How to restrict user for 30 minutes after 3 invalid login attempts in vb.net code


Problem description

how to restrict user for 30 minutes, after 3 invalid login attempts in vb.net code

Recommended answer

There are a few ways to do this.

1) Add a session variable with DateTime "banned" and check it to see if it's more than 30 min ago
Pros: Extremely easy to implement. Will not affect any other users.
Cons: Extremely easy to bypass (close and reopen browser)

2) Add a cookie which expires after 30 minutes
Pros: Easy to implement. Will not affect any other users.
Cons: Easy to bypass. (just delete the cookie)

3) Create a table in your database keeping IP-address and DateTime for time "banned"
Pros: Difficult to bypass
Cons: A little bit more work to implement. Will potentially affect other users with the same IP. (You can solve this by storing more info about the user, like the user agent string, but it's not bulletproof.)

4) Store UserId and when the login attempt failed in the database
Pros: Impossible to bypass
Cons: Can lock out a user who didn't try to log in, e.g. if I try to log in with someone else's username. Some work to implement.

Alt 4 is the best solution here!


You need a storage location, possibly SQL, where you store the username and occurred time of a failed login:

CREATE TABLE dbo.FailedAttempts (
    Username VARCHAR(255),
    Occurred DATETIME
);



The following SQL will give you the failed login count.

SELECT [Count] = COUNT(*) FROM dbo.FailedAttempts WHERE Username=@Username AND Occurred > DATEADD(MINUTE, -30, GETDATE())



You then need to build this into your login process so that if the user login fails you insert into the failed attempts table. If the password is valid you check the current failed attempts count and reject their attempt where it's too high.
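
One way to wire the failed-attempts table and count query into a login routine, as an added example that is not part of the original answers. `LoginThrottle`, `TryLogin` and the `verifyPassword` delegate are hypothetical names, and the table is assumed to be `dbo.FailedAttempts (Username, Occurred)` on SQL Server.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

' Added example: LoginThrottle, TryLogin and verifyPassword are hypothetical names.
Public Module LoginThrottle
    Private Const MaxFailures As Integer = 3      ' failed attempts allowed per window
    Private Const WindowMinutes As Integer = 30   ' length of the window in minutes

    ' Failed logins for this username inside the window (the COUNT query above, parameterized).
    Private Function RecentFailures(conn As SqlConnection, username As String) As Integer
        Const sql As String =
            "SELECT COUNT(*) FROM dbo.FailedAttempts " &
            "WHERE Username = @Username AND Occurred > DATEADD(MINUTE, -@Window, GETDATE())"
        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@Username", SqlDbType.VarChar, 255).Value = username
            cmd.Parameters.Add("@Window", SqlDbType.Int).Value = WindowMinutes
            Return CInt(cmd.ExecuteScalar())
        End Using
    End Function

    Private Sub RecordFailure(conn As SqlConnection, username As String)
        Using cmd As New SqlCommand(
            "INSERT INTO dbo.FailedAttempts (Username, Occurred) VALUES (@Username, GETDATE())", conn)
            cmd.Parameters.Add("@Username", SqlDbType.VarChar, 255).Value = username
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' verifyPassword stands in for the application's own credential check (assumption).
    Public Function TryLogin(connectionString As String, username As String, password As String,
                             verifyPassword As Func(Of String, String, Boolean)) As Boolean
        Using conn As New SqlConnection(connectionString)
            conn.Open()
            ' Locked accounts are rejected before the password is looked at, so a correct guess gains nothing.
            If RecentFailures(conn, username) >= MaxFailures Then Return False
            If verifyPassword(username, password) Then Return True
            ' Failures are recorded only while the account is not locked, which bounds table growth.
            RecordFailure(conn, username)
            Return False
        End Using
    End Function
End Module
```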

