brendan-amex
Show alert after 3 wrong login attempts
So, I'm trying to create an if/else statement that sends a warning to someone who has tried more than 3 invalid login attempts. When someone tries to log in it looks to a MySQL db and if a username with that password matches, it forwards them on. But if it’s wrong I want it to begin a count and then at 4 wrong attempts display an error message. So right now, here’s what I have:
On the login page:
<login form>
if ($i>3) {echo "error message";}
On the check login info page:
if (login is right)
{ assign variables and pass on}
else
{ $i++;}
Any help would be appreciated!
Sessions only work if you record the 3 attempts in the database. Otherwise someone could just close the browser and get 3 more sessions. A hacker would figure that trick out quickly and just destroy the session variable using software.
What I would do is record the attempts in the database record belonging to the user.
The simple approach is to simply keep a counter in the database record. Be sure you reset the counter to 0 if the login attempt is successful. If the counter gets to 3, then lock the account, produce instructions on how to unlock it, etc.
A more complicated approach has the counter but also records the time of each login attempt (successful or not). You'd keep a history of at least 3 but it could be more, like 10. This might help if you wanted to investigate further.
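The per-user database counter described in the answer above, with the attempt history, as an added example that is not part of the original thread. The table and column names, the attemptLogin() helper and the sample user are hypothetical, and an in-memory SQLite database via PDO stands in for the MySQL database so the script runs stand-alone.

```php
<?php
// Added example: schema and names are hypothetical; SQLite in memory stands in for MySQL.
const MAX_FAILURES = 3;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL,
           failed_attempts INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE login_history (username TEXT, attempted_at TEXT, success INTEGER)');
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed sample user

function attemptLogin(PDO $db, string $username, string $password): string
{
    $stmt = $db->prepare('SELECT pw_hash, locked FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return 'invalid';   // unknown user gets the same answer as a wrong password
    }
    if ((int)$user['locked'] === 1) {
        return 'locked';    // checked before the password, so a lock survives new sessions
    }
    $ok = password_verify($password, $user['pw_hash']);
    $db->prepare('INSERT INTO login_history VALUES (?, ?, ?)')
       ->execute([$username, gmdate('c'), (int)$ok]);   // history of every attempt
    if ($ok) {
        $db->prepare('UPDATE users SET failed_attempts = 0 WHERE username = ?')->execute([$username]);
        return 'ok';
    }
    // One atomic UPDATE so simultaneous failures cannot lose an increment. "locked" is
    // assigned first because MySQL evaluates single-table SET clauses left to right.
    $upd = $db->prepare('UPDATE users SET
        locked = CASE WHEN failed_attempts + 1 >= :max THEN 1 ELSE locked END,
        failed_attempts = failed_attempts + 1 WHERE username = :u');
    $upd->bindValue(':max', MAX_FAILURES, PDO::PARAM_INT);
    $upd->bindValue(':u', $username);
    $upd->execute();
    $stmt = $db->prepare('SELECT locked FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (int)$stmt->fetchColumn() === 1 ? 'locked' : 'invalid';
}

foreach (['bad1', 'bad2', 'bad3', 'correct horse'] as $pw) {
    echo $pw, ' => ', attemptLogin($db, 'alice', $pw), PHP_EOL;
}
```

Because the lock is stored on the user row, the correct password is also refused once the third failure has locked the account, until whatever unlock procedure the site provides clears the flag and counter.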
ASKER
I see, recording it in a database makes sense but what if a couple people enter a wrong password at the same time and then it locks out for all of them? Could I grab the IP address from the computer and put that in the database as well to associate with it....
ASKER
I understand what you're saying now. I have a CAPTCHA come up after 3 wrong attempts from the same IP address. Hopefully this helps against bot attacks. Thanks for your help.