PHP lockout user after 3 failed log ins for 10 minutes
Problem description
I have the code for a login system almost done. I have it working that a user gets 3 attempts to log in and receives a message each time saying that they have a certain number of attempts left. I have also coded it so that if they have been logged in for 5 minutes they will automatically be logged out. I am struggling with how to lock the user out for 10 minutes based on session variables. Could anyone tell me where to set the session variable ['LoginID'] and what conditions it needs to be in, because at the moment I am getting an error that it is an undefined variable. If someone could help me with my current code instead of providing a different method altogether, that would be great, because then I could actually understand it. Here is my code:
// CareMarkBase starts a session, connects to the DB and has the following code for logging out a user after 5 minutes (which works)
$duration = (5 * 60);
if(isset($_SESSION['started'])){
    $time = ($duration - (time() - $_SESSION['started']));
    if($time <= 0){
        session_unset();
        session_destroy();
    }
}
else{
    $_SESSION['started'] = time();
}
Here is the login PHP:
<?php include "CareMarkBase.php"; ?>
<?php
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
{
    echo "<p>Thanks for logging in <b>".$_SESSION['FName']." ".$_SESSION['SName']."</b>.</p>";
    echo "<a href='CareMarkLogout.php'><input name='logoutBtn' type='submit' value='Logout'/></a>";
    #set failed_login_attempts = 0
    $set_failed_login_attempts=mysql_query("UPDATE login SET failed_login_attempts=0 WHERE LoginID=".$_SESSION['LoginID']);
}
elseif(!empty($_POST['username']) && !empty($_POST['password']))
{
    $userID = mysql_real_escape_string($_POST['username']);
    $password = md5(mysql_real_escape_string($_POST['password']));
    $checkloginEmp = mysql_query("SELECT * FROM UserDetails WHERE UserID = '".$userID."' AND Password = '".$password."'") or die(mysql_error());
    if(mysql_num_rows($checkloginEmp) == 1)
    {
        $row = mysql_fetch_array($checkloginEmp);
        $_SESSION['Username'] = $userID;
        $_SESSION['FName'] = $row['FName'];
        $_SESSION['SName'] = $row['SName'];
        $_SESSION['LoggedIn'] = 1;
        echo "<meta http-equiv='refresh' content='1;CareMarkLogin2.php'/>";
    }
    else
    {
        if (isset($_SESSION['LoggedAttempts'])){
            $_SESSION['LoggedAttempts']++;
        }
        else{
            $_SESSION['LoggedAttempts'] = 0;
        }
        $login = mysql_query("SELECT failed_login_attempts, last_failed_login FROM login WHERE LoginID ='".$_SESSION['LoginID']."'")or die(mysql_error());
        if(mysql_num_rows($login) == 0){
            #create failed_login_attempts = failed_login_attempts + 1 AND last_failed_login = NOW()
            $failed_login_attempts=mysql_query("INSERT INTO login VALUES ('','".$_SESSION['LoggedAttempts']."',NOW())");
        }
        else{
            $row = mysql_fetch_array($login);
            $_SESSION['LoginID'] = $row['LoginID'];
            $update_failed_login_attempts=mysql_query("UPDATE login SET failed_login_attempts='".$_SESSION['LoggedAttempts']."',
                last_failed_login = NOW() WHERE LoginID ='".$_SESSION['LoginID']."'") or die(mysql_error());
        }
    }
    $login_attempts_remaining=2 - $_SESSION['LoggedAttempts'];
    if ($login_attempts_remaining<=0){
        echo 'Locked out!';
        //going to add code here after to check if they were locked out for more than 10 minutes then to set failed login attempts back to zero
    }
    else{
        echo "Login Details Incorrect<p></p><p></p>";
        echo "<p>Please try again or contact head office on 091 771705</p>
            <p>You have ". $login_attempts_remaining ." login attempts remaining. </p>
            <p> <form action='CareMarkLogin2.php' method='POST'>
            <input type='submit' name='login' id='login' value='Try again'/>
            </form>
            </p>";
    }
}
//}
else{
?>
<div id="mainText" style="width:400px;text-align:center;float:left" class="post">
    <form method="post" action="CareMarkLogin2.php" name="loginform" id="loginform">
        <fieldset>
            <label for="username">Username:</label>
            <input type="text" name="username" id="username"/><br/><br/>
            <label for="password">Password:</label>
            <input type="password" name="password" id="password"/><br/><br/>
            <input type="submit" name="login" id="login" value="Login"/>
        </fieldset>
    </form>
</div>
<?php
}
?>
Recommended answer
After verifying the account information, check if they should be locked out.
if(mysql_num_rows($checkloginEmp) == 1)
{
    // Check if they're locked out
    // $userID is quoted so that mysql_real_escape_string() actually protects the query
    $checkLockout = mysql_query("SELECT * FROM login
        WHERE LoginID = '$userID'
        AND failed_login_attempts >= 3
        AND last_failed_login > DATE_SUB(NOW(), INTERVAL 10 MINUTE)") or die(mysql_error());
    if (mysql_num_rows($checkLockout) > 0) {
        echo "Locked out!";
    } else {
        // Not locked out: populate the session as before
        $row = mysql_fetch_array($checkloginEmp);
        $_SESSION['Username'] = $userID;
        $_SESSION['FName'] = $row['FName'];
        $_SESSION['SName'] = $row['SName'];
        $_SESSION['LoggedIn'] = 1;
    }
    echo "<meta http-equiv='refresh' content='1;CareMarkLogin2.php'/>";
}
Alternatively, you could check this before validating the password.
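The alternative mentioned above, checking the lockout before validating the password, as an added example that is not part of the original answer; a correct password is still refused while the lockout is active. It uses PDO prepared statements and password_hash()/password_verify() in place of the mysql_* functions and md5(), and keeps the failure counter in the database instead of $_SESSION; the `login` table keyed by username, the `password_hash` column and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not the answerer's code. The `login` table keyed by username,
// the password_hash column and the in-memory SQLite database are assumptions.
const MAX_ATTEMPTS = 3;
const LOCKOUT_SECONDS = 600; // 10 minutes

function attemptLogin(PDO $db, string $user, string $password, int $now): string
{
    $q = $db->prepare('SELECT failed_login_attempts, last_failed_login FROM login WHERE username = ?');
    $q->execute([$user]);
    $state = $q->fetch(PDO::FETCH_ASSOC) ?: ['failed_login_attempts' => 0, 'last_failed_login' => 0];

    $recent = ($now - (int)$state['last_failed_login']) < LOCKOUT_SECONDS;
    if ($recent && (int)$state['failed_login_attempts'] >= MAX_ATTEMPTS) {
        return 'locked'; // checked before the password is even looked at
    }
    // Once the 10-minute window has passed, counting starts again from zero.
    $failures = $recent ? (int)$state['failed_login_attempts'] : 0;

    $q = $db->prepare('SELECT password_hash FROM UserDetails WHERE UserID = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash !== false && password_verify($password, $hash)) {
        $db->prepare('DELETE FROM login WHERE username = ?')->execute([$user]);
        return 'ok';
    }
    // Record the failure server-side, keyed by the submitted username.
    $db->prepare('REPLACE INTO login (username, failed_login_attempts, last_failed_login) VALUES (?, ?, ?)')
       ->execute([$user, $failures + 1, $now]);
    return 'failed';
}

// Constructed sample data: one user, three wrong passwords, then the right one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE UserDetails (UserID TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, failed_login_attempts INTEGER, last_failed_login INTEGER)');
$db->prepare('INSERT INTO UserDetails VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = time();
foreach (['bad1', 'bad2', 'bad3', 'correct horse'] as $i => $pw) {
    echo attemptLogin($db, 'alice', $pw, $t + $i), "\n";
}
// Same correct password, tried again after the lockout window has expired.
echo attemptLogin($db, 'alice', 'correct horse', $t + 3 + LOCKOUT_SECONDS), "\n";
```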