Jkensuke wrote:
If I want to count the number of failed login attempts what might be the best course of action?
Off the top of my head I figure I could:
- Have a session variable that counts up to number X
- Have a cookie variable
- Insert the users IP address into a database table for each failed attempt and when the form loads I check to make sure there aren't X number of strikes in the last 30 minutes.
A combination of those might be a good idea. Most hackers are, luckily, amateurs with one-track minds. Create a database table to log failed login attempts. For every failed attempt, log at least the datetime, IP, sessionID, username (which should be unique on your site), reason for failure and failure count.
In a query following a failed login, verify whether the IP, sessionID or username match any in the failed_login table, and, if so, whether the current datetime is within, say, 12 hours of the last failed login. If yes, increment the failure count by 1. If no, insert a new row in the table.
Use client-friendly messages to inform your visitors why their login fails. Study failed logins for common patterns. It just might be that you are the culprit, and that you have to improve your login design. There is one good reason for doing all that. Then you will know that those in your failed_login table really had it in for you.
If your site traffic is high, then consider archiving old data. Throw nothing away!