限制(和记录)登录尝试的最佳方法 [英] Best way to limit (and record) login attempts

问题描述

显然，限制登录尝试的某种机制是安全性所必需的.虽然我喜欢两次尝试之间的时间成指数增长的概念，但是我不确定该如何存储信息.我也对替代解决方案感兴趣，最好不包括验证码.

Obviously some sort of mechanism for limiting login attempts is a security requisite. While I like the concept of an exponentially increasing time between attempts, what I'm not sure of storing the information. I'm also interested in alternative solutions, preferrably not including captchas.

我猜测由于阻止cookie或自动清除cookie，cookie无法正常工作，但是会话是否可以正常工作?还是必须将其存储在数据库中?不知道可以/正在使用什么方法，所以我根本不知道什么是实际的.

I'm guessing a cookie wouldn't work due to blocking cookies or clearing them automatically, but would sessions work? Or does it have to be stored in a database? Being unaware of what methods can/are being used so I simply don't know what's practical.

推荐答案

在用户表"failed_login_attempts"和"failed_login_time"中使用一些列.第一个对于每次失败的登录都会递增，并在成功登录后重置.第二个允许您将当前时间与上次失败时间进行比较.

Use some columns in your users table 'failed_login_attempts' and 'failed_login_time'. The first one increments per failed login, and resets on successful login. The second one allows you to compare the current time with the last failed time.

您的代码可以使用数据库中的此数据来确定等待锁定用户的时间，允许的两次登录之间的时间等

Your code can use this data in the db to determine how long it waits to lock out users, time between allowed logins etc

这篇关于限制(和记录)登录尝试的最佳方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！