
Guys, I have a simple customer login page in ASP.NET (C#) which has 2 textboxes and a button: one for the username, the other for the password, and a button for submit.

Upon pressing submit, the password textbox text is encrypted and then compared with the encrypted value of the password already stored in the DB.

Now what I want to do is, upon each unsuccessful login attempt, it should display a message like "x tries remaining out of 5". When all 5 tries are used, it should ban the user's IP for 1 hour.

How should I approach this? I am pretty new to ASP, so I have no idea how to get the user's IP and then block it for 1 hour. After 1 hour has passed, the IP should be unblocked automatically.

Any help will be appreciated.

P.S. I am not looking for anything very complicated. I am new to this, so something complicated will not be within my grasp.

NewbieProgrammer
  • You need to LOG user requests into a database; you have to do a lot of reading first. – highwingers Mar 18 '14 at 06:32
  • Keep in mind that a lot of people may share one public IP, in corporate structures for example. You must be careful not to accidentally lock out hundreds of users because one forgot his password. – Alexander Mar 18 '14 at 06:44
  • Also, you must NEVER ever store unencrypted passwords in your database. That's just a major disaster waiting to happen! – Alexander Mar 18 '14 at 06:45
  • @Alexander: So how should I approach this? I don't want a simple login with no security whatsoever. BTW, I am encrypting the password textbox and then comparing it with the encrypted value stored in the DB. Sorry for that. – NewbieProgrammer Mar 18 '14 at 06:51
  • A common pattern is to disable user accounts (not IPs) for a certain amount of time after a number of failed logins. You can also send an e-mail to the account owner. – Alexander Mar 18 '14 at 06:56
  • @Alexander I see, what if I apply a captcha to my login page? It will at least stop brute force attacks, right? – NewbieProgrammer Mar 18 '14 at 08:18
  • Yes, but that is a constant fight against hackers getting smarter, too. – Alexander Mar 18 '14 at 09:21
  • block-user-ip-after-5-unsuccessful-login. Refer to this link [Here](http://stackoverflow.com/questions/30369529/block-request-for-multiple-unsuccessful-logins-for-a-period-of-time/) – Benjamin Jun 16 '15 at 09:14

1 Answer


You should log failed attempts to a table; when the number of rows in that table exceeds the allowed number of failed login attempts, you should display an error message to say the user is locked out.

When the user has regenerated their password, remove the records from the table.

Sorry, just saw your other request for the IP address. In a web application you can use the following property from the HttpContext:

HttpContext.Current.Request.UserHostAddress
Paul
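A worked example, added here and not code from the question or from Paul's answer, that puts the question's requirement ("x tries remaining out of 5", then a 1 hour block that lifts itself) together with the comments' advice to lock the account rather than only the shared IP. It keeps the counters in memory instead of the answer's database table so it runs as a plain console program; the class and method names (`LoginThrottle`, `Demo.Attempt`), the sample address 203.0.113.7 and the user "alice" are all constructed for the example. The "1 hour later" step is simulated with an injected clock rather than by waiting.

```csharp
using System;
using System.Collections.Concurrent;

// Added example, not code from the question or the answer above.
// Counts failed logins per key and enforces a lockout window. Keys are plain
// strings, so one class throttles by account name (the comments' suggestion)
// and by client IP (the question's). No timer or cleanup job is needed: a
// lockout is over as soon as its stored expiry time is in the past.
public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTime? LockedUntil; }

    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxAttempts;
    private readonly TimeSpan _lockout;
    private readonly Func<DateTime> _now;   // injectable clock so expiry can be simulated

    public LoginThrottle(int maxAttempts, TimeSpan lockout, Func<DateTime> now = null)
    {
        _maxAttempts = maxAttempts;
        _lockout = lockout;
        _now = now ?? (() => DateTime.UtcNow);
    }

    // True while the key is locked; an expired lock is cleared on read.
    public bool IsLocked(string key)
    {
        Entry e;
        if (!_entries.TryGetValue(key, out e)) return false;
        lock (e)
        {
            if (e.LockedUntil == null) return false;
            if (e.LockedUntil > _now()) return true;
            e.LockedUntil = null;   // the hour is up: unlock and start counting again
            e.Failures = 0;
            return false;
        }
    }

    // Record a failed password check; returns attempts left (0 means locked now).
    public int RecordFailure(string key)
    {
        Entry e = _entries.GetOrAdd(key, _ => new Entry());
        lock (e)
        {
            e.Failures++;
            if (e.Failures < _maxAttempts) return _maxAttempts - e.Failures;
            e.LockedUntil = _now() + _lockout;
            return 0;
        }
    }

    // Clear the counter, e.g. after a successful login or a password reset.
    public void Reset(string key) { Entry e; _entries.TryRemove(key, out e); }
}

public static class Demo
{
    // Simulated login handler. In the real page 'ip' would come from
    // HttpContext.Current.Request.UserHostAddress and 'passwordOk' from the
    // password comparison; the throttles would live in static fields so they
    // outlive a single request.
    public static string Attempt(LoginThrottle byIp, LoginThrottle byAccount,
                                 string ip, string user, bool passwordOk)
    {
        if (byIp.IsLocked(ip)) return "Too many failed logins from your address; try again later.";
        if (byAccount.IsLocked(user)) return "Account temporarily locked; try again later.";
        if (passwordOk) { byIp.Reset(ip); byAccount.Reset(user); return "Welcome, " + user; }
        // Count the failure against both keys; report whichever is closer to locking.
        int left = Math.Min(byIp.RecordFailure(ip), byAccount.RecordFailure(user));
        return left == 0 ? "Locked out for one hour." : left + " tries remaining out of 5";
    }

    public static void Main()
    {
        // Constructed sample data: a fake clock, one client address and one account.
        DateTime fakeNow = new DateTime(2014, 3, 18, 6, 0, 0, DateTimeKind.Utc);
        Func<DateTime> clock = () => fakeNow;
        var byIp = new LoginThrottle(5, TimeSpan.FromHours(1), clock);
        var byAccount = new LoginThrottle(5, TimeSpan.FromHours(1), clock);

        for (int i = 0; i < 6; i++)   // six wrong passwords in a row
            Console.WriteLine(Attempt(byIp, byAccount, "203.0.113.7", "alice", false));

        fakeNow = fakeNow.AddHours(1).AddSeconds(1);   // an hour later the lock lifts by itself
        Console.WriteLine(Attempt(byIp, byAccount, "203.0.113.7", "alice", true));
    }
}
```

Two caveats a practitioner would want before wiring this into the button click handler. First, `UserHostAddress` is the address of whatever opened the TCP connection to the server, so behind a load balancer or reverse proxy it is the proxy's address, and every visitor would share one counter; in that setup read the client address from the header the proxy sets (commonly `X-Forwarded-For`), and only from a proxy you control, because clients can send that header themselves. Second, an in-memory dictionary is lost on an application pool recycle, is not shared across a web farm, and grows with every distinct address or account name an attacker tries; the database table from the answer, with a timestamp column so rows older than the lockout window are ignored, avoids all three.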