Mudsaf 17 Report post Posted December 17, 2012 (edited) Hello, im wondering can i prevent brute-force attacks from my webpage example creating this. This should work if the user doesn't close and re-open the page after attempts are out, but i have no idea how brute-force does it. Login page <?php session_start();if(isset($_SESSION['login_attempt']) && $_SESSION['login_attempt'] < 6) {} else {//Form here}?> Login confirm page <?phpsession_start();if (isset($_SESSION['Rights']) && $_SESSION['login_attempt'] < 6) {header("Location: index.php");} elseif (isset($_POST['password']) && isset($_POST['username']) && $_SESSION['login_attempt'] < 6) {//LOGIN SCRIPT HERE} elseif ($rows > 0) { //user has logged in correctly//FEW SESSIONS TO STORE DATA} else { if (!isset($_SESSION['login_attempt'])) {$_SESSION['login_attempt'] = 1;} else {$_SESSION['login_attempt'] = $_SESSION['login_attempt'] + 1;}if ($_SESSION['login_attempt'] < 6) {echo (5 - $_SESSION['login_attempt']) . " attempts left";}}}?> Read more about brute-force here http://en.wikipedia.org/wiki/Brute-force_attack Read more about SQL-injections here (This prevention is MUST-have to SQL-based webpage) http://en.wikipedia.org/wiki/SQL_injection Edited December 17, 2012 by Mudsaf Quote Share this post Link to post Share on other sites
Ingolme 1,012 Report post Posted December 17, 2012 Sessions rely on the user sending a cookie or query string. A brute force attacker could just not send them. I think systems have a field in the database "number of failed login attempts" which resets to 0 upon successful login or after a certain time has passed (perhaps there's also a "last login attempt" field with the timestamp). When that number is above a certain value logins will no longer be accepted until a certain amount of time has passed after the most recent login. 1 Quote Share this post Link to post Share on other sites
Mudsaf 17 Report post Posted December 18, 2012 Thank you for your reply it was helpful for me , but i'm still wondering if brute-force attacks are possible to prevent with ip-adress blocking & not account blocking? Quote Share this post Link to post Share on other sites
Ingolme 1,012 Report post Posted December 18, 2012 You could store the IP address of the person that's trying to log in and block it after a certain amount of failed attempts as well. But because the IP could belong to a legitimate user who forgot their password you should make sure to unblock it after a certain amount of time. Quote Share this post Link to post Share on other sites
Mudsaf 17 Report post Posted December 19, 2012 Alright, thanks because the latest way would be best choice for me. Because if i would do the other way anyone could just try connecting with my account and neither i or anyone else could try to login to my account. Quote Share this post Link to post Share on other sites
