
Prevent Multiple Login Attempts

I am building a login where the client is obsessed with high security…. I want to be able to present the client with the features that I’ve implemented to make this area as secure as possible.

One of the things I want to present the client with is an implementation that prevents multiple login attempts. I set this up using sessions and counting login attempts, but I was wondering, if there was a bot attack (like a dictionary attack) against a login where hundreds of attempts were tried repeatedly…. would they use the same session? I am thinking probably not (but I don’t know, I’m not a security expert). Furthermore… would they even use the same IP?

If the answers to both of the questions above are ‘not necessarily’ then I am thinking the best approach to do this is to prevent multiple login attempts using the same username in a short period of time.

I’m really looking for answers to the above two questions, mainly, however. Thanks in advance to anyone who helps.

PHP

@NogDog Nov 15.2009 — Certainly a hacker-bot could simply not send the session cookie and thus avoid your session check.

If the idea is to disallow multiple invalid login attempts within a given time, I'd probably use the database for that. You could insert a record in a table with the login name and timestamp each time an invalid attempt is made. Then part of the login validation would be to check if there are more than X number of rows in that table for that login name within the last Y minutes/hours/days. You could also or instead record invalid login attempts by IP.
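
The database-backed check described in the reply above, as an added example that is not code from the thread. The table `failed_logins`, the functions `recordFailure` and `isThrottled`, and the values chosen for X and Y are all assumptions made for illustration; the demo uses an in-memory SQLite database and constructed attempts.

```php
<?php
declare(strict_types=1);

const MAX_FAILURES = 5;      // X (assumed value): failures that trigger the lock
const WINDOW_SECONDS = 900;  // Y (assumed value): 15-minute look-back window

function recordFailure(PDO $db, string $login, string $ip, int $now): void
{
    $stmt = $db->prepare(
        'INSERT INTO failed_logins (login_name, ip_address, attempted_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([strtolower($login), $ip, $now]);
}

// Run before the password check. The count lives in the database, so a client
// that drops its session cookie or changes IP cannot reset the per-name total.
function isThrottled(PDO $db, string $login, string $ip, int $now): bool
{
    $since = $now - WINDOW_SECONDS;
    $queries = [
        'SELECT COUNT(*) FROM failed_logins WHERE login_name = ? AND attempted_at > ?' => strtolower($login),
        'SELECT COUNT(*) FROM failed_logins WHERE ip_address = ? AND attempted_at > ?' => $ip,
    ];
    foreach ($queries as $sql => $value) {
        $stmt = $db->prepare($sql);
        $stmt->execute([$value, $since]);
        if ((int) $stmt->fetchColumn() >= MAX_FAILURES) {
            return true;
        }
    }
    return false;
}

// Demo on constructed data: in-memory SQLite (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE failed_logins (
    login_name TEXT NOT NULL, ip_address TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
$db->exec('CREATE INDEX idx_name ON failed_logins (login_name, attempted_at)');
$db->exec('CREATE INDEX idx_ip ON failed_logins (ip_address, attempted_at)');

$t0 = 1700000000; // constructed timestamp
for ($i = 0; $i < 5; $i++) {
    // Each failed attempt arrives with no session cookie and a different source IP.
    recordFailure($db, 'alice', "203.0.113.$i", $t0 + $i);
}
var_dump(isThrottled($db, 'alice', '203.0.113.99', $t0 + 10)); // same name, new IP
var_dump(isThrottled($db, 'bob', '203.0.113.99', $t0 + 10));   // different account
var_dump(isThrottled($db, 'alice', '203.0.113.99', $t0 + 5 + WINDOW_SECONDS)); // after the window
```

A per-name limit also lets anyone who knows a login name hold that account in the throttled state, so pair it with an unlock path for the real user. Old rows should be pruned on a schedule so the table stays small.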