I have my login page and it works, but there's no security to it. I haven't been able to find much out there except for a few articles where they just talk about how to secure your login page. There are a couple of things I would like to do, but I am new to .NET and don't know how. First, after each failed attempt add 15 seconds of pause time before the page executes again, so after the second failed attempt the page waits 30 seconds. Then I want to keep track of how many times each unknown user tries to log in and then after 3 failed attempts temporarily ban the user. Then I'd also like to try to secure the data when it's submitted.

OK first things first...

Cleanse ALL DATA before being submitted.

You can do this with functions to make sure the usernames are X amount of characters and numeric or non-numeric.

Next. What database is this?

No matter which, what you want to do is this:

Create a temp table.

When a session is created, meaning a visitor attempts to login, grab the IP of the system connecting, take a timestamp and insert them into the session table.

Now on each refresh of the page or opening of the page you want to do a select * from sessions where ip="thatip";

If none exists then insert.

If it exists then you want to subtract now() from the timestamp.

If the user has exceeded 15 minutes then create a new record and force a new login.

This will also protect inactive users inside the member area.

Next... As far as blocking brute force attacks, first we need to establish how this system is set up.

Should ANYONE from the internet even be allowed to connect?
If not then a simple firewall will do...

If so, then pop 3 entries into the table; on the 4th entry where the IP is the same, deny access.

Just do a redirect to some access denied page.

I am not sure of your coding skills but these are simple GET and POST methods combined with the proper if statements.

I hope my advice has helped.

That helps. I might need help with the SQL Server "if exists" and temporary tables, but one thing I don't quite understand still is how to temporarily block someone. I don't want to permanently deny access, just deny it for an hour or two; how do you do that? Oh, and after each failed attempt I want them to have to wait 15 seconds before they can try again, and then 30 and then 45 and so on.

You don't want to block the IP address.

Because in an institution, more like a university or work office, there will be only one single IP address passing out.

Internally there will be many IP addresses, but when your application scans for the IP address you'll get the main IP address of the network, and if you block that IP address then the whole network cannot use your application.

In order to make the application wait for a particular time interval,
You can put the thread to sleep.

Write some IF..THEN..ELSE statements and then put in this code based on various login trials.

Thread.Sleep(10000)

The above code puts the thread to wait for 10 seconds without proceeding.

But this runs at the server.

People say it's an ineffective way of coding, but who cares? If you are happy and the users are happy, go ahead.

Hope it helps.

An easy solution for the temp block is, on connect, do a reverse lookup on the host.

Like the object here is: every time someone connects you are either...

Destroying Session, Creating a New one, or Denying access

So just match a timestamp up: timestamp + your interval < whatever.

I personally think the only way to block this is to do it by IP, but if people feel this is not the way to go then you can do it by user ID.

But again this does not stop the attack. They can keep changing IDs.
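An in-memory version of the scheme the replies above sketch (a progressive 15 second wait per failed attempt, a temporary ban after three failures, keyed by client IP or username), added here as an example and not code posted by anyone in this thread. The class name, the 2 hour ban length and the choice of storing a "next allowed" time and refusing early retries instead of calling Thread.Sleep on the server are assumptions.

```csharp
// Added example, not the thread's own code: in-memory login throttle with a
// progressive 15 s delay per failure and a temporary ban after 3 failures.
using System;
using System.Collections.Generic;

public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTime NextAllowedUtc, BannedUntilUtc; }

    private readonly Dictionary<string, Entry> _entries = new Dictionary<string, Entry>();
    private readonly object _lock = new object();
    private static readonly TimeSpan StepDelay = TimeSpan.FromSeconds(15); // 15 s, 30 s, 45 s ...
    private const int MaxFailures = 3;                                     // ban on the 4th attempt
    private static readonly TimeSpan BanDuration = TimeSpan.FromHours(2);  // temporary, not permanent

    // Call before checking the password. Returns the time the caller must still wait;
    // TimeSpan.Zero means the attempt may proceed. Key is a username or a client IP.
    public TimeSpan CheckAllowed(string key, DateTime nowUtc)
    {
        lock (_lock)
        {
            if (!_entries.TryGetValue(key, out var e)) return TimeSpan.Zero;
            if (e.BannedUntilUtc > nowUtc) return e.BannedUntilUtc - nowUtc;
            if (e.NextAllowedUtc > nowUtc) return e.NextAllowedUtc - nowUtc;
            return TimeSpan.Zero;
        }
    }

    // Call after a wrong password. Instead of Thread.Sleep on the server (which ties up
    // a worker thread), the next allowed time is stored and early retries are refused.
    public void RecordFailure(string key, DateTime nowUtc)
    {
        lock (_lock)
        {
            if (!_entries.TryGetValue(key, out var e)) _entries[key] = e = new Entry();
            e.Failures++;
            if (e.Failures > MaxFailures)
            {
                e.BannedUntilUtc = nowUtc + BanDuration; // ban expires by itself
                e.Failures = 0;                          // counter restarts after the ban
                return;
            }
            e.NextAllowedUtc = nowUtc + TimeSpan.FromTicks(StepDelay.Ticks * e.Failures);
        }
    }

    // Call after a correct password so a legitimate user is not penalised later.
    public void RecordSuccess(string key) { lock (_lock) { _entries.Remove(key); } }
}
```

In the login handler, call CheckAllowed first and show the remaining wait when it is non-zero; only then verify the password and call RecordFailure or RecordSuccess. The in-memory dictionary resets when the application restarts, so a database table as described above is needed if the ban must survive that.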

Well, I only want a temporary ban, unless I notice a single IP address that is constantly showing up with failed login attempts, then I will manually ban that address. But if someone hacks the companies that my users work for, it's acceptable if I block them all for 2 hours.

Now, with thread.sleep() I get an error message saying that thread is not declared. Why and what should it be declared as?

Hi,
I want to implement the same thing (block the user after 15 minutes). Can you please post the code that you implemented? It will help a lot, please.
