Secure Login with PHP


tariqjamal
01-04-2007, 03:12 AM
Hey,

I've been working on a secure login, using sessions. It goes like this:

Check if the user name and password match in the database and the wrong attempts are less than 3 (this is a column that holds how many wrong attempts made trying to log in)

If yes
Log them in using the sessions
Also add a row into the login table with login information
Forward them to the main page

If not,
Update the user wrong attempts + 1 from what it is in the table with the same user name. (this is only if a user with the same name someone tried to login with exists)


My question is how would I make it so that even if the user name doesn't exist, I still don't let the user / hacker login.

Should I have a different table with IP addresses, and then add their IP address to a lock for 24 hours on logging in?

Or should I just send a cookie to their computer not allowing them to log in for 24 hours?

Any advice would be great, Thanks.

NightShift58
01-04-2007, 09:38 AM
You could add a datetime and update it with NOW() every time the user logs in or attempts to log in. If the bad count goes to 3 or more, you can check that date/time and decide if enough time has elapsed.

You don't mention it and perhaps you're already doing this, but on a successful login, you probably want to reset the count to 0.

tariqjamal
01-04-2007, 11:36 AM
Yup, the count is being reset to 0.

The only thing is, let's say the user logs in with a username that isn't in the database.

Then the count shouldn't increase by 1, because it can't increase wrong attempts on a username that doesn't exist.

So should I instead have a table with IP addresses and each time a wrong attempt is made from the IP address then increase the number in the wrong attempts table?

NightShift58
01-04-2007, 02:09 PM
I don't know about that. IP numbers can change and I don't know if you want/should block someone on that basis. You may want to keep track of that for a while to see if it's really a problem.

The idea behind blocking attempts has to do with someone knowing a user name and trying to "crack" the password. Those are the ones you would want to block so that they can't just keep trying until they get it right.

tariqjamal
01-04-2007, 02:41 PM
Hey,

What I'm trying to do is implement the following principles in my code

Secure website logins part 1 (http://www.developertutorials.com/tutorials/php/secure-website-login-060817/page1.html)


Secure website logins part 2 (http://www.developertutorials.com/tutorials/php/secure-website-login-060817/page2.html)

Part 2 is more extreme, and that's where I'm at right now.

What I think I may do is create a database that has the number of attempts from an ip address and then if 5 incorrect requests are made from an IP address within the last 1 hour then block that ip address.

I am working on step 3, with the IP address restriction after 3 tries.

HOW DO I DO THIS (STEP 4)
Use .htaccess and .htpasswd to double protect a site
In addition to a basic PHP login page that asks for authentication, put in place .htaccess and .htpasswd restrictions. It's pretty flimsy, but adds that little bit of extra security to make you feel safe at night.

Thanks.
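
One way to put NightShift58's datetime-column suggestion and the "5 failures from an IP in the last hour" plan from the post above into a single login check. This is an added example, not code from the thread or from the linked tutorials; it assumes MySQL via PDO and the hypothetical tables `users(username, password_hash, wrong_attempts, last_attempt DATETIME)` and `login_failures(ip, attempted_at DATETIME)`.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   users(username, password_hash, wrong_attempts, last_attempt DATETIME)
//   login_failures(ip, attempted_at DATETIME)
// Lock a user after 3 failures for 24 hours (tracked with NOW() as suggested),
// and refuse any IP with 5 or more failures in the last hour.
const MAX_USER_FAILURES = 3;
const USER_LOCK_SECONDS = 86400;
const MAX_IP_FAILURES   = 5;

function attemptLogin(PDO $db, string $username, string $password, string $ip): bool
{
    // 1. Per-IP sliding window. Works even when the username does not exist,
    //    which is the gap the original question asks about.
    $q = $db->prepare('SELECT COUNT(*) FROM login_failures
                        WHERE ip = ? AND attempted_at > NOW() - INTERVAL 1 HOUR');
    $q->execute([$ip]);
    if ((int) $q->fetchColumn() >= MAX_IP_FAILURES) {
        return false;
    }

    // 2. Look up the user and decide whether the per-user lock is in force.
    $q = $db->prepare('SELECT password_hash, wrong_attempts,
                              UNIX_TIMESTAMP(last_attempt) AS last_ts
                         FROM users WHERE username = ?');
    $q->execute([$username]);
    $user   = $q->fetch(PDO::FETCH_ASSOC);
    $locked = $user && (int) $user['wrong_attempts'] >= MAX_USER_FAILURES
                    && time() - (int) $user['last_ts'] < USER_LOCK_SECONDS;

    // 3. Always run password_verify, against a dummy hash for unknown users,
    //    so response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $user ? $user['password_hash'] : $dummyHash)
          && $user && !$locked;

    if ($ok) {
        $db->prepare('UPDATE users SET wrong_attempts = 0, last_attempt = NOW()
                       WHERE username = ?')->execute([$username]);
        session_regenerate_id(true);          // new session id on privilege change
        $_SESSION['username'] = $username;
        return true;
    }

    // 4. Failure: record it against the IP, and against the user if one exists.
    $db->prepare('INSERT INTO login_failures (ip, attempted_at) VALUES (?, NOW())')
       ->execute([$ip]);
    if ($user) {
        $db->prepare('UPDATE users SET wrong_attempts = wrong_attempts + 1,
                          last_attempt = NOW() WHERE username = ?')->execute([$username]);
    }
    return false;
}
```

Call it after `session_start()` with a connected `$db` handle, e.g. `attemptLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '', $_SERVER['REMOTE_ADDR'])`, and redirect to the main page only when it returns true.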

tariqjamal
01-05-2007, 10:42 PM
Any more ideas?