
I have a form like this for logging in:

<form action="form.php" method="post">
    <input type="text" name="name" placeholder="Type your name">
    <input type="password" name="password" placeholder="Type your password" >
    <input type="submit" name="submit" value="Login">
</form>

I want to add Google reCAPTCHA only if the user has tried to log in more than 3 times, for example:

<form action="form.php" method="post">
    <input type="text" name="name" placeholder="Type your name">
    <input type="password" name="password" placeholder="Type your password" >
    <?php if ($failedLogins > 3): // $failedLogins: however the failed submissions are counted ?>
        <div class="g-recaptcha" data-sitekey="=== Your site key ==="></div>
    <?php endif; ?>
    <input type="submit" name="submit" value="Login">
</form>

I'm thinking of using cookies: after validation, if the login fails, add a cookie with value 1, and if this cookie already exists, increase it by 1.

// Count failed logins in a cookie (setcookie() is PHP's built-in).
if (isset($_COOKIE['tries'])) {
    setcookie('tries', (string)((int)$_COOKIE['tries'] + 1));
} else {
    setcookie('tries', '1');
}

But what if the cookies are disabled?!

I'm also thinking of using the IP address: create a table with the IP addresses of users whose login attempts fail:

__________________________________
|        |          |             |
|   ip   |   count  |   date      |
|________|__________|_____________|

Where count is the number of failed logins and date is today's date, so if the date is today and the count > 3, show the reCAPTCHA.

But what if the user is using a VPN?

Is there a reliable way of doing that?

How does Stack Overflow do that?

alexP
  • Store the IP, set a parameter in localStorage, set a cookie... – alexP Jul 20 '18 at 19:03
  • IMO it's as simple as creating a table with userid and miss count. – ControlAltDel Jul 20 '18 at 19:03
  • @ControlAltDel, but what exactly would identify the user to give him an id? –  Jul 20 '18 at 19:04
  • @ControlAltDel, if you mean the username, what if he is trying to guess multiple usernames? –  Jul 20 '18 at 19:05
  • @Dan I do mean username. "What if he is trying to guess multiple usernames" - I don't know how a hacker could be successful trying to guess both the username and the password; there are too many combinations. But using cookies or localstorage are unlikely to deter such a hacker, as they can be cleared by the user, or otherwise ignored if the attack is orchestrated programmatically – ControlAltDel Jul 20 '18 at 19:10
  • I track both IP and username, and disable logins from one or the other after a certain number of attempts (and only for a limited time of course). So if the same IP is hammering random usernames, or random IPs are hammering a single username, I catch both. Random IPs hammering random usernames is kind-of intractable. – Pointy Jul 20 '18 at 19:12

2 Answers


How about sessions?

Increment a variable in your session every time a login is processed. Then check the session variable and, if it's greater than 3, show the reCAPTCHA.

session_start();
// Initialise the counter on the first visit, then count this login attempt.
$_SESSION["logins"] = ($_SESSION["logins"] ?? 0) + 1;

---

if ($_SESSION["logins"] >= 3) {
    // show the recaptcha
}
Liftoff
  • Does it work if the user is using software rather than entering the data manually in the browser? –  Jul 20 '18 at 19:09
  • Sessions are stored on the server. It doesn't matter what the client is using. https://stackoverflow.com/questions/1535697/how-do-php-sessions-work-not-how-are-they-used – Liftoff Jul 20 '18 at 19:11
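As an added example (not Liftoff's code and not from the question), here is the session counter wired into the asker's form, together with the server-side check that a rendered widget needs: when the captcha was shown, the `g-recaptcha-response` token is verified against Google's siteverify endpoint before the password is even looked at, otherwise the widget is decorative. The key constants are placeholders for your own reCAPTCHA keys, and `check_credentials()` is a hypothetical function standing in for your real password check.

```php
<?php
// Added example, not the answer's code. Session-based failed-login counter
// that decides whether to render the reCAPTCHA widget and, when it was
// rendered, verifies the token server-side before checking the password.
// Assumptions: the two key constants are placeholders for your own keys;
// check_credentials($name, $password) is hypothetical and returns bool.
declare(strict_types=1);
session_start();

const MAX_FREE_ATTEMPTS  = 3;
const RECAPTCHA_SITE_KEY = '=== Your site key ===';   // placeholder
const RECAPTCHA_SECRET   = '=== Your secret key ==='; // placeholder

function failed_attempts(): int
{
    return (int)($_SESSION['failed_logins'] ?? 0);
}

function captcha_required(): bool
{
    return failed_attempts() >= MAX_FREE_ATTEMPTS;
}

// Ask Google's siteverify endpoint whether the submitted token is valid.
// Any transport or parse failure counts as "not verified" (fail closed).
function recaptcha_valid(string $token): bool
{
    if ($token === '') {
        return false;
    }
    $body = http_build_query([
        'secret'   => RECAPTCHA_SECRET,
        'response' => $token,
        'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
    ]);
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($raw === false) {
        return false;
    }
    $json = json_decode($raw, true);
    return is_array($json) && ($json['success'] ?? false) === true;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The counter is read *before* this attempt is recorded, so the check
    // matches what the user saw when the form was rendered.
    if (captcha_required() && !recaptcha_valid($_POST['g-recaptcha-response'] ?? '')) {
        $error = 'Please complete the captcha.';
    } elseif (check_credentials($_POST['name'] ?? '', $_POST['password'] ?? '')) { // hypothetical
        session_regenerate_id(true);       // fresh session id after a successful login
        unset($_SESSION['failed_logins']); // reset the counter
        header('Location: /');
        exit;
    } else {
        $_SESSION['failed_logins'] = failed_attempts() + 1;
        $error = 'Wrong name or password.';
    }
}
?>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<form action="form.php" method="post">
    <input type="text" name="name" placeholder="Type your name">
    <input type="password" name="password" placeholder="Type your password">
    <?php if (captcha_required()): ?>
        <script src="https://www.google.com/recaptcha/api.js" async defer></script>
        <div class="g-recaptcha" data-sitekey="<?= htmlspecialchars(RECAPTCHA_SITE_KEY) ?>"></div>
    <?php endif; ?>
    <input type="submit" name="submit" value="Login">
</form>
```

One limit worth keeping in mind, in line with ControlAltDel's comment above: the counter lives in the session, and the session is tied to the session cookie. A client that simply does not send that cookie back gets a fresh session, and a fresh counter, on every request, so the session approach slows down a person at a browser but not a script. Pairing it with a server-side record keyed on something the client cannot drop (the IP table from the other answer, or the username) covers that case.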

Without client-side cookies, you'd need a database table with an ip, last-attempt and attempts column.

  • If the last-attempt is over 5 minutes old, reset attempts to 0.
  • Set last-attempt to now and increase attempts by 1.
  • If attempts is > 3, show the captcha.

Unless you have a lot of users behind a corporate firewall the above should work. You can also use cookies if the client will take them with session, etc.

Tracker1
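The three steps above carried through over a real table, as an added example that is not Tracker1's code: a SQLite table accessed through PDO, the 5-minute window and the threshold of 3 as stated in the answer, and a constructed walk-through at the bottom. The table name `login_attempts`, the function names and the in-memory database are choices made here, not anything from the page.

```php
<?php
// Added example, not the answer's code. The answer's three steps over a
// SQLite table via PDO. Assumptions: table/function names are chosen here;
// the window (5 minutes) and threshold (3) come from the answer.
declare(strict_types=1);

const ATTEMPT_WINDOW_SECONDS = 300; // "over 5 minutes old" -> reset
const CAPTCHA_THRESHOLD      = 3;   // "attempts is > 3" -> show captcha

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:'); // in-memory for the walk-through; use a file or server in practice
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        ip           TEXT PRIMARY KEY,
        last_attempt INTEGER NOT NULL,
        attempts     INTEGER NOT NULL
    )');
    return $db;
}

function fetch_row(PDO $db, string $ip): ?array
{
    $stmt = $db->prepare('SELECT last_attempt, attempts FROM login_attempts WHERE ip = ?');
    $stmt->execute([$ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Steps 1 and 2: record one failed login from $ip and return the number of
// failures inside the current window. $now is a Unix timestamp.
function record_failed_attempt(PDO $db, string $ip, int $now): int
{
    $db->beginTransaction();
    $row = fetch_row($db, $ip);
    $attempts = 0;
    if ($row !== null && ($now - (int)$row['last_attempt']) <= ATTEMPT_WINDOW_SECONDS) {
        $attempts = (int)$row['attempts']; // still inside the window, keep counting
    }
    $attempts++;
    $db->prepare('INSERT OR REPLACE INTO login_attempts (ip, last_attempt, attempts) VALUES (?, ?, ?)')
       ->execute([$ip, $now, $attempts]);
    $db->commit();
    return $attempts;
}

// Step 3: decide whether the widget has to be rendered on the next page load.
function captcha_required(PDO $db, string $ip, int $now): bool
{
    $row = fetch_row($db, $ip);
    if ($row === null || ($now - (int)$row['last_attempt']) > ATTEMPT_WINDOW_SECONDS) {
        return false; // no record, or the last failure is older than the window
    }
    return (int)$row['attempts'] > CAPTCHA_THRESHOLD;
}

// Constructed walk-through: four quick failures trip the captcha; a further
// failure after the window has expired starts the count again from 1.
$db = open_db();
$ip = '203.0.113.7';   // constructed documentation address
$t  = 1700000000;      // constructed starting timestamp
for ($i = 0; $i < 4; $i++) {
    record_failed_attempt($db, $ip, $t + $i);
}
var_dump(captcha_required($db, $ip, $t + 4));
var_dump(record_failed_attempt($db, $ip, $t + 1000));
var_dump(captcha_required($db, $ip, $t + 1000));
```

Take the address from `$_SERVER['REMOTE_ADDR']`, not from a header such as `X-Forwarded-For`, unless your own reverse proxy sets that header and strips whatever the client sent; the header is client-supplied and would let the counter be keyed on any value the client chooses. The "corporate firewall" caveat in the answer cuts the other way: many users behind one NAT address share one row, so a handful of honest mistakes from colleagues can trip the captcha for all of them, which is why the per-username counter from Pointy's comment is a useful second key.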