly , clients can write/flush cookies, do it in the database — mpm, Jan 28 '13 at 01:34
so how will i do that in the database? i have no idea. please help :/ — arukiri123, Jan 28 '13 at 01:36
oh im just running this from the localhost so security doesnt matter for now — arukiri123, Jan 28 '13 at 01:36
*"oh im just running this from the localhost so security doesnt matter for now"* **Famous last words.** — Ayman Safadi, Jan 28 '13 at 01:42

score 4 · Accepted Answer · edited Aug 19 '16 at 02:49

Use an SQL database, im currently working on a snippet of code, give me about an hour and ill throw an exampl up for you

PHP:

<?php
$host = "";//Host name
$username = "";//MYSQL username
$password = "";//MYSQL password
$db_name = "";//Database name
$tbl_name = "";//Name of login table
$bl_name2 = "";//Name of table to store IP if attempt is incorrect

//connect to server and select database
try{
$conn = new PDO('mysql:host='.$host.';dbname='.$db_name.'',$username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);}
catch(PDOException $e){
echo 'ERROR: ' . $e->getMessage();}

//get users ip next, as this is for a log in, this example will show for username and pass also
$userIP = $_SERVER['REMOTE_ADDR'];
$userPassword = $_POST['passwordfromform'];
$userUsername = $_POST['usernamefromform']

if(empty($userUsername) && empty($userPassword)){
die("You must enter a username and password");
}

//check for log in excess
$checkSql="
SELECT * FROM ".$tbl_name2."
WHERE PostersIP = '".$userIP."'
";
$stmt = $db->query($checkSql);
$row_count = $stmt->rowCount();
if($rowcount >= 7){//change this number to reflect the nuber of login chances
die("You have tried to log in too many times");
}

//check to log in
$insertSql = "
SELECT * FROM ".$tbl_name."
WHERE USERNAME = '".$userUsername."'
AND PASSWORD = '".$userPassword."'";

//execute check query
$result = $conn->query($insertSql);
if($result != false){
echo "Username and Password were correct!";//link to correct page
}
else{
$incorrectSql="
INSERT INTO ".$tbl_name2."
(PostersIP) VALUES 
('".$userIP."')";
    $result2 = $conn->query($incorrectSql);
     if($result2 != false){
          die("You entered an invalid username or password, your attempt has been stored.");
        }
die("Error inserting data");
}
?>

I did not test this live, so there may be a few flaws, however i commented it pretty well for ya. you do need a second table to store user submission ips. this is a VERY messy way to do this. Im very sure there are better ways to do it, but theres my 10 minute solution :)

@arukiri123 no problem, something else you should keep in mind, is the user has a dynamic ip or uses a proxy, it makes this method a little less useful — Nick, Jan 28 '13 at 02:37
This code is vulnerable to SQL injection and will likely allow an attacker to take over the machine. Do not interpolate user-supplied strings ($userUsername, $userPassword) into an SQL statement. In PDO you must use https://secure.php.net/manual/en/pdostatement.bindparam.php — Cheekysoft, Sep 25 '15 at 15:39

score 1 · Answer 2 · edited May 23 '17 at 12:26

1

Use a database and I would suggest using IP address. check out this definitive way to get user ip address php

Capture the username, password and timestamp, record these to the table along whether failed or success. Set your parameters of when you want to ban them.

Add a check to you login script to check the IP address and only allow them to enter the details if that IP address hasn't been used for 3 failed attempts.

Obviously, you may need a new table for the banned IP address and the time when they are allowed to re-enter details.

edited May 23 '17 at 12:26

Community

1
1

answered Jan 28 '13 at 01:44

Iain Cheyne

11
3

1

There's a downside of using IP addresses though, and that is large networks: Schools, workplaces, hot spots etc. – thordarson Jan 28 '13 at 01:49
@thordarson - true enough. depends on application. I guess you could record the username in the same way and verify if the password and check if login was successful. - Valid point none the less. – Iain Cheyne Jan 28 '13 at 01:55

score 0 · Answer 3 · answered Dec 11 '17 at 17:44

I would just make another table that has cols: Username, Timestamp, Attempts. This would check the username for attempts within 10 min of the timestamp (set on the first attempt).

If ( attempts > max attempts then attempt login )
   { "Sorry to many attempts"
   else { Check login 
       if failed { Attempts++ } else (login success) { set attempts = 0 } 
(reset attempts counter)}
 }

limiting login attempts of user

3 Answers3