
restricting user login attempts



Hi everybody -

I'm developing a database driven website on Unix using PHP and MYSQL.



Users are required to register and are then allocated a username and password. In order to purchase items from the site, users are required to login using username and password.



I want each user to be able to attempt login no more than 3 times - on the third attempt, if the username is wrong, the account is locked out.



Any ideas on the best way to do this - i.e. keep track of the number of attempts? I thought of adding a LOGIN_ATTEMPT_NO to the USER table and incrementing it each time a login is attempted. But not sure if this is the best way.



Was also thinking about using PHP session vars but presume these get reset at the end of the session, so if the user restarts the computer or exits and re-enters the site, the vars will be reset. I want them to remain locked out until they contact the system admin to reset the account.



All advice appreciated

Thanks very much



LS

    
Guest


Hi nomolos,

I like the extra field in your user table idea better. Using sessions to calculate failed logins is too easily hacked (eg cookie tampering, restarting their computers, etc.)

Guest


OK - thanks, will run with that unless anyone else has got any bright(er) ideas???

Guest


It'll be difficult to block a user if they get their username wrong, but you can block them when they enter the wrong password 3 times in a row. I store the failed_login_count in a database, along with a blocked_until column.



That way you can block them for say, an hour instead of blocking them outright.



Regards,

Alex

Guest


Ok, I use something almost identical on a site. In my user table, I have a disabled column which is typically empty.

I only keep up with consecutive attempts during a session though. Yes, it resets the count when the person closes the browser, but if they disable their account during that period then they are required to contact administration to have the account re-enabled.



This is the basics of the script:

1) Select the password and disabled fields from the user table.

2) If disabled is set, then inform user account is disabled and quit

3) If not disabled, check if passwords match

4) If not matched, check the login attempt count and increment the login attempts

5) If the login attempts are >= max attempts (3) then disable the account and notify the user

6) If the login attempts are < max attempts, notify the user of the bad password

7) if matched then let them in

Guest
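The two replies above describe the same mechanism from two angles: Alex keeps a failed_login_count and a blocked_until column for a temporary block, the later post keeps a disabled flag that only an admin can clear. The script below is an added example, not code from either poster, that puts both in one user table so the state survives closing the browser (the session-only count in the post above does not). The table name, the thresholds, the use of SQLite through PDO and the use of password_hash()/password_verify() are assumptions made for this example; the column names follow the posts.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Lockout state lives in the user
// table (as the replies recommend) so it survives closing the browser:
//   failed_login_count  consecutive failures since the last good login
//   blocked_until       unix time until which logins are refused (Alex's column)
//   disabled            1 once the account needs an admin reset (the OP's goal)
// Thresholds, table name, SQLite and password_hash() are assumptions.

const MAX_ATTEMPTS  = 3;     // failures before a temporary block
const BLOCK_SECONDS = 3600;  // temporary block length (Alex's "say, an hour")
const HARD_LIMIT    = 9;     // failures before the account is disabled outright

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username            TEXT PRIMARY KEY,
        password_hash       TEXT NOT NULL,
        failed_login_count  INTEGER NOT NULL DEFAULT 0,
        blocked_until       INTEGER NOT NULL DEFAULT 0,
        disabled            INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns one of: 'ok', 'disabled', 'blocked', 'bad_credentials'.
// $now is passed in so the block expiry can be exercised without waiting.
function attempt_login(PDO $db, string $username, string $password, int $now): string
{
    $stmt = $db->prepare('SELECT password_hash, failed_login_count, blocked_until, disabled
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown username (Alex's point): burn a hash check anyway so the
        // response time does not reveal which usernames exist, then answer
        // exactly as for a bad password.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return 'bad_credentials';
    }
    if ((int)$row['disabled'] === 1) {
        return 'disabled';                       // step 2: needs an admin reset
    }
    if ((int)$row['blocked_until'] > $now) {
        return 'blocked';                        // temporary block still running
    }
    if (password_verify($password, $row['password_hash'])) {
        // Good login: clear the counter so old failures do not accumulate.
        $db->prepare('UPDATE users SET failed_login_count = 0, blocked_until = 0
                      WHERE username = ?')->execute([$username]);
        return 'ok';
    }

    // Bad password: count it, then decide between block and disable.
    $failures     = (int)$row['failed_login_count'] + 1;
    $blockedUntil = (int)$row['blocked_until'];
    $disabled     = 0;
    if ($failures >= HARD_LIMIT) {
        $disabled = 1;                           // step 5, permanent variant
    } elseif ($failures % MAX_ATTEMPTS === 0) {
        $blockedUntil = $now + BLOCK_SECONDS;    // every 3rd failure: block an hour
    }
    $db->prepare('UPDATE users SET failed_login_count = ?, blocked_until = ?, disabled = ?
                  WHERE username = ?')
       ->execute([$failures, $blockedUntil, $disabled, $username]);
    return $disabled ? 'disabled' : ($blockedUntil > $now ? 'blocked' : 'bad_credentials');
}

// Admin reset: the only way out of 'disabled'.
function admin_reset(PDO $db, string $username): void
{
    $db->prepare('UPDATE users SET failed_login_count = 0, blocked_until = 0, disabled = 0
                  WHERE username = ?')->execute([$username]);
}

// Usage with a constructed account and a fixed clock.
$db = open_db();
register($db, 'alice', 'correct horse');
$t = 1000000;
echo attempt_login($db, 'alice', 'wrong', $t), "\n";
echo attempt_login($db, 'alice', 'wrong', $t), "\n";
echo attempt_login($db, 'alice', 'wrong', $t), "\n";
echo attempt_login($db, 'alice', 'correct horse', $t), "\n";
echo attempt_login($db, 'alice', 'correct horse', $t + BLOCK_SECONDS + 1), "\n";
```

In the usage run the first two wrong passwords come back as bad_credentials, the third sets blocked_until and is reported as blocked, the correct password is still refused while the block runs, and once the hour has passed the correct password succeeds and clears the counter. Two points worth keeping in mind with any scheme like this: the counter must be updated in the database on every failure, not only at the end of the request, or a user who closes the browser mid-way escapes it; and because the lock is keyed on the username, anyone who knows a customer's username can lock that customer out by typing wrong passwords, which is why the temporary block is the usual default and the admin-only disable is reserved for repeated abuse.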


ok i get it



thanks

Guest


Through the user table, create a field as per my example above; every time you check an account also check this disabled field.

Guest


Yeah, sorry, I was being thick - that's why I edited above.



all good.



ta

Guest

Copyright 2007-2010 by Infoqu. All rights reserved