How to count the number of password attempts?

O

Outsider V.2015-02-16 17:40:59

PHP

Outsider V., 2015-02-16 17:40:59

There is a common task of limiting attempts to enter a password for a particular individual (self-written engine in PHP / MySQL): no more than three in half an hour.
Question: where to store the counter of attempts?
The forums offer a session everywhere, but deleting session cookies and starting a new session for the bot is as easy as shelling pears, right? How to be in such a case? Identify IP? But, again, then you need to store the counter somewhere - where?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alexander Kubintsev, 2015-02-16
@Audiophile

Well, yes, first you need to identify the client somehow. IP of course + session id or user-agent. You will not be able to fully guarantee unambiguous identification.
Then you make a table like id-connection (you can have several columns for sampling), last_access_time, count. Check with it when authenticating. Write at the same time and a cron service for cleaning up obsolete entries.

A

Armenian Radio, 2015-02-16
@gbg

I recommend using fail2ban. The idea of integration can be gleaned, for example, here .