
I need to block a user after 5 unsuccessful login attempts. I have a table named "login_attempts" which has 3 columns: "userid", "user", "attempts". I also have a .php script which checks the credentials of a user ('username' and 'password'), and if the user types the password incorrectly, he/she is given 5 chances. Everything is probably working fine so far, and the data is also getting saved in the "login_attempts" table, but after 5 unsuccessful login attempts I need to block the user for 15 mins. How is that done? Please help. I have 2 separate files, "process.php" and "login.php". Please guide me...

thanks

  • http://stackoverflow.com/questions/9866493/block-a-user-after-a-specified-number-of-failed-logins – Stepo Mar 14 '13 at 20:41
  • If there are 5 login attempt entries in the table, with the most recent entry no older than 15 minutes, dismiss any login attempts. If there are 5 login attempt entries in the table, and the most recent attempt is older than 15 minutes when the current login attempt is being made, clear the entries in the table and allow the login attempt. – Asad Saeeduddin Mar 14 '13 at 20:42
  • possible duplicate of [blocking login after X failed attempts](http://stackoverflow.com/questions/3176515/blocking-login-after-x-failed-attempts), [Best way to implement ban after too many login attempts](http://stackoverflow.com/questions/9153554/best-way-to-implement-ban-after-too-many-login-attempts), [How can I throttle user login attempts in PHP](http://stackoverflow.com/questions/2090910/how-can-i-throttle-user-login-attempts-in-php) – Kermit Mar 14 '13 at 20:43

3 Answers


Add a timestamp field in your login_attempts table that tracks when the user last tried logging in as well as the number of attempts. When you authenticate the user, check if the attempts field is 5 or more and when s/he last tried to log in. If the last attempt was less than 15 minutes ago, deny the request. Don't forget to reset the count when the user successfully logs in.

Robbert

One possible solution is to add another field to the DB called next_available_retry_time (or whatever you like). When attempts == 5, set the next_available_retry_time to 15 minutes in the future and reset attempts to 0 (so it can restart).

Then in your code, before you test the username and password, check that now() > next_available_retry_time. If it's not, reject the login attempt. Otherwise, continue with your existing logic.

Blake Schwendiman
  • In my login.php I have used this code:

        session_start();
        // Refuse further attempts once this session has failed 5 times
        if (isset($_SESSION["count"])) {
            if ($_SESSION["count"] >= 5) {
                echo 'Too many invalid login attempts';
                exit;
            }
        }
        require_once("./include/config_membersite.php");
        if (isset($_POST['submitted'])) {
            // Count every submitted form before the credentials are checked
            if (isset($_SESSION["count"])) {
                $_SESSION["count"] = $_SESSION["count"] + 1;
            } else {
                $_SESSION["count"] = 1;
            }
            if ($getmembersite->Login()) {
                // Successful login: clear the counter
                unset($_SESSION["count"]);
                $getmembersite->RedirectToURL("login-home.php");
            }
        }

    – abhishek pramanik Mar 14 '13 at 21:02

I would add a column to the login_attempts table for last_attempt and then when you're authenticating add a check to see if

attempts > 5
last_attempt in the past 15 minutes

If both of those are true, don't allow the user to log in.

If last_attempt is older than 15 minutes, reset attempts to 1 and attempt to authenticate again

Sorry for the pseudocode, hope it helps.

zajd
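The three answers above describe the same mechanism from slightly different angles: keep the failure counter in the database next to the account, record when the last failure happened, refuse logins while the count is at the limit and the window has not expired, and clear the counter on success. The following is an added example of that logic, not code from the question or from any of the answers. It runs stand-alone against an in-memory SQLite database through PDO; for the asker's setup the DSN would point at MySQL. Everything beyond the question's login_attempts(userid, user, attempts) table is an assumption: a users table with a password_hash column, a last_attempt column holding Unix time, and the function names.

```php
<?php
// Added example, not code from the question or the answers: lock an account
// for 15 minutes after 5 failed logins, tracked in the database (not the
// session) with an attempts counter plus a last_attempt timestamp.
// Runs stand-alone against an in-memory SQLite database; point the DSN at
// MySQL for real use. Names not in the question are assumptions:
// users(userid, user, password_hash) and login_attempts.last_attempt.

const MAX_ATTEMPTS = 5;
const LOCKOUT_SECS = 15 * 60;

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        userid INTEGER PRIMARY KEY, user TEXT UNIQUE, password_hash TEXT)');
    // last_attempt holds the Unix time of the most recent failure
    $db->exec('CREATE TABLE login_attempts (
        userid INTEGER PRIMARY KEY, user TEXT,
        attempts INTEGER NOT NULL DEFAULT 0,
        last_attempt INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample account; the password is only a demo value.
    $db->prepare('INSERT INTO users (userid, user, password_hash) VALUES (1, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Hash used for unknown usernames so the failure path costs the same time
// whether or not the account exists.
function dummyHash(): string
{
    static $h = null;
    if ($h === null) {
        $h = password_hash('placeholder-only', PASSWORD_DEFAULT);
    }
    return $h;
}

// Returns 'ok', 'locked' or 'invalid'. $now is passed in (normally time())
// so the 15-minute window can be exercised without waiting.
function attemptLogin(PDO $db, string $user, string $password, int $now): string
{
    $stmt = $db->prepare('SELECT userid, password_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $account = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($account === false) {
        password_verify($password, dummyHash());
        return 'invalid';                 // same answer as for a wrong password
    }
    $userid = (int) $account['userid'];

    $stmt = $db->prepare('SELECT attempts, last_attempt FROM login_attempts WHERE userid = ?');
    $stmt->execute([$userid]);
    $state = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['attempts' => 0, 'last_attempt' => 0];
    $attempts = (int) $state['attempts'];

    // The lockout test comes before the password check, so a locked account
    // cannot be probed at all during the window.
    if ($attempts >= MAX_ATTEMPTS) {
        if ($now - (int) $state['last_attempt'] < LOCKOUT_SECS) {
            return 'locked';
        }
        $attempts = 0;                    // window expired: count afresh
    }

    if (password_verify($password, $account['password_hash'])) {
        $db->prepare('DELETE FROM login_attempts WHERE userid = ?')->execute([$userid]);
        return 'ok';                      // success resets the counter
    }

    // Record the failure. SQLite upsert (3.24+); on MySQL write
    // "... ON DUPLICATE KEY UPDATE attempts = VALUES(attempts), ..." instead.
    $db->prepare('INSERT INTO login_attempts (userid, user, attempts, last_attempt)
                  VALUES (?, ?, ?, ?)
                  ON CONFLICT(userid) DO UPDATE SET
                      attempts = excluded.attempts, last_attempt = excluded.last_attempt')
       ->execute([$userid, $user, $attempts + 1, $now]);
    return 'invalid';
}

// Demo: five wrong passwords, then the right one inside and after the window.
$db = setupDb();
$t0 = 1700000000;                         // arbitrary fixed "now" for the demo
for ($i = 1; $i <= 5; $i++) {
    printf("wrong password #%d: %s\n", $i, attemptLogin($db, 'alice', 'nope', $t0 + $i));
}
printf("right password 10 s later: %s\n", attemptLogin($db, 'alice', 'correct horse', $t0 + 15));
printf("right password 15 min later: %s\n",
       attemptLogin($db, 'alice', 'correct horse', $t0 + 15 + LOCKOUT_SECS));
```

The demo drives the same code path login.php would call with $_POST['username'], $_POST['password'] and time(). Blake's variant is a small change: when the counter reaches 5, store an explicit next_available_retry_time of now() + 900 instead of deriving the window from last_attempt, which also makes it easy to tell the user when to retry. Two practical points the answers touch on only implicitly: the counter has to live in the database keyed by the account, because a counter kept only in the PHP session disappears as soon as the client drops its cookie; and a per-account lockout means anyone who knows a username can keep that account locked, so on a public site it is usually paired with per-IP throttling or a CAPTCHA rather than used alone. Returning the same 'invalid' result for unknown users and wrong passwords keeps the login form from confirming which usernames exist.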