Mudsaf, posted December 17, 2012 (edited)

Hello, I'm wondering whether I can prevent brute-force attacks on my webpage, for example by creating this. This should work if the user doesn't close and re-open the page after the attempts are used up, but I have no idea how brute force does it.

Login page

```php
<?php
session_start();
// Only show the form while the visitor still has attempts left.
if (isset($_SESSION['login_attempt']) && $_SESSION['login_attempt'] >= 6) {
    // Attempts used up, no form
} else {
    // Form here
}
?>
```

Login confirm page

```php
<?php
session_start();
if (!isset($_SESSION['login_attempt'])) {
    $_SESSION['login_attempt'] = 0;
}

if (isset($_SESSION['Rights'])) {
    // Already logged in
    header("Location: index.php");
    exit;
} elseif (isset($_POST['password'], $_POST['username']) && $_SESSION['login_attempt'] < 6) {
    // LOGIN SCRIPT HERE: look up the user and set $rows to the number of matching rows
    $rows = 0; // placeholder until the login script fills it in
    if ($rows > 0) {
        // user has logged in correctly
        // FEW SESSIONS TO STORE DATA
        $_SESSION['login_attempt'] = 0;
    } else {
        $_SESSION['login_attempt']++;
        if ($_SESSION['login_attempt'] < 6) {
            echo (5 - $_SESSION['login_attempt']) . " attempts left";
        }
    }
}
?>
```

Read more about brute force here: http://en.wikipedia.org/wiki/Brute-force_attack

Read more about SQL injection here (this prevention is a must-have for an SQL-based webpage): http://en.wikipedia.org/wiki/SQL_injection

Edited December 17, 2012 by Mudsaf
Ingolme, posted December 17, 2012

Sessions rely on the user sending a cookie or query string. A brute-force attacker could just not send them. I think systems have a field in the database, "number of failed login attempts", which resets to 0 upon successful login or after a certain time has passed (perhaps there's also a "last login attempt" field with the timestamp). When that number is above a certain value, logins will no longer be accepted until a certain amount of time has passed after the most recent login.
Mudsaf, posted December 18, 2012 (author)

Thank you for your reply, it was helpful for me, but I'm still wondering if brute-force attacks are possible to prevent with IP-address blocking and not account blocking?
Ingolme, posted December 18, 2012

You could store the IP address of the person that's trying to log in and block it after a certain amount of failed attempts as well. But because the IP could belong to a legitimate user who forgot their password, you should make sure to unblock it after a certain amount of time.
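The two replies above describe one scheme: a failed-attempt counter stored server-side (per account, and per IP address) that is reset on a successful login and expires after a fixed time. The following is an added example of that scheme, not code posted by anyone in this thread. It assumes PHP 7 or later with PDO and SQLite, a `users` table whose `password_hash` column was written with `password_hash()`, and a `login_throttle` table it creates itself; the table names, thresholds, account and IP address are made up for the demonstration.

```php
<?php
// Added example, not code from the thread. Failed-login counters are kept in
// the database, one row per account and one per client IP, and expire after a
// fixed window. Assumptions: PHP 7+, PDO with SQLite, and a `users` table
// whose password_hash column was written by password_hash(). Table names,
// thresholds and sample data are constructed for this example.

const MAX_FAILURES    = 5;    // failures allowed before the key is locked
const LOCKOUT_SECONDS = 900;  // lock lasts 15 minutes after the last failure

function throttle_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)");
    // One row per key; keys look like 'user:alice' or 'ip:203.0.113.7'.
    $db->exec("CREATE TABLE login_throttle (
                   throttle_key TEXT PRIMARY KEY,
                   failures     INTEGER NOT NULL,
                   last_failure INTEGER NOT NULL)");
    return $db;
}

// A key is locked once it has MAX_FAILURES failures and the most recent one
// is younger than LOCKOUT_SECONDS. Older counters are simply ignored, so a
// lock can never outlive its window.
function is_locked(PDO $db, string $key, int $now): bool {
    $st = $db->prepare("SELECT failures, last_failure FROM login_throttle WHERE throttle_key = ?");
    $st->execute([$key]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return (int)$row['failures'] >= MAX_FAILURES
        && ($now - (int)$row['last_failure']) < LOCKOUT_SECONDS;
}

// Increment the counter, or restart it at 1 if the previous window expired.
function record_failure(PDO $db, string $key, int $now): void {
    $st = $db->prepare("SELECT failures, last_failure FROM login_throttle WHERE throttle_key = ?");
    $st->execute([$key]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $failures = 1;
    if ($row !== false && ($now - (int)$row['last_failure']) < LOCKOUT_SECONDS) {
        $failures = (int)$row['failures'] + 1;
    }
    $st = $db->prepare("INSERT OR REPLACE INTO login_throttle (throttle_key, failures, last_failure) VALUES (?, ?, ?)");
    $st->execute([$key, $failures, $now]);
}

function clear_failures(PDO $db, string $key): void {
    $st = $db->prepare("DELETE FROM login_throttle WHERE throttle_key = ?");
    $st->execute([$key]);
}

// Returns 'locked', 'ok' or 'bad'. Checking both the account and the IP means
// an attacker gains nothing by dropping the session cookie, and a legitimate
// user who forgot their password is only locked out until the window expires.
function attempt_login(PDO $db, string $username, string $password, string $ip, int $now): string {
    $userKey = 'user:' . $username;
    $ipKey   = 'ip:' . $ip;
    if (is_locked($db, $userKey, $now) || is_locked($db, $ipKey, $now)) {
        return 'locked';            // do not even check the password
    }
    $st = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
    $st->execute([$username]);
    $hash = $st->fetchColumn();     // false when the user does not exist
    if ($hash !== false && password_verify($password, $hash)) {
        clear_failures($db, $userKey);
        clear_failures($db, $ipKey);
        return 'ok';
    }
    record_failure($db, $userKey, $now);
    record_failure($db, $ipKey, $now);
    return 'bad';
}

// Constructed demonstration: one account, five wrong guesses from one address,
// then the correct password inside and after the lockout window.
$db = throttle_db();
$db->prepare("INSERT INTO users (username, password_hash) VALUES (?, ?)")
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$t = time();
for ($i = 1; $i <= MAX_FAILURES; $i++) {
    echo "guess $i: ", attempt_login($db, 'alice', "wrong$i", '203.0.113.7', $t), "\n";
}
echo "right password during lockout: ", attempt_login($db, 'alice', 'correct horse', '203.0.113.7', $t), "\n";
echo "right password after lockout:  ", attempt_login($db, 'alice', 'correct horse', '203.0.113.7', $t + LOCKOUT_SECONDS), "\n";
```

The time is passed in as a parameter only so the demonstration can jump past the window; in a real login handler use `time()` and take the address from `$_SERVER['REMOTE_ADDR']`, not from an `X-Forwarded-For` header, which the client controls unless a trusted proxy in front of the application overwrites it. The read-then-write in `record_failure` is not atomic, so two simultaneous failures can be counted as one; for a busy site do the increment in a single `UPDATE` or inside a transaction. Per-IP blocking on its own also has limits that the thread touches on: many users can share one address behind NAT, and an attacker with many addresses is throttled per address rather than per account, which is why the example keeps both counters.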
Mudsaf, posted December 19, 2012 (author)

Alright, thanks, because the latter way would be the best choice for me. If I did it the other way, anyone could just try connecting with my account and neither I nor anyone else could log in to my account.