Hi all,

I am new to PHP. I am developing a login where I compare the encrypted password, set a session for the user and log in to the system.

But I need more to do with this.
I need to know how to lock an IP if a user tries more than 2-3 times to log in to the system.
I am using PHP and don't know what areas I have to study to do this.

Can anybody give me a hint?

Example code is highly appreciated.

Thanks in advance,
menukaddevinda

Hi,

perfect hint: http://www.php.net/manual/en/reserved.variables.server.php. It's the manual for all information concerning your visitor. Look at "REMOTE_ADDR" for the IP-address.

To lock an account you simply count how often the user tried to log in with a wrong ID. Simply place a file into a temporary folder named with the IP-address and save the time and date of the login (or even better unix-time: time()). If the time gap is lower than say 15 minutes you simply put a flag "locked" to your database or whatever system you're using for your accounts.

Blocking an I.P is fairly useless if you use a proxy. For example, I use one and have a button which says 'Cycle I.P'; upon clicking it I have a new I.P address and could therefore carry on attempting to log in.

I am bringing up another problem as I am exploring this. Do you have any option to handle this?

Thanks in advance.

The best alternative is to lock an account independently of the IP address. That's how it's done in the real world. That might be stupid for the end-user as she/he can't log in after an attack, but provides the highest security.

There are two possibilities:
1) Resetting the password and sending a link to unlock the account via email.
2) Blocking any login-attempt for a defined period of time (15 mins or so).

What's best for you depends on your taste.

Regards, Simon
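
A sketch of option 2 above (refusing login attempts on an account for a defined period, independent of the IP address), added here as an example and not code from any poster in this thread. The table and column names, the limit of 3 failures, the sample user and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example: account-based lockout, counted per username, not per REMOTE_ADDR.
const MAX_FAILURES = 3;    // assumed limit of failed attempts inside the window
const LOCK_SECONDS = 900;  // 15 minutes, as suggested in the thread

function isLocked(PDO $db, string $user, int $now): bool {
    $q = $db->prepare('SELECT COUNT(*) FROM login_failures
                       WHERE username = ? AND failed_at > ?');
    $q->execute([$user, $now - LOCK_SECONDS]);
    return (int)$q->fetchColumn() >= MAX_FAILURES;
}

function attemptLogin(PDO $db, string $user, string $password, string $ip, int $now): string {
    if (isLocked($db, $user, $now)) {
        return 'locked';   // refuse before the password is even checked
    }
    $q = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash !== false && password_verify($password, $hash)) {
        // A successful login clears the failure history for this account.
        $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$user]);
        return 'ok';
    }
    // Failures are keyed on the account; the IP is kept for the audit trail only,
    // so switching proxies does not reset the counter.
    $db->prepare('INSERT INTO login_failures (username, ip, failed_at) VALUES (?, ?, ?)')
       ->execute([$user, $ip, $now]);
    return 'failed';
}

// Constructed demo data: one user, three wrong guesses from three different IPs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec('CREATE TABLE login_failures (username TEXT, ip TEXT, failed_at INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = time();
foreach (['198.51.100.7', '203.0.113.9', '192.0.2.44'] as $i => $ip) {
    echo attemptLogin($db, 'alice', 'guess' . $i, $ip, $t + $i), "\n";
}
// Correct password while the window is still open, then again after it has passed.
echo attemptLogin($db, 'alice', 'correct horse', '192.0.2.1', $t + 10), "\n";
echo attemptLogin($db, 'alice', 'correct horse', '192.0.2.1', $t + LOCK_SECONDS + 3), "\n";
```

Because the window slides with the timestamp of each failure, no separate "locked" flag or unlock job is needed; the account opens again once the recorded failures are older than LOCK_SECONDS.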