Secure login system php

Viewed 809 times

I would like to know how you make a secure login system.

Because it is difficult to get information from the user who will try to log in:

Ex:

<?php
// "username" is a Windows environment variable; on a Linux server getenv() returns false here
echo getenv("username").'<br>';
echo getenv("REMOTE_ADDR").'<br>';                  // client IP as the server sees it
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']); // reverse DNS (PTR): slow, and set by whoever owns the IP
echo $hostname.'<br>';
// the User-Agent header is attacker-controlled, so escape it before echoing it into HTML
echo htmlspecialchars($_SERVER['HTTP_USER_AGENT'] ?? '', ENT_QUOTES, 'UTF-8');

How would I make a system that blocks after so many login attempts?

I'm not asking about the code itself, because usually when I do it, I save the IPs in the database and count the failed login attempts in the last 30 minutes; if there are more than 5, I redirect the page...

This is easy; the problem is when the person is on a network, because then it blocks access for everyone with the same IP.

I could tell them apart using the PC name and the user name, but that function does not work on my Linux server...

The User-Agent, however, is not reliable at all either, as the person can easily change it.

The host name (gethostbyaddr), on the other hand, I found interesting; it could be an extra check for a login system.

A session: if the guy closes his browser or deletes the session, it's gone.

A cookie, the same thing...

A captcha may be an extra, but it doesn't guarantee anything...

1 - Are there other functions that collect more user data?
2 - What is the best way to create a secure login system, preventing a person from trying to log in several times and generating errors?
3 - What do the main websites use to block malicious users who try to log in several times in a row?

  • If, along with the IP, you save the username of whoever tried to log in, doesn't that solve the problem of multiple users on the same network? Then you can have a separate check, with a higher limit of attempts, that only considers the IP.

  • Interesting, the way you put it; it would be an extra...

  • Interesting to think of it that way. How many attempts would you allow like that, and for how long? What if they try to sign in with more than one different user? What would you do? Imagine I block after every 10 wrong attempts in 30 minutes, but the guy tries other different users, so it wouldn't block... What to do in a situation like this?

  • You can create a more complex solution, such as storing a user ID in localStorage, since this is more persistent than cookies. But it is still easily circumvented. Overall, saving a user-associated IP in a lock table should be more than enough. If the user tries to use someone else's login you may think about blocking the IP altogether as a security measure. In general, if the user really wants to keep trying different logins he will manage, even if it means switching IPs.

  • I was testing Hotmail. I tried 20 times with 4 different e-mails, some of which didn't even exist. That's where I see a flaw in Hotmail, because they return that the email does not exist, so it is easy to find out whether a user exists. If the user exists, I think it gives about 10 login attempts. It blocks, but if you just remove the POST method it works normally. Obviously I tried a few times in about 30 seconds.

  • After more attempts it added a captcha, but as I said earlier, removing the POST method lets you type the user and password again... Another thing I noticed is that after typing the wrong password several times, it blocks on the first try even with a correct email...

No answers
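The question has no answer on the original page. The following is an added example written for this page, not code posted by the asker or any commenter. It implements what the question and the first comment describe together: failed attempts stored with both the IP and the username, a strict limit per username over a sliding 30-minute window (so one attacker behind a shared NAT address does not lock out everyone on that network), and a separate, higher limit per IP (so an attacker cycling through different usernames from one address still hits a ceiling). It also returns the same generic result whether the user is missing, the password is wrong, or the account is throttled, which avoids the user-enumeration behaviour the Hotmail comment describes. Assumptions: PHP 8 with PDO and SQLite, table names "users" and "login_attempts" chosen here, and illustrative limits (5 per username, 50 per IP); the demo data at the bottom is constructed.

```php
<?php
// Added example, not code from the question or the comments. Assumes PHP 8,
// PDO with SQLite (any PDO driver works), and our own table names
// "users" and "login_attempts". Limits and window are illustrative.
declare(strict_types=1);

// Hash used to keep password_verify() running (and its timing) when the user does not exist.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

final class LoginThrottle
{
    // Strict limit per username, looser limit per IP: a shared address is not
    // locked out by one bad actor, but rotating usernames from one IP still caps out.
    private const WINDOW_SECONDS   = 30 * 60;
    private const MAX_PER_USERNAME = 5;
    private const MAX_PER_IP       = 50;

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
            ip TEXT NOT NULL, username TEXT NOT NULL, at INTEGER NOT NULL)');
    }

    /** True if this (ip, username) pair must be refused before even checking the password. */
    public function isBlocked(string $ip, string $username): bool
    {
        $since = time() - self::WINDOW_SECONDS;
        return $this->failuresSince('username', strtolower($username), $since) >= self::MAX_PER_USERNAME
            || $this->failuresSince('ip', $ip, $since) >= self::MAX_PER_IP;
    }

    public function recordFailure(string $ip, string $username): void
    {
        // Prune rows outside the window so the table does not grow forever.
        $this->db->prepare('DELETE FROM login_attempts WHERE at < :since')
                 ->execute([':since' => time() - self::WINDOW_SECONDS]);
        $this->db->prepare('INSERT INTO login_attempts (ip, username, at) VALUES (:ip, :u, :at)')
                 ->execute([':ip' => $ip, ':u' => strtolower($username), ':at' => time()]);
    }

    public function clearUser(string $username): void
    {
        $this->db->prepare('DELETE FROM login_attempts WHERE username = :u')
                 ->execute([':u' => strtolower($username)]);
    }

    private function failuresSince(string $column, string $value, int $since): int
    {
        // $column is one of two literals chosen by our own code above, never user input.
        $stmt = $this->db->prepare(
            "SELECT COUNT(*) FROM login_attempts WHERE $column = :v AND at >= :since");
        $stmt->execute([':v' => $value, ':since' => $since]);
        return (int) $stmt->fetchColumn();
    }
}

// Returns true on success. Every failure path returns the same false, so the caller
// shows one generic message and never reveals whether the account exists or is locked.
function attemptLogin(PDO $db, LoginThrottle $throttle, string $ip, string $username, string $password): bool
{
    if ($throttle->isBlocked($ip, $username)) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => strtolower($username)]);
    $hash = $stmt->fetchColumn();            // false when there is no such user

    // Always run password_verify() so response time does not depend on user existence.
    $ok = password_verify($password, $hash === false ? DUMMY_HASH : (string) $hash) && $hash !== false;
    if ($ok) {
        $throttle->clearUser($username);     // a real login resets that user's counter
    } else {
        $throttle->recordFailure($ip, $username);
    }
    return $ok;
}

// ---- demo with an in-memory database and constructed data ----
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (:u, :h)')
   ->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$throttle = new LoginThrottle($db);

$ip = '203.0.113.7';                         // documentation address, i.e. constructed
for ($i = 1; $i <= 5; $i++) {
    attemptLogin($db, $throttle, $ip, 'alice', "guess$i");     // five failures for alice
}
var_dump(attemptLogin($db, $throttle, $ip, 'alice', 'correct horse')); // bool(false): alice is locked for 30 min
var_dump(attemptLogin($db, $throttle, $ip, 'ghost', 'anything'));      // bool(false): same answer for a missing user
var_dump($throttle->isBlocked($ip, 'bob'));                            // bool(false): same IP, other users still allowed
```

The per-username counter answers the "same network" problem and the per-IP counter answers the "tries other different users" follow-up; a captcha or exponential delay can be layered on top of either counter, but as the comments note, a determined attacker switching IPs and usernames can only be slowed, not stopped, by client-side signals such as cookies, localStorage or the User-Agent.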
