限制登录失败次数 [英] Limiting the number of failed login attemps

问题描述

我想限制失败的登录尝试.例如，如果某个特定用户尝试使用错误的用户名或密码登录4次，则我应该第4次显示CAPTCHA，而不是在特定时间段内进行阻止，并且除非他提供有效的用户名和密码，否则请继续显示CAPTCHA.用户成功登录后，登录尝试将重置为零.

I want to limit the failed login attempts. For example, if a specific user attempt to login with wrong username or password 4 times, i should show the CAPTCHA 4th time instead of blocking for some specific time, and keep showing CAPTCHA unless he supplies valid username and password. Once the user has successfully logged in, the login attempt is reset to ZERO.

从安全角度来看，是检查用户名而不是IP地址吗?是否可以在不使用数据库的情况下实现这种方法?因为我认为不需要显示时间，因为我只会显示Recaptcha吗? 请发表您的意见.

Is the idea of checking the username instead of IP address OK in security point of view? Can this approach be implemented without using database?, as I think I don't need to store time because i will just show recaptcha? Please give your opinion.

推荐答案

您不想将数据库用于登录失败次数"-检查吗?然后，使用Cookie进行检查.当然，他们可以删除它，但这很麻烦.

You don't want to use the database for the 'number of failed logins'-check? Then just use a cookie and check it. Sure, they can remove it, but it's a hassle.

但是，我怀疑您已经从数据库中获取了用户名和密码，为什么不同时访问数据库也能获取失败登录的最新次数?

However, I suspect that you already are getting the username and password from the database, why not also fetch the last number of failed logins while you are at it?

if (isset($_POST['submit_login'])) {

    if (isset($_POST['username']) && isset($_POST['password'])) {
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['password']);
        // id = unique primary key
        $rs = mysql_query('SELECT id,Username,Password,Failed_logins,IP_address FROM Users WHERE Username = '.$username.'');
        $num = mysql_num_rows($rs);
        if ($num > 0) {
            // I would add a password hash here to $password, and check against the hashed Password from the database
            // But let's check the clean passwords
            $row = mysql_fetch_array($rs);
            if ($password == $row['Password']) {
                // Successful login, set session or whatever you need
                // Reset failed logins
                mysql_query('UPDATE Users SET Failed_logins = 0 WHERE id = '.$row['id'].'');
                header('location: success.php');
            } else {
                // Failed password check
                if ($row['Failed_logins'] > 3) {
                    // Redirect to captcha
                    header('location: captcha.php');
                } else {
                    $ip = $_SERVER['REMOTE_ADDR'];
                    if ($row['IP_address'] != $ip) {
                        // New ip adress, reset failed logins
                        $failed_logins = 0;
                    } else {
                        // Increment failed logins
                        $failed_logins = $row['Failed_logins']+1;
                    }
                    mysql_query('UPDATE Users SET Failed_logins = '.$failed_logins.',IP_address = '.$ip.' WHERE id = '.$row['id'].' ');
                } // End check Failed_logins > 3
            }
        } else {
            // No such Username found in database
            $error = 'no_such_username';
        } // End username check from database

    } else {
        // Either username or password is missing
        $error = 'incomplete_form';
    } // end check for username and password

} // end main submit_login check

类似的东西.

这确实是旧代码，现在我看到了一些问题.但是，至少您应该始终使用PDO(准备好的语句)在数据库中插入数据.

This is really old code and I see some problems with it now. But, at least you should always use PDO (prepared statements) for inserting data in your database.

这篇关于限制登录失败次数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！