
Watch: Prevent Brute Force Attacks on a Login Page

By Lami Adabonyan

Learn how to protect your PHP applications from Brute Force Attacks. I’ll show you how in this screencast.


  • Паша

    You're saving the data in the user's session? Really?

    So to bypass this protection I should just reset my session ID in browser or just generate new one every time my script brute forces the login form…

    • http://mrxxiv.com/ Terrence Campbell

      Same thought. I believe temporarily storing the IP address along with the session ID inside the database is way stronger than this. I can’t even stand cookies when it comes to security.

      Honestly, I’d rather just whitelist my own IP address and block all the others if that’s what it takes to keep my logins safe from multiple risks.

      • Паша

        IP or session ID has nothing to do with it, because you can fake it. So only user ident and login stats in the DB on the server side.


      • Паша

        “I’d rather just whitelist my own IP address and block all the others”
        Won't work if you want to protect your customers' accounts.

    • M S i N Lund

      Yep.
      This is a really bad design.
      It pretty much just annoys regular users, while being transparent to real attackers.

      If you are serious about something like this, you have to suck it up and use a database or similar, to store things in.

      You need to be able to act based on the username alone, regardless of IP addresses or sessions, or other things that you have no control over.


    • mrLami

      Паша You're correct… merely having a script that clears its session every try will bypass this. This was not intended to be an advanced, bulletproof approach to preventing brute force.

      If you're running a sizeable web app you want to track the attempts by IP and store them in a database (to avoid the issue you raised about sessions).

      TY for feedback!

      • Паша

        mrLami, my friend, you are talking about a script clearing sessions, but a script is just a couple of lines of code which do not support sessions by default, meaning every new request is a new session. So this solution does not work at all.

  • mrLami

    Nice writeup… TY for sharing.

    I agree no method of rate limiting or throttling will be enough if a strong password policy is not enforced.

  • http://splitfire.fr/ Benoit Jacquot

    This tutorial is really dangerous.
    I hope nobody will apply this design in production.
    I think the author must upgrade this screencast with a username/IP lock strategy in Redis Cluster or something else.
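The design the commenters above ask for, a per-username failure counter kept server-side so that discarding the session cookie does not reset it, written out as an added example (not the screencast's code). It assumes an SQLite database reachable through PDO and illustrative thresholds of 5 failures and a 15-minute lock; the `login_attempts` table and the function names are mine.

```php
<?php
// Added example: throttle login attempts by username in a server-side table,
// independent of session ID or IP. Thresholds and schema are assumptions.
const MAX_ATTEMPTS = 5;        // failures before the account is locked
const LOCKOUT_SECONDS = 900;   // lock expires on its own after 15 minutes

function openDb(string $path = ':memory:'): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        username TEXT PRIMARY KEY,
        failures INTEGER NOT NULL DEFAULT 0,
        last_failure INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// True while the username has MAX_ATTEMPTS failures inside the lock window.
function isLocked(PDO $db, string $username, int $now): bool {
    $stmt = $db->prepare('SELECT failures, last_failure FROM login_attempts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['failures'] < MAX_ATTEMPTS) {
        return false;
    }
    return ($now - (int)$row['last_failure']) < LOCKOUT_SECONDS;
}

// Increment the counter for this username, creating the row on first failure.
function recordFailure(PDO $db, string $username, int $now): void {
    $upd = $db->prepare('UPDATE login_attempts SET failures = failures + 1, last_failure = ? WHERE username = ?');
    $upd->execute([$now, $username]);
    if ($upd->rowCount() === 0) {
        $db->prepare('INSERT INTO login_attempts (username, failures, last_failure) VALUES (?, 1, ?)')
           ->execute([$username, $now]);
    }
}

function recordSuccess(PDO $db, string $username): void {
    $db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
}

// $users maps username => password_hash(); the lock is checked before the password.
function attemptLogin(PDO $db, string $username, string $password, array $users, int $now): string {
    if (isLocked($db, $username, $now)) {
        return 'locked';   // same answer whether or not the username exists
    }
    if (isset($users[$username]) && password_verify($password, $users[$username])) {
        recordSuccess($db, $username);
        return 'ok';
    }
    recordFailure($db, $username, $now);
    return 'failed';
}
```

Because the lock is keyed on the username, anyone who knows a username can keep that account locked; the expiring window bounds that nuisance, and a production version would pair this counter with the IP-based tracking mentioned above and log lockouts for monitoring.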
