Jump to content
Sign in to follow this  
Mudsaf

Can sessions prevent brute-force attack?

Recommended Posts

Hello, im wondering can i prevent brute-force attacks from my webpage example creating this. This should work if the user doesn't close and re-open the page after attempts are out, but i have no idea how brute-force does it. Login page

<?php session_start();if(isset($_SESSION['login_attempt']) && $_SESSION['login_attempt']  < 6) {} else {//Form here}?>

Login confirm page

<?phpsession_start();if (isset($_SESSION['Rights']) && $_SESSION['login_attempt'] < 6) {header("Location: index.php");} elseif (isset($_POST['password']) && isset($_POST['username']) && $_SESSION['login_attempt'] < 6) {//LOGIN SCRIPT HERE} elseif ($rows > 0) {  //user has logged in correctly//FEW SESSIONS TO STORE DATA} else { if (!isset($_SESSION['login_attempt'])) {$_SESSION['login_attempt'] = 1;} else {$_SESSION['login_attempt'] = $_SESSION['login_attempt'] + 1;}if ($_SESSION['login_attempt'] < 6) {echo (5 - $_SESSION['login_attempt']) . " attempts left";}}}?>

Read more about brute-force here

http://en.wikipedia.org/wiki/Brute-force_attack

Read more about SQL-injections here (This prevention is MUST-have to SQL-based webpage)

http://en.wikipedia.org/wiki/SQL_injection

Edited by Mudsaf

Share this post


Link to post
Share on other sites

Sessions rely on the user sending a cookie or query string. A brute force attacker could just not send them. I think systems have a field in the database "number of failed login attempts" which resets to 0 upon successful login or after a certain time has passed (perhaps there's also a "last login attempt" field with the timestamp). When that number is above a certain value logins will no longer be accepted until a certain amount of time has passed after the most recent login.

  • Like 1

Share this post


Link to post
Share on other sites

Thank you for your reply it was helpful for me , but i'm still wondering if brute-force attacks are possible to prevent with ip-adress blocking & not account blocking?

Share this post


Link to post
Share on other sites

You could store the IP address of the person that's trying to log in and block it after a certain amount of failed attempts as well. But because the IP could belong to a legitimate user who forgot their password you should make sure to unblock it after a certain amount of time.

Share this post


Link to post
Share on other sites

Alright, thanks because the latest way would be best choice for me. Because if i would do the other way anyone could just try connecting with my account and neither i or anyone else could try to login to my account.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...