
Secure Login with PHP

Hey,

I’ve been working on a secure login using sessions. It goes like this:

Check if the user name and password match in the database and the wrong attempts are less than 3 (this is a column that holds how many wrong attempts made trying to log in)

If yes
Log them in using the sessions
Also add a row into the login table with login information
Forward them to the main page

If not,
Update the user wrong attempts + 1 from what it is in the table with the same user name. (this is only if a user with the same name someone tried to login with exists)

My question is how would I make it so that even if the user name doesn’t exist, I still don’t let the user / hacker log in.

Should I have a different table with IP addresses, and then add their IP address to a lock for 24 hours on logging in?

Or should I just send a cookie to their computer not allowing them to log in for 24 hours?

Any advice would be great, Thanks.


5 Comments

@NightShift58 Jan 04.2007 — You could add a [b]datetime[/b] and update it with [b]NOW()[/b] every time the user logs in or attempts to log in. If the bad count goes to 3 or more, you can check that date/time and decide if enough time has elapsed.

You don't mention it and perhaps you're already doing this, but on a successful login, you probably want to reset the count to 0.

@tariqjamal (author) Jan 04.2007 — Yup, the count is being reset to 0.

The only thing is, let's say the user logs in with a username that isn't in the database.

Then the count shouldn't increase by 1, because it can't increase wrong attempts on a username that doesn't exist.

So should I instead have a table with IP addresses, and each time a wrong attempt is made from the IP address, increase the number in the wrong attempts table?

@NightShift58 Jan 04.2007 — I don't know about that. IP numbers can change and I don't know if you want/should block someone on that basis. You may want to keep track of that for a while to see if it's really a problem.

The idea behind blocking attempts has to do with someone knowing a user name and trying to "crack" the password. Those are the ones you would want to block so that they can't just keep trying until they get it right.

@tariqjamal (author) Jan 04.2007 — Hey,

What I'm trying to do is implement the following principles in my code

[URL=http://www.developertutorials.com/tutorials/php/secure-website-login-060817/page1.html]Secure website logins part 1[/URL]


[URL=http://www.developertutorials.com/tutorials/php/secure-website-login-060817/page2.html]Secure website logins part 2[/URL]

Part 2 is more extreme, and that's where I'm at right now.

What I think I may do is create a database that has the number of attempts from an IP address, and then if 5 incorrect requests are made from an IP address within the last 1 hour, block that IP address.

I am working on step 3, with the IP address restriction after 3 tries.

HOW DO I DO THIS (STEP 4)

Use .htaccess and .htpasswd to double protect a site

In addition to a basic PHP login page that asks for authentication, put in place .htaccess and .htpasswd restrictions. It's pretty flimsy, but adds that little bit of extra security to make you feel safe at night.

Thanks.

@tariqjamal (author) Jan 06.2007 — Any more ideas?
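
Added example (not part of the thread and not any poster's code): one way to build the attempts table discussed above so that a failure is recorded for the submitted username whether or not it exists, and per IP address within the last hour. The table and column names, the limits of 3 per username and 5 per IP, the in-memory SQLite database (PHP 7+ with the PDO SQLite driver) and the `alice`/`ghost` accounts are assumptions made for the demo.

```php
<?php
// Added example: throttle failed logins by submitted username and by IP.
// Schema, limits and demo accounts are assumptions, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE login_attempts (username TEXT, ip TEXT, attempted_at INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed account

const USER_LIMIT = 3;    // failures allowed per submitted username
const IP_LIMIT   = 5;    // failures allowed per IP address
const WINDOW     = 3600; // look-back window in seconds

function recentFailures(PDO $db, string $column, string $value, int $now): int {
    // $column is only ever one of the two fixed literals passed below, never user input.
    $q = $db->prepare("SELECT COUNT(*) FROM login_attempts WHERE $column = ? AND attempted_at > ?");
    $q->execute([$value, $now - WINDOW]);
    return (int) $q->fetchColumn();
}

function attemptLogin(PDO $db, string $username, string $password, string $ip, int $now): string {
    if (recentFailures($db, 'username', $username, $now) >= USER_LIMIT
        || recentFailures($db, 'ip', $ip, $now) >= IP_LIMIT) {
        return 'locked'; // refuse before the password is even checked
    }
    $q = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $q->execute([$username]);
    $hash = $q->fetchColumn(); // false when the username does not exist
    // Unknown user: still verify against a dummy hash so both paths do the same work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $valid = password_verify($password, $hash !== false ? $hash : $dummy);
    if ($valid && $hash !== false) {
        // Successful login: clear this username's failures (the "reset to 0" step).
        $db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
        return 'ok';
    }
    // Record the failure whether or not the username exists.
    $db->prepare('INSERT INTO login_attempts VALUES (?, ?, ?)')->execute([$username, $ip, $now]);
    return 'failed';
}

$now = time();
for ($i = 1; $i <= 4; $i++) { // constructed input: nonexistent user, one source IP
    echo "ghost #$i: ", attemptLogin($db, 'ghost', 'guess', '203.0.113.7', $now), "\n";
}
echo 'alice: ', attemptLogin($db, 'alice', 'correct horse', '198.51.100.2', $now), "\n";
```

Counting by submitted username means anyone who knows a real username can lock that account for the window, so the per-username limit trades availability for resistance to guessing.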