
sleep function

Hello all!

I wanted to ask everyone what they thought about the sleep function in PHP. I do believe I'm going to use it for my website, but I'm really unsure how to implement it. I wanted to use it on the login page. I googled this until I'm blue in the face and can't get anywhere. Does anyone know of a good site that shows lots of examples? Or can someone show me where to put it in a login code?

Thanks bunches!
~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

I've never used the sleep function. I think its usefulness is limited to very few things. Can you be more specific about what you are going to use it for?

R0bb0b
Posting Shark
998 posts since Jun 2008
Reputation Points: 358
Solved Threads: 89
 

Like I said, I want to use it for the LogIn page, so if hackers want to try to use 50 billion passwords to find the right username, or vice versa, it may take them longer than they want to wait.

Since you don't use the sleep function, I'm curious to know what you use for security. I've heard both good and bad things about the sleep function. I don't think it will hurt to use it and any additional security to try to prevent the wrong ones from entering.

~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

I limit the number of failed attempts for that user, then lock the account, then unlock it after an hour once the activity stops or at password reset, which ever comes first.

R0bb0b
Posting Shark
998 posts since Jun 2008
Reputation Points: 358
Solved Threads: 89
 

Hmmm...that sounds like a good idea. But what about if a hacker has a password and then does nothing but try to figure out what the username is. How do you prevent those attacks?

~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

WOW, you are thorough. Guess I never really considered that. I'm still not convinced that it is the best way to handle it, since it would affect the other legitimate users as well. But if you want to, I think it should be right before the database connection.

R0bb0b
Posting Shark
998 posts since Jun 2008
Reputation Points: 358
Solved Threads: 89
 

Yes, but I think if it were only delayed a few seconds I don't think that most users would have a major problem with it.

I guess it could be possible to do both? Limit the # of attempts as well as using the sleep function?

~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

Once again, hackers might keep trying the passwords, but you might want to try an approach of blocking IPs. 5 attempts at an IP with an incorrect password, record the IP in a table, and pull back from the table when users are accessing the login page. If they match an IP in the table, disable the ability to log in, or along those lines. Yes, they can spoof the IPs, but it is a viable solution.

dickersonka
Veteran Poster
1,175 posts since Aug 2008
Reputation Points: 130
Solved Threads: 143
 

That sounds like a pretty good idea...of course they could go to any computer, but it would make it harder for them.

I am not sure exactly how to write all that PHP code. Can you point me in the right direction, a website perhaps, that discusses this?

I really appreciate it :)

~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

Here's a link of how to get the ip address
http://www.plus2net.com/php_tutorial/php_ip.php

Then just set up table along the lines of

BLOCKED_IP
FAILED_LOGIN_ATTEMPTS
LAST_FAILED_TIME

When the user accesses the page, check the IP against BLOCKED_IP. If it matches, then check LAST_FAILED_TIME and FAILED_LOGIN_ATTEMPTS: if it is greater than 30 min and whatever value for FAILED_LOGIN_ATTEMPTS you choose, then display the login page; otherwise display the access denied page and increment FAILED_LOGIN_ATTEMPTS. If you allow access, delete the row for that IP. If the user types in a bad password, insert or increment FAILED_LOGIN_ATTEMPTS.

You might want to go about it a little different of a way, but there is a good start.

Thanks

dickersonka
Veteran Poster
1,175 posts since Aug 2008
Reputation Points: 130
Solved Threads: 143
 
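The three ideas in this thread so far, R0bb0b's per-account lock (lock after a number of failures, unlock after an hour or on a successful login), Amy's sleep on a failed attempt, and dickersonka's BLOCKED_IP / FAILED_LOGIN_ATTEMPTS / LAST_FAILED_TIME table, fit into one login handler. The code below is an added example, not code from any of the posters; it keeps the data in an in-memory SQLite database so it runs stand-alone, and the `users` table, its column names and the sample account are assumptions made for the demo.

```php
<?php
// Added example (not from the thread): per-account lockout, per-IP failure table and a
// sleep() on failure, combined in one login handler. Table/column names other than the
// three dickersonka named are assumed; the data is an in-memory SQLite database.
declare(strict_types=1);

const MAX_USER_FAILS  = 5;     // lock the account after this many bad passwords
const USER_LOCK_SECS  = 3600;  // ... for an hour
const MAX_IP_FAILS    = 5;     // refuse the login page to an address after this many failures
const IP_BLOCK_SECS   = 1800;  // ... within a 30-minute window, as in the thread
const FAIL_DELAY_SECS = 2;     // sleep() before answering a failed attempt

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL,
                failed_attempts INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE blocked_ip (blocked_ip TEXT PRIMARY KEY,
                failed_login_attempts INTEGER NOT NULL DEFAULT 0, last_failed_time INTEGER NOT NULL)');
    // Constructed sample account; only the password_hash() output is stored, never the password.
    $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)')
       ->execute(['amy', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// "If it matches then check LAST_FAILED_TIME and FAILED_LOGIN_ATTEMPTS ..."
function ip_is_blocked(PDO $db, string $ip, int $now): bool {
    $st = $db->prepare('SELECT failed_login_attempts, last_failed_time FROM blocked_ip WHERE blocked_ip = ?');
    $st->execute([$ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if ($now - (int)$row['last_failed_time'] > IP_BLOCK_SECS) {
        $db->prepare('DELETE FROM blocked_ip WHERE blocked_ip = ?')->execute([$ip]); // window expired
        return false;
    }
    return (int)$row['failed_login_attempts'] >= MAX_IP_FAILS;
}

// "If the user types in a bad password insert or increment FAILED_LOGIN_ATTEMPTS."
function record_ip_failure(PDO $db, string $ip, int $now): void {
    $up = $db->prepare('UPDATE blocked_ip SET failed_login_attempts = failed_login_attempts + 1,
                        last_failed_time = ? WHERE blocked_ip = ?');
    $up->execute([$now, $ip]);
    if ($up->rowCount() === 0) {
        $db->prepare('INSERT INTO blocked_ip (blocked_ip, failed_login_attempts, last_failed_time)
                      VALUES (?, 1, ?)')->execute([$ip, $now]);
    }
}

// Returns 'ok', 'ip_blocked', 'locked' or 'denied'. $delay = false skips the sleep for the demo.
function attempt_login(PDO $db, string $username, string $password, string $ip, int $now, bool $delay = true): string {
    if (ip_is_blocked($db, $ip, $now)) {
        return 'ip_blocked';               // serve the access-denied page; do not even check the password
    }
    $st = $db->prepare('SELECT pwhash, failed_attempts, locked_until FROM users WHERE username = ?');
    $st->execute([$username]);
    $user = $st->fetch(PDO::FETCH_ASSOC);

    if ($user !== false && (int)$user['locked_until'] > $now) {
        record_ip_failure($db, $ip, $now);
        return 'locked';                   // right password or not, the account is closed for now
    }
    // Verify against a throw-away hash when the name is unknown, so an unknown name and a
    // wrong password cost the same time and the response does not reveal which names exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $user === false ? $dummy : $user['pwhash']) && $user !== false;

    if ($ok) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE username = ?')->execute([$username]);
        $db->prepare('DELETE FROM blocked_ip WHERE blocked_ip = ?')->execute([$ip]); // "if you allow access, delete the row"
        return 'ok';
    }
    record_ip_failure($db, $ip, $now);
    if ($user !== false) {
        $fails = (int)$user['failed_attempts'] + 1;
        $lockedUntil = $fails >= MAX_USER_FAILS ? $now + USER_LOCK_SECS : 0;
        $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE username = ?')
           ->execute([$fails, $lockedUntil, $username]);
    }
    if ($delay) {
        sleep(FAIL_DELAY_SECS);            // the sleep() from the first post: after the check, before the answer
    }
    return 'denied';
}

// Demo: five bad passwords from one address, then the right one from that address and from another.
$db  = open_db();
$now = time();
for ($i = 1; $i <= 6; $i++) {
    printf("attempt %d from 203.0.113.9: %s\n", $i, attempt_login($db, 'amy', 'wrong', '203.0.113.9', $now, false));
}
printf("right password, same address:  %s\n", attempt_login($db, 'amy', 'correct horse', '203.0.113.9', $now, false));
printf("right password, other address: %s\n", attempt_login($db, 'amy', 'correct horse', '198.51.100.7', $now, false));
printf("other address, an hour later:  %s\n", attempt_login($db, 'amy', 'correct horse', '198.51.100.7', $now + USER_LOCK_SECS + 1, false));
```

Run with `php` on the command line: the first five attempts come back `denied`, the sixth `ip_blocked` (the address is refused before any password check), the right password from the same address is still `ip_blocked`, from a fresh address it is `locked` because the account itself was closed by the fifth failure, and an hour later it is `ok`, which also clears both counters. Two caveats a practitioner should weigh. The sleep only costs the attacker time per connection: a script that opens many connections in parallel is slowed very little, while every sleeping request holds a PHP worker, so a large delay is itself a way for an attacker to tie up your server. And a lockout keyed on the account lets anyone lock out a user they dislike by sending five wrong passwords, which is why the example keeps the per-address counter separate from the per-account one.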

Awesome...thanks bunches!
~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

One more thing, just in case they are behind a proxy, this might be better for getting the ip.

http://roshanbh.com.np/2007/12/getting-real-ip-address-in-php.html

dickersonka
Veteran Poster
1,175 posts since Aug 2008
Reputation Points: 130
Solved Threads: 143
 

I'm trying to locate my php.ini file so I can see if register_globals is off. If it is on, is it enough to just use the $ip=@$REMOTE_ADDR; or am I still going to have to use the code if they are behind a proxy?

I'm trying to get a feel for how all of this works :)
~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

Here is a related thread: http://www.daniweb.com/forums/thread82966.html

digital-ether
Nearly a Posting Virtuoso
Moderator
1,293 posts since Sep 2005
Reputation Points: 461
Solved Threads: 101
 

The problem will be that if your users are behind the proxy, you will be blocking all of them from the same ip address without using the additional code.
If they aren't behind the proxy REMOTE_ADDR will work, otherwise you will be blocking the whole proxy for a client address inside of that proxy.

dickersonka
Veteran Poster
1,175 posts since Aug 2008
Reputation Points: 130
Solved Threads: 143
 

Okay, so regardless if I use the $ip=@$REMOTE_ADDR; or the $ip=$_SERVER['REMOTE_ADDR']; I should still use something to check to see if they are behind the proxy, is that right?
~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

Yes, do the other checks first like the link showed and if they ARE EMPTY, then rely upon the REMOTE_ADDR.

dickersonka
Veteran Poster
1,175 posts since Aug 2008
Reputation Points: 130
Solved Threads: 143
 
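A caveat on reading the client address from forwarded headers, which the thread does not spell out: X-Forwarded-For, X-Real-IP and similar values are just request headers, so any client can send whatever it likes in them. If the block list is keyed on a header that is accepted from everyone, an automated attacker sends a different value on every request and never trips the counter, and can also fill the table with a victim's address to lock that user out. The only hop whose address you actually know is REMOTE_ADDR, the peer that opened the TCP connection, so a forwarded header should be consulted only when that peer is one of your own proxies. The code below is an added example, not from any of the posters, and the proxy addresses in `TRUSTED_PROXIES` are an assumption standing in for whatever sits in front of your server.

```php
<?php
// Added example (not from the thread): pick the client address for a block list,
// trusting X-Forwarded-For only when the direct peer is one of our own proxies.
declare(strict_types=1);

// Assumed: the reverse proxies / load balancers that sit in front of this application.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        // Direct connection, or an unknown proxy: any forwarded header is attacker-controlled.
        return $peer;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    // X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the peer it saw.
    // Walk from the right, skipping our own proxies; the first address that is not ours is
    // what the outermost trusted proxy saw, and anything to its left was sent by the client.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // A hop that is not a valid IP literal is garbage from the client: fall back to the peer.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
    }
    return $peer;
}

// Constructed request environments (what $_SERVER would hold) for the three cases.
$direct   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'];
$twoHops  = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.6'];

printf("direct connection, forged header: %s\n", client_ip($direct));
printf("through one proxy, forged prefix:  %s\n", client_ip($viaProxy));
printf("through two of our proxies:        %s\n", client_ip($twoHops));
// In a real request handler: $ip = client_ip($_SERVER);
```

All three cases resolve to 203.0.113.9: the forged `198.51.100.1` is ignored in the first case because the connection did not come through a trusted proxy, and in the second because the proxy appended the real peer after it. Compared with the "use the header if it is non-empty, else REMOTE_ADDR" order suggested above, this version never lets a direct client choose its own address, which is the property the block list depends on.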

It's good to be thorough ... I was thinking "Why just test failed passwords", why not limit failed login attempts in general.

Also, any respectable hacker will use an automated script to do a brute force attack (like what you're worried about), and maybe an onion router to hide their IP address.

Cookie values aren't safe either ... hmmn?

What do you folks think...would this be a good method to protect from multiple login attempts?

The only thing I see possibly wrong with it, is if multiple users have the same username or the same password as other users. Plus this requires NOT using the forward-slash '/' or back-slash '\' characters in the username and password.

<?php

// CONFIGURATION VALUES -- register_globals must be OFF
$max_attempts = 5;   // no more than this many login attempts
$time_seconds = 300; // within this time-frame, in seconds
$temp_path = 'temp'; // no trailing forward-slash '/'

login_attempt();

function login_attempt () {
  global $max_attempts, $time_seconds, $temp_path;
  if ( !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
    $username = trim( $_REQUEST['username'] );
    $password = trim( $_REQUEST['password'] );
    // forbidden username or password characters: / \
    // (both are stripped so neither value can escape $temp_path when used as a file name)
    $user = preg_replace( '#[/\\\\]#', '', stripslashes( $username ) );
    $pass = preg_replace( '#[/\\\\]#', '', stripslashes( $password ) );
    $tpath = make_directory( $temp_path );
    // NOTE: the user name and the password itself become part of these file names,
    // so $temp_path must not be readable by other users or served by the web server.
    $user_temp = $tpath."UN_$user.tmp";
    $pass_temp = $tpath."PW_$pass.tmp";
    $allow_user = test_attempts( $user_temp, $max_attempts, $time_seconds );
    $allow_pass = test_attempts( $pass_temp, $max_attempts, $time_seconds );
    if ( $allow_user && $allow_pass ) {
      print 'PROCEED';
      // We're okay to process the username and password for login ...
      // get database username and password, and compare Md5( $pass )
    } else {
      // do something more elegant here
      die( "Too many login attempts under that user name or password. Please wait a bit." );
    }
    // clean up attempt files older than the time window (needs $tpath, so it lives in this branch)
    handle_garbage( $tpath, $time_seconds, 'tmp' );
  } else {
    // do something more elegant here
    die( "Please enter your user name and password" );
  }
}

// One timestamp per line in $file; keep those younger than $life seconds,
// add this attempt if fewer than $max remain, and report whether it is allowed.
function test_attempts ( $file, $max, $life ) {
  $allow = FALSE;
  $record = array();
  if ( is_file( $file ) ) {
    $count = 0;
    $now = time();
    $attempts = file( $file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    foreach ( $attempts as $attempt ) {
      $time = (int) trim( $attempt );
      if ( $now - $time < $life ) {
        $record[] = $time;
        $count ++;
      }
    }
    if ( $count < $max ) {
      $record[] = $now;
      $allow = TRUE;
    }
    file_put_contents( $file, implode( "\n", $record ) );
  } else {
    file_put_contents( $file, time() );
    $allow = TRUE;
  }
  return $allow;
}

// Make sure the temp directory exists; returns its path with a trailing slash,
// or './' if it could not be created.
function make_directory ( $path ) {
  $exists = is_dir( $path );
  if ( !$exists ) {
    $exists = mkdir( $path, 0700, TRUE ); // owner-only: the file names carry credentials
  }
  return ( $exists ) ? rtrim( $path, '/' ).'/' : './';
}

// Delete *.$ext files in $path that have not been touched for $life seconds.
function handle_garbage ( $path, $life, $ext ) {
  //$life => minimum lifetime for temp files in seconds
  if ( $dir = opendir( $path ) ) {
    while ( ( $file = readdir( $dir ) ) !== FALSE ) {
      $file = $path.$file;
      if ( is_file( $file ) && substr( $file, -strlen( ".$ext" ) ) === ".$ext" ) {
        if ( time() > ( filemtime( $file ) + $life ) ) {
          @unlink( $file );
        }
      }
    }
    closedir( $dir );
  }
}
?>


Cheers

langsor
Posting Whiz
390 posts since Aug 2008
Reputation Points: 30
Solved Threads: 36
 

Okay, so if I block the IP addresses, it's possible the hacker will have an onion router so I can't see their IP address.

If I use something to shut down the user themselves and not let them get into their account after so many wrong attempts, I may have a lot of users try to get in touch with me with complaints.

I'm understanding that there are even problems with the sleep function.

If we use all these functions at once, are we really any safer? Can we win?

~Amy

designingamy
Junior Poster in Training
96 posts since Aug 2008
Reputation Points: 10
Solved Threads: 0
 

It is a constant battle to keep up with security and hackers or what not.

The only thing you can do is try and stay ahead of the game.
Make users have secure passwords; if users are complaining, make them do a captcha with email address or something along those lines. Make sure your database is secure, as far as accessibility from external IPs and users. Make sure you don't directly take user input and try to issue a database command with it. Although it may take a little more time to implement and code these strategies, it will deter many hacking attempts to begin with.

dickersonka
Veteran Poster
1,175 posts since Aug 2008
Reputation Points: 130
Solved Threads: 143
 
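The last point above, not issuing a database command built directly from user input, matters most on the login page itself, because the login query is the one every attacker gets to send. The added example below (not code from the thread) shows the lookup written both ways against a constructed in-memory SQLite table: the first pastes the user name into the SQL string, the second sends it as a bound parameter so it can only ever be data. The attacker's input is constructed for the demo.

```php
<?php
// Added example (not from the thread): the login lookup with the user name pasted into
// the SQL, beside the prepared-statement version. In-memory SQLite, constructed account.
declare(strict_types=1);

function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['amy', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: $username is interpolated into the statement. Hashing the password does
// not help, because the attacker can make the query return a row with a hash they chose.
function login_unsafe(PDO $db, string $username, string $password): bool {
    $sql = "SELECT username, pwhash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pwhash']);
}

// SAFE: the statement is parsed first, the value is supplied separately and can never
// change the shape of the query, whatever characters it contains.
function login_safe(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT username, pwhash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pwhash']);
}

$db = demo_db();

// Constructed attacker input: the "user name" closes the quoted literal, UNIONs in a row
// whose hash the attacker generated for the password "letmein", and comments out the rest.
$attackerHash = password_hash('letmein', PASSWORD_DEFAULT);
$evilName     = "' UNION SELECT 'amy', '$attackerHash' --";

var_dump(login_unsafe($db, $evilName, 'letmein'));    // attacker never knew amy's password
var_dump(login_safe($db, $evilName, 'letmein'));      // the same input, bound as a parameter
var_dump(login_safe($db, 'amy', 'correct horse'));    // the legitimate login still works
```

The unsafe lookup returns `true` for the attacker: the interpolated string becomes `... WHERE username = '' UNION SELECT 'amy', '<hash>' --'`, so the only row that comes back is the one the attacker supplied, and `password_verify` happily matches it. The prepared version returns `false` for the same input, since there is no account literally named `' UNION SELECT ...`, and `true` only for the real credentials. The same `?` placeholders are what the IP and lockout counters in the earlier example rely on, so the block list cannot itself become an injection point.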
