OK first things first...

Cleanse ALL DATA before being submitted.

You can do this with functions to make sure the usernames are X amount of characaters and numeric or non numeric.

Next. What database is this?

No matter which what you want to do is this:

Create a temp table.

When a session is created meanign a vistor attmepts to login.. grap the IP of the system connecting.. and take timestamp and insert into session table.

Now on each refresh of the page or opening of the page you want to do a select * from sessions where ip="thatip";

If non exists then insert.

if it exists then you want to subtract now() from the timestamp.

if the user has exceeded 15 minutes then create a new record and force new login.

This will also prrotect inactive users inside the memember area.

Next... As far as blocking brute force attacks.. first we need to establish how this system is setup..

should ANYONE from the internet even be allowed to connecT?
if not then simple firewall will do...

If so.. then pop 3 entries into the table... on 4th entry where ip same.. deny access .

Just to a redirect to some access denied page.

I am not sure of your coding skills but these are simple GET and POST methods combined with the proper if statements.

I hope my advice has helped.

That helps, I might need help with the SQL server if exists and temporary tables, but one thing i don't quite understand still is how to temporarily block someone. I don't want to permenatly deny access, just deny it for an hour or two, how do you do that? o and after each failed attempt i want them to have to wait 15 seconds before they can try again, and then 30 and then 45 and so on.

You dont want to block the IP address.

Because in an institution,More like an university or work office,there will be only one single ip address passing out.

Internally there will be many IP address but when your application scans for IP ADDRESS,You'll get the main IP ADDRESS of the network and if you block that IP address then the whole network cannot use your application.

In order to make the application wait for a particular time interval,
You can put the thread to sleep.

Write some IF..THEN..ELSE statements and then put in this code based on various login trials.

Thread.Sleep(10000)

The above code puts the thread to wait for 10 seconds without proceeding.

But this runs at the server.

People say its an ineffective way of coding but who cares, If you are happy and theusers are happy ,go ahead.

Hope it helps

Easy solution for the temp block is on connect do a reverse lookup on the host.

Like the object her eis everytime someon connects your are either..

Destroying Session, Creating a New one, or Denying access

So just match a timestamp up + your interval < whatever

I personally think they only way to block this is to do it by ip but if people feel this is not the way to go then you can do it by userid.

But again this does not stop the attack. Tehy can keep changined ids.

Did you use in the first line

Imports System.Threading

hi
i want to implement the same thing block user after 15 minutes can u please post the code that u implemented it wil help alot please