Re: [phplib] Disallowing infinite incorrect passwords From: Arno A. Karner (karner <email protected>)
Date: 05/01/00

This is pretty trivial really; I've done it already. Add a column to auth_user,
flc, for failed login count. Change the query in auth_user to check for the
user name only first, then compare passwords. If they don't match you have all the
info to do begin, select, increment, update, commit.

On successful login and flc > 0: begin, select, decrement, update, commit.

My next hacks would be a failed username count per IP address, with
some kind of disable function there, with maybe even an external program
to change firewall rules, saving CPU time in a web-based DoS attack.

Other problems to solve for web apps:
1) multiple logins?
  Add the user id to the session table; select for the user id count before accepting a new
  login.

2) multiple sessions: reasons to use GET for the session instead of a cookie.
   When the browser clones the current window it does not use the same cookie/session,
   so you can have multiple browsers logged in and running web apps at the
   same time. I think this is a bug/feature depending on what you want to do.

My opinions are my own and not those of my employer, even if I am self-employed.
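The counter scheme described above (look the row up by user name only, compare the password in code, then begin/select/increment/update/commit on a miss, and the per-user session count from question 1), as an added worked example that is not part of the original post or of PHPLib. It uses Python with an in-memory sqlite3 database instead of PHPLib's PHP/MySQL code; the table name auth_user and the flc column come from the post, while active_sessions, MAX_FAILED, MAX_SESSIONS, login, open_session and failed_count are names assumed for this example. Two design choices go beyond the post: a successful login resets flc to zero rather than decrementing it, and an account at or above MAX_FAILED is refused even with the correct password, so a lockout actually ends the guessing. The hash is also computed for unknown user names so that response time does not reveal which names exist.

```python
"""Failed-login counter on a PHPLib-style auth_user table (added example, not PHPLib code)."""
import hashlib
import hmac
import os
import sqlite3

MAX_FAILED = 5            # assumption: lock the account after five consecutive failures
MAX_SESSIONS = 1          # assumption: one live session per user (question 1 in the post)
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16  # used to spend the same hashing time on unknown user names

# auth_user is the PHPLib table named in the post; flc is the column the post adds.
# active_sessions stands in for the session table the post says should carry a user id.
SCHEMA = """
CREATE TABLE auth_user (
    user_id  TEXT PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL,
    flc      INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE active_sessions (
    sid     TEXT PRIMARY KEY,
    user_id TEXT NOT NULL
);
"""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    # isolation_level=None: the code issues BEGIN/COMMIT/ROLLBACK itself.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    return db


def add_user(db, user_id, username, password):
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO auth_user (user_id, username, salt, pw_hash, flc) VALUES (?, ?, ?, ?, 0)",
        (user_id, username, salt, hash_password(password, salt)))


def failed_count(db, username):
    row = db.execute("SELECT flc FROM auth_user WHERE username = ?", (username,)).fetchone()
    return None if row is None else row[0]


def login(db, username, password):
    """Return 'ok', 'bad_password', 'locked' or 'no_such_user'.

    The SELECT is by user name only and the password is compared in code, so on
    a mismatch the row needed for the UPDATE is already in hand.  BEGIN IMMEDIATE
    takes the write lock before the SELECT, so two concurrent attempts cannot
    both read flc=4 and both write flc=5.
    """
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute(
            "SELECT user_id, salt, pw_hash, flc FROM auth_user WHERE username = ?",
            (username,)).fetchone()
        if row is None:
            hash_password(password, DUMMY_SALT)  # same cost as a real check
            result = "no_such_user"
        else:
            user_id, salt, pw_hash, flc = row
            if flc >= MAX_FAILED:
                result = "locked"                 # refused even with the right password
            elif not hmac.compare_digest(hash_password(password, salt), pw_hash):
                db.execute("UPDATE auth_user SET flc = flc + 1 WHERE user_id = ?", (user_id,))
                result = "bad_password"
            else:
                if flc > 0:
                    db.execute("UPDATE auth_user SET flc = 0 WHERE user_id = ?", (user_id,))
                result = "ok"
    except Exception:
        db.execute("ROLLBACK")
        raise
    db.execute("COMMIT")
    return result


def open_session(db, user_id, sid):
    """Count the user's live sessions before accepting a new login (question 1)."""
    db.execute("BEGIN IMMEDIATE")
    n = db.execute("SELECT COUNT(*) FROM active_sessions WHERE user_id = ?",
                   (user_id,)).fetchone()[0]
    if n >= MAX_SESSIONS:
        db.execute("COMMIT")
        return False
    db.execute("INSERT INTO active_sessions (sid, user_id) VALUES (?, ?)", (sid, user_id))
    db.execute("COMMIT")
    return True


if __name__ == "__main__":
    db = open_db()
    add_user(db, "u1", "alice", "correct horse battery staple")  # constructed sample user
    for _ in range(MAX_FAILED):
        print(login(db, "alice", "guess"))
    print(login(db, "alice", "correct horse battery staple"))
```

As written, a locked account stays locked until flc is reset by an administrator; a time-based unlock of the kind the original question asks about would need a timestamp column next to flc and a check on it before the flc >= MAX_FAILED test.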

On Thu, 27 Apr 2000, Max A. Derkachev wrote:

> Hello Mark,
>
> Thursday, April 27, 2000, 7:46:08 AM, you wrote:
>
> MRC> If I understand the way PHPLib is currently written, a user can try
> MRC> infinite times to guess a password. Has anyone written any code to
> MRC> prevent this?
> MRC> Has anyone written any code that will disable an account after X
> MRC> incorrect login attempts?
> MRC> Or how about code that will make you wait X hours to attempt to login
> MRC> again if you try Y incorrect logins with Z period of time?
>
> Well, I guess this could be done, but the conditions would be very
> restrictive. How do you intend to catch a user (I mean a real world user
> - a human - not a login) who's trying to crack someone's password? The
> only thing possible is setting up a cookie for that purpose, which
> will contain the number of tries, and the expiration time. But if the
> user doesn't allow cookies, it won't work. It also won't work if he deletes
> the cookies from his hard disk. Without a cookie you can't identify
> the user for sure. Don't rely on IPs.
>
> --
> Best regards,
> Max A. Derkachev
>

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>