If I want to count the number of failed login attempts what might be the best course of action?
Off the top of my head I figure I could:
- Have a session variable that counts up to number X
- Have a cookie variable
- Insert the user's IP address into a database table for each failed attempt, and when the form loads check to make sure there aren't X number of strikes in the last 30 minutes.
It seems to me though that each of these can be gotten around. A session can be ended by opening a new browser window, cookies can be dumped, and while I don't know how, I know users can spoof IP addresses.
So I guess, is there another way to do it that is more secure? Granted, none of my sites have that much traffic, but I want to show that I am taking security seriously.
Also, I guess I should ask: do people even care about this anymore? Is lockout after X number of bad attempts just an older security standard that is more inconvenient than it is useful nowadays?
Thoughts and opinions are welcome by any.
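As an added example (not part of the original post), here is a server-side strike counter of the kind the third option describes, using an in-memory store in place of the database table and keying strikes on the account name as well as the client IP, so that clearing cookies or starting a new session does not reset the count. The names, the thresholds (3 strikes, 30-minute window) and the IP addresses are assumptions chosen for the demonstration.

```python
import time
from collections import defaultdict, deque

MAX_STRIKES = 3           # X: failures tolerated inside the window (assumed value)
WINDOW_SECONDS = 30 * 60  # the 30-minute window from the question


class FailedLoginTracker:
    """Server-side failed-login counter (stand-in for the question's DB table).

    Strikes are tracked per account name and per client IP. Keying on the
    account means the count survives new sessions and dumped cookies; keying
    on the IP still slows down guessing spread across many account names.
    """

    def __init__(self, max_strikes=MAX_STRIKES, window=WINDOW_SECONDS, clock=time.time):
        self.max_strikes = max_strikes
        self.window = window
        self.clock = clock                      # injectable for testing
        self._strikes = defaultdict(deque)      # key -> timestamps of failures

    def _keys(self, username, ip):
        return (("user", username.lower()), ("ip", ip))

    def _recent(self, key, now):
        """Drop strikes older than the window and return the remaining ones."""
        q = self._strikes[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            self._recent(key, now).append(now)

    def record_success(self, username, ip):
        """A correct login clears the account's strikes; the IP keeps its own."""
        self._strikes.pop(("user", username.lower()), None)

    def is_locked(self, username, ip):
        """True if either the account or the IP has reached the strike limit."""
        now = self.clock()
        return any(len(self._recent(key, now)) >= self.max_strikes
                   for key in self._keys(username, ip))


if __name__ == "__main__":
    # Constructed sample: three bad attempts for one account from one address.
    tracker = FailedLoginTracker()
    for _ in range(3):
        tracker.record_failure("alice", "203.0.113.7")
    print("alice locked:", tracker.is_locked("alice", "203.0.113.7"))
    print("alice from a new address:", tracker.is_locked("alice", "198.51.100.9"))
```

Check `is_locked` before processing the submitted password so a locked account is not given another guess; the account-keyed check is what makes the IP-spoofing concern moot.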