
Can sessions prevent brute-force attack?


Hello, I'm wondering whether I can prevent brute-force attacks on my webpage, for example by creating this. It should work if the user doesn't close and re-open the page after the attempts are used up, but I have no idea how brute-force does it.

Login page

<?php
session_start();
// Show the form only while fewer than 6 failed attempts have been recorded in
// this session; the counter does not exist yet on a fresh session.
$attempts = $_SESSION['login_attempt'] ?? 0;
if ($attempts >= 6) {
    // Locked out for this session
} else {
    // Form here
}
?>

Login confirm page

<?php
session_start();
$attempts = $_SESSION['login_attempt'] ?? 0;

if (isset($_SESSION['Rights']) && $attempts < 6) {
    // Already logged in
    header("Location: index.php");
    exit;
} elseif (isset($_POST['password'], $_POST['username']) && $attempts < 6) {
    // LOGIN SCRIPT HERE: look the user up and set $rows to the number of matches
    if ($rows > 0) {
        // User has logged in correctly
        // FEW SESSIONS TO STORE DATA
    } else {
        // Wrong credentials: count the failure in the session
        $_SESSION['login_attempt'] = $attempts + 1;
        if ($_SESSION['login_attempt'] < 6) {
            // Attempts are allowed while the counter is below 6, so 6 - counter remain
            echo (6 - $_SESSION['login_attempt']) . " attempts left";
        }
    }
}
?>

Read more about brute-force here


Read more about SQL injection here (this protection is a must-have for any SQL-backed webpage)


Edited by Mudsaf

Sessions rely on the user sending a cookie or query string. A brute-force attacker could just not send them. I think systems have a field in the database, "number of failed login attempts", which resets to 0 upon successful login or after a certain time has passed (perhaps there's also a "last login attempt" field with the timestamp). When that number is above a certain value, logins will no longer be accepted until a certain amount of time has passed after the most recent login.


You could store the IP address of the person that's trying to log in and block it after a certain amount of failed attempts as well. But because the IP could belong to a legitimate user who forgot their password you should make sure to unblock it after a certain amount of time.

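The two replies above describe the same mechanism from two angles: a failed-attempt counter that lives in the database rather than in the attacker's session, keyed by account in the first reply and by source IP in the second, with a timer that clears it. The following is an added example, not code from the original thread or from any poster, that implements both counters side by side. It keeps the data in an in-memory SQLite database through PDO (so the pdo_sqlite extension is assumed), and the table names, column names, thresholds and the `attemptLogin()` function are this example's own choices. Two details worth noting: the correct password is refused while the account is locked, which is the whole point but also why the lockout is time-bounded rather than permanent, and the per-IP threshold is set higher than the per-account one because an address behind a shared NAT may carry many legitimate users while a determined attacker can spread attempts across many addresses.

```php
<?php
// Added example, not code from the original thread: failed-login counters kept
// in the database, per account and per source IP, each with a timed lockout.
// Uses an in-memory SQLite database through PDO (needs the pdo_sqlite extension)
// so it runs stand-alone; table and column names are this example's own.
declare(strict_types=1);

const MAX_ACCOUNT_FAILURES = 5;   // lock the account after this many failures
const MAX_IP_FAILURES      = 20;  // lock the source IP after this many failures
const LOCKOUT_SECONDS      = 900; // both locks expire 15 minutes after the last failure

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username        TEXT PRIMARY KEY,
        password_hash   TEXT NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        last_failed_at  INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE ip_failures (
        ip              TEXT PRIMARY KEY,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        last_failed_at  INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// A counter locks its subject once it reaches $max, until LOCKOUT_SECONDS have
// passed since the most recent failure.
function isLocked(int $failures, int $lastFailedAt, int $max, int $now): bool
{
    return $failures >= $max && ($now - $lastFailedAt) < LOCKOUT_SECONDS;
}

// Counter value to store after a failure: restart at 1 if the previous window expired.
function nextCount(int $failures, int $lastFailedAt, int $now): int
{
    return ($now - $lastFailedAt) >= LOCKOUT_SECONDS ? 1 : $failures + 1;
}

// Returns 'ok', 'denied', 'account_locked' or 'ip_locked'. $now is passed in
// instead of calling time() so the lockout expiry can be exercised deterministically.
function attemptLogin(PDO $db, string $username, string $password, string $ip, int $now): string
{
    // IP check first: an attacker who never sends a session cookie still has an address.
    $stmt = $db->prepare('SELECT failed_attempts, last_failed_at FROM ip_failures WHERE ip = ?');
    $stmt->execute([$ip]);
    $ipRow = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['failed_attempts' => 0, 'last_failed_at' => 0];
    if (isLocked((int)$ipRow['failed_attempts'], (int)$ipRow['last_failed_at'], MAX_IP_FAILURES, $now)) {
        return 'ip_locked';
    }

    $stmt = $db->prepare('SELECT password_hash, failed_attempts, last_failed_at FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user && isLocked((int)$user['failed_attempts'], (int)$user['last_failed_at'], MAX_ACCOUNT_FAILURES, $now)) {
        return 'account_locked';   // even the right password is refused while locked
    }

    if ($user && password_verify($password, $user['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0 WHERE username = ?')->execute([$username]);
        return 'ok';               // success resets the account counter
    }

    // Failure: count it against the account (if it exists) and against the IP.
    if ($user) {
        $db->prepare('UPDATE users SET failed_attempts = ?, last_failed_at = ? WHERE username = ?')
           ->execute([nextCount((int)$user['failed_attempts'], (int)$user['last_failed_at'], $now), $now, $username]);
    }
    $db->prepare('INSERT OR REPLACE INTO ip_failures (ip, failed_attempts, last_failed_at) VALUES (?, ?, ?)')
       ->execute([$ip, nextCount((int)$ipRow['failed_attempts'], (int)$ipRow['last_failed_at'], $now), $now]);
    return 'denied';
}

// Demonstration with a constructed user, a constructed client address and a fixed clock.
$db = connect();
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
$t = 1700000000;
for ($i = 1; $i <= MAX_ACCOUNT_FAILURES; $i++) {
    echo "wrong password #$i: ", attemptLogin($db, 'alice', 'hunter2', '203.0.113.7', $t + $i), "\n";
}
echo "right password, locked:  ", attemptLogin($db, 'alice', 'correct horse battery staple', '203.0.113.7', $t + 10), "\n";
echo "right password, expired: ", attemptLogin($db, 'alice', 'correct horse battery staple', '203.0.113.7', $t + 10 + LOCKOUT_SECONDS), "\n";
```

The demonstration at the bottom walks through the failure mode the thread is about: the fifth wrong password puts the account at its threshold, the correct password is then refused because the window has not elapsed, and the same correct password is accepted once `LOCKOUT_SECONDS` have passed since the last failure. In a real deployment `$now` would be `time()`, the client address would come from the request (through whatever proxy headers the deployment actually trusts), and the counters should be updated inside a transaction so that parallel requests cannot race past the threshold.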

Alright, thanks, because the latter would be the best choice for me. If I did it the other way, anyone could just try connecting with my account and then neither I nor anyone else could log in to it.

