I am working on a login system with PHP and MySQL, and this doubt arose because I do not know whether this alone can be considered something "acceptable" as another security tool in the login process.
Well, to explain, the idea is to limit the number of attempts to n times within an interval of x time. Example: a maximum of 5 attempts every 10 minutes.
At the moment my login table is simple, having only email and senha.
The idea is to expand it with 2 more columns, one for the number of attempts and another for the time of the last attempt, thus becoming:
email | senha | tentativa | ultima_tentativa
Where at each login I check the 2 criteria:
$horario = date("Y-m-d H:i:s");           // 24-hour clock; lowercase 'h' would wrap at noon
$tempo1 = new DateTime($ultima_tentativa);
$tempo2 = new DateTime($horario);
$intervalo = $tempo2->getTimestamp() - $tempo1->getTimestamp(); // seconds since the last attempt (format('%i') would return only the minutes component)
// Allow the login while the limit has not been reached, or once the 10-minute window has passed
if ($tentativa < 5 || $intervalo >= 10 * 60) {
    // Process the login....
    // If the login succeeds, the counter is reset to zero
}
The other alternative (for which I have not written the code structure yet) would be similar, but the waiting time before the next attempt would grow progressively, i.e. at each attempt the time interval doubles. Example:
- Attempt 1: 30 seconds;
- Attempt 2: 1 min;
- Attempt 3: 2 min;
- Attempt 4: 4 min;
- Attempt 5: 8 min;
- and so on.
I know it is not the focus of the community, but I would also like to take the UX side of the login into account. I mean, I cannot leave the user waiting long after a few attempts (2 or 3), but the interval also cannot be very high.
Can the methods presented be considered ideal? Which one would be more appropriate?
Is there any other method I can implement to improve the security of the login process considering this scenario?
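Both policies from the question, as an added example that is not the asker's code: it assumes a table named usuarios with the proposed columns, an open mysqli connection, and that the current time is passed in as a Unix timestamp. It goes slightly beyond the question by capping the progressive wait and by restarting the counter at 1 once a previous window has expired.

```php
<?php
declare(strict_types=1);

// Constructed constants for the two policies in the question.
const MAX_TENTATIVAS  = 5;        // fixed window: 5 attempts...
const JANELA_SEGUNDOS = 10 * 60;  // ...per 10 minutes
const BACKOFF_BASE    = 30;       // progressive: 30 s, 1 min, 2 min, 4 min, ...
const BACKOFF_TETO    = 15 * 60;  // assumed cap so the wait never grows to hours

// Seconds the user must still wait before a new attempt is accepted (0 = allowed).
// $tentativa and $ultimaTentativa are the two proposed column values; $now is a Unix
// timestamp passed in instead of calling time() so the rule can be tested offline.
function segundosRestantes(int $tentativa, ?string $ultimaTentativa, int $now, bool $progressivo): int
{
    if ($tentativa === 0 || $ultimaTentativa === null) {
        return 0;
    }
    // PHP and MySQL must share a time zone, or strtotime() and NOW() drift apart.
    $ultima = strtotime($ultimaTentativa);
    if ($ultima === false) {
        return 0;
    }
    if ($progressivo) {
        // wait = 30 s * 2^(tentativa - 1), capped at BACKOFF_TETO
        $espera = min(BACKOFF_BASE * (2 ** ($tentativa - 1)), BACKOFF_TETO);
    } else {
        // block only once the 5th failure landed inside the last 10 minutes
        $espera = $tentativa >= MAX_TENTATIVAS ? JANELA_SEGUNDOS : 0;
    }
    return max(0, $ultima + $espera - $now);
}

// Records the outcome in the assumed table `usuarios`. On success the counter is reset,
// as proposed; on failure it restarts at 1 when the previous window has already expired,
// otherwise a single stale failure would keep the account blocked for another window.
function registrarTentativa(mysqli $mysqli, string $email, bool $sucesso): void
{
    if ($sucesso) {
        $sql = 'UPDATE usuarios SET tentativa = 0, ultima_tentativa = NULL WHERE email = ?';
    } else {
        $sql = 'UPDATE usuarios SET tentativa = IF(ultima_tentativa IS NULL OR '
             . 'ultima_tentativa < NOW() - INTERVAL ' . JANELA_SEGUNDOS . ' SECOND, 1, tentativa + 1), '
             . 'ultima_tentativa = NOW() WHERE email = ?';
    }
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->close();
}
```

Whichever policy is chosen, a counter kept only per account means repeated failures against a known e-mail address lock out its legitimate owner, so a per-IP limit or a CAPTCHA once the limit is hit is the usual complement.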
Take a look at the function checkbrute($user_id, $mysqli) here: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
– StillBuggin
@Eduardoalmeida if I understood correctly, it is a separate/different function from the idea I proposed in the question, right?
– celsomtrindade
Actually, no! The function is separate only for organization. What it does is check the details of the login attempts on the login page. It only counts attempts within a given range; everything else is determined by the login function, including inserting the failed attempts into the attempt log table.
– StillBuggin