How to block login a few minutes after 3 unsucce

Published 2020-02-16 04:56

Question:

This question already has answers here:
Closed 7 years ago.

Possible Duplicate:
Limiting user login attempts in PHP

I'm trying to put some security in the login to block user access after 3 failed attempts to log in. For example, if a specific user attempts to log in with the wrong username or password 3 times, I should show a dialog or message that the user needs to try again after 10 minutes (as an example).

Then, after 10 minutes, the user can log in again with the correct username and password.

How do I do that?

Answer 1:

The simplest way is using the SESSION to store the number of failed logins; each time the user logs in with a wrong username or password, increase your count. It's like this:

session_start(); // the counters below live in the PHP session

if(isset($_SESSION['num_login_fail']))
{
  if($_SESSION['num_login_fail'] >= 3)
   {
     // 10 minutes = 10*60 seconds (10*60*60 would be 10 hours)
     if(time() - $_SESSION['last_login_time'] < 10*60 )
      {
         // alert the user to wait 10 minutes before trying again
          return;
      }
      else
      {
        // after 10 minutes, clear the counter
         $_SESSION['num_login_fail'] = 0;
      }
   }
}

$success = doLogin(); // your check login function
if($success)
{
   $_SESSION['num_login_fail'] = 0;
   //your code here
}
else
{
 if(!isset($_SESSION['num_login_fail'])) { $_SESSION['num_login_fail'] = 0; }
 $_SESSION['num_login_fail']++;
 $_SESSION['last_login_time'] = time();
}

But the user can bypass it by closing the browser and opening it again; all the user's session data will be null. To make it more robust, you can store num_login_fail and last_login_time in your database.
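The database-backed variant this answer recommends, written out as an added example (not the answer's own code): the failure counter and timestamp live on the account row instead of in the session, so closing the browser or clearing cookies does not reset them. It uses an in-memory SQLite database through PDO so it runs offline; the `users` table, its columns, and the `makeDb`/`attemptLogin` names are this example's own assumptions, and the sample account is constructed.

```php
<?php
// Added example: account-based lockout persisted in a database.
// Table/column names and the helper functions are this example's assumptions.

const MAX_FAILURES = 3;
const LOCKOUT_SECS = 10 * 60;   // 10 minutes, as in the question (10*60*60 would be 10 hours)

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');   // swap the DSN for your real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username       TEXT PRIMARY KEY,
        password_hash  TEXT NOT NULL,
        failed_count   INTEGER NOT NULL DEFAULT 0,
        last_failed_at INTEGER NOT NULL DEFAULT 0
    )');
    // Constructed sample account.
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Attempt a login. Returns 'ok', 'locked' or 'failed'.
 * $now is passed in (instead of calling time()) so the lockout window can be
 * exercised without sleeping; pass time() in real code.
 */
function attemptLogin(PDO $db, string $username, string $password, int $now): string {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash, failed_count, last_failed_at
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run a hash check so response time does not
        // reveal whether the account exists, then report a plain failure.
        password_verify($password, $dummyHash);
        return 'failed';
    }

    $failed   = (int)$row['failed_count'];
    $lastFail = (int)$row['last_failed_at'];

    if ($failed >= MAX_FAILURES) {
        if ($now - $lastFail < LOCKOUT_SECS) {
            return 'locked';   // still inside the 10-minute window, even with the right password
        }
        $failed = 0;           // window expired: clear the counter and let this attempt proceed
    }

    if (password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_count = 0 WHERE username = ?')->execute([$username]);
        return 'ok';
    }

    $failed++;
    $db->prepare('UPDATE users SET failed_count = ?, last_failed_at = ? WHERE username = ?')
       ->execute([$failed, $now, $username]);
    return 'failed';
}

// Walk-through: three wrong passwords lock the account; the correct password
// is refused inside the window and accepted once the window has passed.
$db = makeDb();
$t  = 1000000;
foreach (['x', 'y', 'z'] as $i => $bad) {
    echo attemptLogin($db, 'alice', $bad, $t + $i), "\n";                               // failed x3
}
echo attemptLogin($db, 'alice', 'correct horse battery staple', $t + 60), "\n";          // locked
echo attemptLogin($db, 'alice', 'correct horse battery staple', $t + 2 + LOCKOUT_SECS), "\n"; // ok
```

Two points worth noting. Attempts made while the account is locked return early without touching `last_failed_at`, so the window is not extended by repeated tries, which matches the session-based logic above. And because the counter is keyed on the username, anyone who knows a username can lock that account by submitting wrong passwords; in practice this is usually combined with a per-client (IP or device) rate limit and a short window, and the lockout response is logged so the repeated failures show up in monitoring.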



Answer 2:

You can use the $_SESSION var to save the number of attempts along with the time attempted. This would work only if the user still has the same session (e.g., didn't close the browser). Use a cookie if you want it to persist. Use a DB value keyed on the IP if you don't want the user to be able to avoid this, but this would be a problem if it's behind a NAT or such. You may want to block an IP after 3 failed attempts logged with a $_SESSION var.



Answer 3:

In my opinion, a cookie or session can solve your issue as well, but in my opinion these ways are not perfect, especially if you are focused on security. What will happen if the user clears cookies?