Block user account on unsuccessful login attempts

Hi all,

I need some suggestions and help with an issue I am facing. I have a login page for users. I want to track the number of unsuccessful login attempts made by the user and, once the count is 3, I want to block the account.
What is the best way to do this? Thanks in advance :)

I’m guessing you’re using a database for your users.
What you’d typically do is add two columns (if you don’t have them already): numFailedLoginAttempts and active.
In the login script you only find those users who are active.
E.g., the query to find the users becomes something like

SELECT password FROM user WHERE username = ? AND active = 1  -- bind {username} as a parameter instead of concatenating it into the query

Now, if you find the user but the password is incorrect, you increase numFailedLoginAttempts by 1.
Once numFailedLoginAttempts hits 3, you set active to 0 (false).

If you do it this way, take care that when a user is successfully logged in, you reset his/her numFailedLoginAttempts to 0. Otherwise if I login incorrectly once today, once next week, and once the week after that, I’m also blocked.

BTW, a nicer approach would be to block the user for a certain amount of time (say 30 minutes) when he/she has entered the password wrong 3 times.
This still prevents brute-force attacks, while the user doesn't lose his/her account and have to contact you to fix it.
For this you would need some column blockedUntil (datetime).
I'm sure you can figure this out using the example above :)
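The approach described in this reply (a numFailedLoginAttempts column, a reset on successful login, and a 30-minute blockedUntil window instead of a permanent active=0), carried through as an added worked example; this is not code from the thread. The sqlite3 schema, the sample user "alice", the PBKDF2 password hashing and the result strings are constructed here for illustration.

```python
import hashlib
import hmac
import os
import sqlite3
import time

MAX_FAILED_ATTEMPTS = 3    # block after the third wrong password
LOCKOUT_SECONDS = 30 * 60  # temporary block instead of a permanent active=0

def hash_password(password, salt):
    # Store a salted PBKDF2 hash, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def open_db():
    # Constructed in-memory table with one sample user; column names follow the thread.
    # blockedUntil holds Unix epoch seconds here; a DATETIME column works the same way.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE user (username TEXT PRIMARY KEY, salt BLOB NOT NULL,
        pwhash BLOB NOT NULL, numFailedLoginAttempts INTEGER NOT NULL DEFAULT 0,
        blockedUntil REAL)""")
    salt = os.urandom(16)
    db.execute("INSERT INTO user (username, salt, pwhash) VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    db.commit()
    return db

def login(db, username, password, now=None):
    """Return 'ok', 'wrong_password', 'blocked' or 'unknown_user'."""
    now = time.time() if now is None else now
    row = db.execute("SELECT salt, pwhash, numFailedLoginAttempts, blockedUntil "
                     "FROM user WHERE username = ?", (username,)).fetchone()  # bound parameter
    if row is None:
        return "unknown_user"
    salt, pwhash, failed, blocked_until = row
    if blocked_until is not None and blocked_until > now:
        return "blocked"  # inside the lockout window: do not even check the password
    if hmac.compare_digest(hash_password(password, salt), pwhash):
        # A successful login resets the counter, so three mistakes spread over weeks do not block the user.
        db.execute("UPDATE user SET numFailedLoginAttempts = 0, blockedUntil = NULL WHERE username = ?", (username,))
        db.commit()
        return "ok"
    failed += 1
    if failed >= MAX_FAILED_ATTEMPTS:
        # Third failure: block for 30 minutes and reset the counter so the next window starts fresh.
        db.execute("UPDATE user SET numFailedLoginAttempts = 0, blockedUntil = ? WHERE username = ?",
                   (now + LOCKOUT_SECONDS, username))
    else:
        db.execute("UPDATE user SET numFailedLoginAttempts = ? WHERE username = ?", (failed, username))
    db.commit()
    return "wrong_password"
```

The `now` parameter exists only so the lockout window can be exercised deterministically; in production leave it unset.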

What if the user itself is not found (maybe because the email ID or the username itself is wrong)? Is it good to consider such a login failure as an attempt too?

True.
Then you would need an extra table with IP and numFailedLoginAttempts, and remove all entries where IP={visitor's IP} on successful login.