Lock User Accounts
Hi all,
All right, here's what I am trying to achieve but have no idea how to do it:
My site requires users to login and every page is password protected. As part of preventing hacking (to a small extent, though) I am trying to TEMPORARILY disable the user's account after they have made 5 consecutive invalid login attempts. After 10 consecutive attempts, their account is PERMANENTLY disabled and the only way to reactivate the account is by emailing me (or the admin).
I have been able to get the temporary disabling part done, but have no clue how the account can be permanently locked. Could someone help me figure this out?
Thanks!
You would have to test it out, but it seems like you need to track 3 things:
1) the number of consecutive bad logins
2) the date and time of the last bad login
3) a boolean flag indicating whether the user is permanently locked out
When a user attempts to log in, you could retrieve those three fields for the supplied user name:
1. If the user does not exist, display an error and abort.
2. Next, check if they are permanently locked out. If yes, display an error and abort.
3. Check the current time against the date of temporary lockout. If the date is not null and within 20 minutes, display an error and abort.
If they pass those checks, verify their login information:
1. if the password is valid, reset the bad login information
a) reset bad login count = 0
b) reset last bad login date = NULL
2. Otherwise, update the bad login information
a) increment the bad login count
b) if new login count is = 4, display a message that the next attempt will lock them out for 20 minutes. Suggest they use your application's "Forgot your password" option.
c) if new login count is = 5, update the temporary lockout date and time.
Display a message that they are locked out for 20 minutes.
d) if the login count >= 10, set the permanent lockout flag to true
HTH
without coding the sql this is a thought process only
create a table in the database temp_bans.
with columns for username logintimestamp failurecount banned
on login {
    if temp_bans.username AND banned AND timestamp+20minutes > timenow die( you are banned until ($timestamp+20minutes))
    if login fail {
        if not temp_bans.username { create temp_bans.username }
        update temp_bans.username increment failurecount timestamp
        if failurecount=5 {update temp_bans.username (banned=yes failurecount=0)}
    }
    if login succeeds {delete temp_bans.username}
}
with a little thought this is only a single sql query, not up to thought at the moment
Last edited by almostbob; Feb 13th, 2009 at 2:03 pm.
Failure is not an option It's included free
If at first you dont succeed, join the club
Of course its always in the last place you look, you dont keep looking after you find it
Please mark solved problems, solved
I just got back to this site and am implementing the login feature again. There is something I am not doing correctly. After 5 unsuccessful login attempts, a trigger in the DB flips the AccountStatus bit from 1 (Active Account) to 0 (Suspended Acct). However, the next time I try to login using the correct password, I keep getting redirected to the FailedLogin.cfm script.
Below is the code. When I get rid of the <cfswitch><cfcase> lines, it seems to work fine. Anyone able to figure out what's wrong?
Coldfusion Syntax:
<cfif IsDefined(HTMLEditFormat("FORM.j_username"))>
    <cfset MM_redirectLoginSuccess="RedirectLogin.cfm">
    <cfset MM_redirectLoginFailed="FailedLogin.cfm">
    <cfquery name="MM_rsUser" datasource="#request.dsn#">
        SELECT Username, Password, FirstName, UserType, InvalidLoginAttempts, AccountStatus
        FROM dbo.tblLoginData
        WHERE Username = <cfqueryparam value="#HTMLEditFormat(FORM.j_username)#" cfsqltype="cf_sql_varchar">
          AND Password = <cfqueryparam value="#Hash(FORM.j_password, "SHA-256")#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <!--- If user SUCCESSFULLY LOGGED IN, reset previous Invalid Attempts count to ZERO --->
    <cfif MM_rsUser.RecordCount NEQ 0>
        <cfswitch expression="#MM_rsUser.AccountStatus#">
            <cfcase value="1">
                <cftry>
                    <cflock scope="Session" timeout="30" type="Exclusive">
                        <cfset Session.MM_Username=HTMLEditFormat(FORM.j_username)>
                        <cfset Session.MM_FirstName = MM_rsUser.FirstName>
                        <cfset Session.MM_UserAuthorization=MM_rsUser.UserType[1]>
                        <cfquery name="resetInvalidAttemptsCount" datasource="#request.dsn#">
                            UPDATE tblLoginData
                            SET InvalidLoginAttempts = 0, AccountStatus = 1, LastLoginTime = #Now()#
                            WHERE Username = '#HTMLEditFormat(FORM.j_username)#'
                        </cfquery>
                    </cflock>
                    <cfif IsDefined("URL.accessdenied") AND false>
                        <cfset MM_redirectLoginSuccess=URL.accessdenied>
                    </cfif>
                    <cflocation url="#MM_redirectLoginSuccess#" addtoken="no">
                    <cfcatch type="Lock">
                        <!--- code for handling timeout of cflock --->
                    </cfcatch>
                </cftry>
            </cfcase>
            <cfcase value="0">
                <div id="error">Account Disabled</div>
            </cfcase>
        </cfswitch>
    <cfelse>
        <!--- If UNSUCCESSFUL LOGIN ATTEMPT was made, increment Invalid Attempts count by 1 --->
        <cfquery name="updateInvalidAttemptsCount" datasource="#request.dsn#">
            UPDATE tblLoginData
            SET InvalidLoginAttempts = InvalidLoginAttempts + 1, LastInvalidLoginTime = #Now()#
            WHERE Username = '#HTMLEditFormat(FORM.j_username)#'
        </cfquery>
    </cfif>
    <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
<cfelse>
    <cfset MM_LoginAction=CGI.SCRIPT_NAME>
    <cfif CGI.QUERY_STRING NEQ "">
        <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
    </cfif>
</cfif>
I keep getting redirected to the FailedLogin.cfm script.
<cfif IsDefined(HTMLEditFormat("FORM.j_username"))>
    <cfif MM_rsUser.RecordCount NEQ 0>
        .....
    <cfelse>
        .....
    </cfif>
    <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
<cfelse>
    ....
</cfif>
Well ...look at your code. That is exactly what you're telling CF to do ... always redirect to login failed.
Did you actually test this code? Because it doesn't look right ...
Last edited by arrgh; Sep 16th, 2009 at 4:59 pm.
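The lockout procedure laid out above (warn at 4, temporary lock at 5, permanent at 10, 20-minute window, checks before the password compare) and the temp_bans sketch describe the same state machine; here it is as an added, runnable example that is not code from the thread. It uses an in-memory dict in place of the login table, an injected clock so the 20-minute expiry can be exercised, and a time-based temporary lock rather than a stored flag, which is what avoids the "correct password still fails" symptom reported later in the thread. The user name, hash values and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WARN_AT, TEMP_LOCK_AT, PERM_LOCK_AT = 4, 5, 10   # thresholds as stated in the thread
TEMP_LOCK_WINDOW = timedelta(minutes=20)


@dataclass
class User:
    """In-memory stand-in (constructed for this example) for one login-table row."""
    password_hash: str                          # stored credential to compare against
    bad_logins: int = 0                         # consecutive failures
    temp_locked_at: Optional[datetime] = None   # set when the 5th failure happens
    permanently_locked: bool = False


def attempt_login(users: dict, username: str, supplied_hash: str, now: datetime) -> str:
    """Return a status the caller maps to a page. Both lock checks run BEFORE the
    password is compared, so a locked account answers the same way regardless of
    whether the supplied password is right, and those attempts are not counted."""
    user = users.get(username)
    if user is None:
        return "invalid"                                     # step 1: unknown user
    if user.permanently_locked:
        return "locked-permanent"                            # step 2: flag wins
    if user.temp_locked_at is not None and now - user.temp_locked_at < TEMP_LOCK_WINDOW:
        return "locked-temporary"                            # step 3: still inside window
    if supplied_hash == user.password_hash:
        user.bad_logins, user.temp_locked_at = 0, None       # success clears everything
        return "ok"
    user.bad_logins += 1                                     # failure: record it
    if user.bad_logins >= PERM_LOCK_AT:
        user.permanently_locked = True                       # only an admin clears this
        return "locked-permanent"
    if user.bad_logins == TEMP_LOCK_AT:
        user.temp_locked_at = now                            # lock expires by time, not by flag
        return "locked-temporary"
    if user.bad_logins == WARN_AT:
        return "invalid-warn"                                # "next attempt locks you out"
    return "invalid"


def scripted_run(password_hash: str, attempts) -> list:
    """Drive one constructed user through (minute_offset, supplied_hash) pairs and
    return the status of every attempt; the clock is injected so results are exact."""
    users = {"alice": User(password_hash=password_hash)}
    start = datetime(2009, 2, 13, 14, 0)
    return [attempt_login(users, "alice", h, start + timedelta(minutes=m)) for m, h in attempts]
```

The permanent flag trades availability for protection: ten wrong guesses against a known user name leave its owner unable to log in until an admin intervenes, which is the cost the thread's design accepts.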