
How to block a user after 3 login attempts?

Here is my code:

    <?php
    session_start();

    /************ Connexion ************/

    if (isset($_POST['cnx'])) {
        require_once('../config.php');
        $db  = new DBSTOCK();
        $cnx = $db->connect();
        $user = $_POST['user'];
        $pass = $_POST['pass'];
        // To protect from MySQL injection for Security purpose
        $user = strip_tags($user);
        $pass = strip_tags($pass);

        $user = stripslashes($user);
        $pass = stripslashes($pass);

        $user = mysqli_real_escape_string($cnx, $user);
        $pass = mysqli_real_escape_string($cnx, $pass);

        $q = mysqli_query($cnx, "select * from admin where user='" . $user . "'");

        $row = mysqli_fetch_array($q); // null when there is no such user
        $pw = $row ? $row['pass'] : ''; // hashed password in database
        $username = $row ? $row['user'] : '';

        if ($row && $user == $username && password_verify($pass, $pw)) {
            $_SESSION["user"] = $user;
            header("Location: ../view/accueil.php");
        } else {
            header("Location: ../index.php?failed=0");
        }
        exit; // header() does not stop the script; nothing below should run after a redirect
    }

    /************ Deconnexion ************/

    if (isset($_GET['decnx'])) {
        session_unset();   // clear the session variables first...
        session_destroy(); // ...then destroy the session itself

        header("Location: ../index.php");
        exit;
    }

Any script suggestion I can add to my code so a user can be blocked for 10 minutes after 3 consecutive failed login attempts?

Miloud BAKTETE

Please have a look [here](http://stackoverflow.com/questions/30770438/blocked-the-user-after-3-attempts-in-php) and [here](http://stackoverflow.com/questions/14035845/how-to-blocked-login-a-few-minutes-after-3-unsuccessful-login) – Chandan Rai Nov 02 '16 at 19:51

2 Answers

Add the following two columns to your row:

  • last_attempt as a datetime
  • attempt_count as an int

In your login logic, check these two values. If it's 3 or more and within the time frame (e.g. 10 minutes), then update last_attempt and increment attempt_count; this second part is not necessary, but you might want to know this. If it's been more than 10 minutes, then set attempt_count back to 0 if they pass or 1 if they fail, and update last_attempt again.

As a bonus, you now also know the last time the user logged in, which is useful when you want to find unused accounts.

TravisO

There are so many ways to do that. If you want to block the device, then you can create a cookie for 10 minutes and set a condition: if the username matches, it will not hit the database to log in.

Or if you want to block that user on any device, then you have to maintain the user status, where three consecutive failed attempts will change the user status and record the time when it was blocked. But in that case you have to check, for every login attempt, whether the blocked time was 10 minutes ago or not.

Jaber

You'd be much better off using server-side locking, rather than client side (with a cookie), as cookies can be modified by the user. TravisO's answer is very simple, and would arguably be much safer. :) – XtraSimplicity Nov 02 '16 at 20:02
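A worked version of the server-side lockout that TravisO's answer describes (and that Jaber's second paragraph calls "maintaining the user status"), added here as an example; it is not code from the question or from either answer. It assumes a table named admin with columns user, pass, attempt_count and last_attempt, uses an in-memory SQLite database through PDO so it runs stand-alone, and the account 'alice' is constructed sample data.

```php
<?php
// Added example: lock an account for 10 minutes after 3 consecutive failed
// logins, using the attempt_count / last_attempt columns from TravisO's answer.
// Assumptions: table admin (user, pass, attempt_count, last_attempt) in an
// in-memory SQLite database; 'alice' / 'correct horse' is constructed data.

const MAX_ATTEMPTS   = 3;
const LOCKOUT_WINDOW = 600; // seconds (10 minutes)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admin (
    user          TEXT PRIMARY KEY,
    pass          TEXT NOT NULL,              -- password_hash() output
    attempt_count INTEGER NOT NULL DEFAULT 0,
    last_attempt  INTEGER NOT NULL DEFAULT 0  -- unix timestamp
)");
$db->prepare("INSERT INTO admin (user, pass) VALUES (?, ?)")
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * One login attempt. Returns 'ok', 'locked' or 'bad_credentials'.
 * $now is passed in instead of calling time() so the 10-minute window
 * can be exercised below without sleeping.
 */
function attemptLogin(PDO $db, string $user, string $pass, int $now): string
{
    // Hash verified when the user does not exist, so the response time does
    // not reveal which usernames are valid.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $sel = $db->prepare(
        "SELECT pass, attempt_count, last_attempt FROM admin WHERE user = ?"
    );
    $sel->execute([$user]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($pass, $dummyHash);
        return 'bad_credentials';
    }

    $inWindow = ($now - (int)$row['last_attempt']) < LOCKOUT_WINDOW;

    // Still locked: 3+ consecutive failures and the last one inside the window.
    // last_attempt is refreshed, as TravisO suggests, so guessing while locked
    // keeps the lock alive; the password is deliberately not checked here.
    if ($inWindow && (int)$row['attempt_count'] >= MAX_ATTEMPTS) {
        $db->prepare("UPDATE admin SET last_attempt = ? WHERE user = ?")
           ->execute([$now, $user]);
        return 'locked';
    }

    if (password_verify($pass, $row['pass'])) {
        // Success clears the counter; last_attempt now also records the last login.
        $db->prepare("UPDATE admin SET attempt_count = 0, last_attempt = ? WHERE user = ?")
           ->execute([$now, $user]);
        return 'ok';
    }

    // Failure: keep counting inside the window, start over at 1 outside it.
    $count = $inWindow ? (int)$row['attempt_count'] + 1 : 1;
    $db->prepare("UPDATE admin SET attempt_count = ?, last_attempt = ? WHERE user = ?")
       ->execute([$count, $now, $user]);
    return 'bad_credentials';
}

// Walk-through with a fixed clock (constructed): three wrong passwords, then
// the correct password while still locked, then the correct password once the
// window has expired.
$t = 1000000;
foreach ([['wrong', 0], ['wrong', 1], ['wrong', 2],
          ['correct horse', 3], ['correct horse', 3 + LOCKOUT_WINDOW]] as [$pw, $offset]) {
    printf("t+%-4d %s\n", $offset, attemptLogin($db, 'alice', $pw, $t + $offset));
}
```

Two design points worth noting. The lock check runs before password_verify(), so a locked account is never verified at all, which is what makes the lock effective against guessing. And because the counter is keyed by username and the window is refreshed on every attempt while locked, anyone who knows a username can keep that account locked indefinitely; if that matters, drop the refresh so the lock expires a fixed 10 minutes after the third failure, or track attempts per client address as well. In the question's own code the same idea applies: query attempt_count and last_attempt from the admin row, redirect to the failed page without verifying while locked, and update the two columns in the success and failure branches.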