lock user after 3 attempts
#1
Posted 08 October 2009 - 07:08 AM
Hello,
I am new to Yii. Can anyone tell me how to lock a user after 3 attempts and send an email to the admin? Please help me sort out this issue.
Thanks
Neel
#2
Posted 08 October 2009 - 07:58 AM
hello,
Well, that's one thing you're gonna have to figure out.
I'd create a new column in my `users` table called loginAttempt (or whatever) default 0, and every time a user gives me a wrong pass, I'd increase that column. If it reaches 3, the user can't log in.
But you'll need a timer (lock out time) etc. There are lots of ways to do this.
--iM
It’s done, the great act of creation.
The maker rests. The wheel’s in motion.
-- Imre Madách
check out Yii Themes at http://yiithemes.mehesz.net
#3
Posted 12 October 2009 - 01:30 AM
imehesz, on 08 October 2009 - 07:58 AM, said:
hello,
Well, that's one thing you're gonna have to figure out.
I'd create a new column in my `users` table called loginAttempt (or whatever) default 0, and every time a user gives me a wrong pass, I'd increase that column. If it reaches 3, the user can't log in.
But you'll need a timer (lock out time) etc. There are lots of ways to do this.
--iM
Lol, queries? What about sessions?
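// failed login: start the counter at 1 if it does not exist yet, otherwise increment it
$_SESSION['attempt_failed'] = isset($_SESSION['attempt_failed']) ? $_SESSION['attempt_failed'] + 1 : 1;
if ($_SESSION['attempt_failed'] >= 4) {
    // do something smart
}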
#4
Posted 12 October 2009 - 04:43 AM
@manolodisan: Using the user session may not have the desired effect. If this system is implemented to prevent bruteforce guessing of user passwords, the bruteforce process could just delete the session cookie and start over again.
I'd rather go with imehesz here, and store failed login attempts and maybe the timestamp of an account lock in the DB to persist this information.
#5
Posted 16 October 2009 - 12:27 AM
sdietz, on 12 October 2009 - 04:43 AM, said:
@manolodisan: Using the user session may not have the desired effect. If this system is implemented to prevent bruteforce guessing of user passwords, the bruteforce process could just delete the session cookie and start over again.
I'd rather go with imehesz here, and store failed login attempts and maybe the timestamp of an account lock in the DB to persist this information.
Yeah? Do that and I can keep you unable to log in all day long.
#6
Posted 16 October 2009 - 10:38 PM
#7
Posted 19 October 2009 - 02:50 PM
I would also suggest that you lock the user only after 3 consecutive attempts... so if the user fails the first attempt you add one to the DB field... if on the second attempt the login is successful you clear the field to 0. Otherwise everyone will sooner or later press caps unintentionally and will fail once, twice, and his account will be locked eventually. So I think this practice is only near perfect when used after three consecutive failures. What do you think?
#8
Posted 20 October 2009 - 05:05 AM
bettor, on 19 October 2009 - 02:50 PM, said:
I would also suggest that you lock the user only after 3 consecutive attempts... so if the user fails the first attempt you add one to the DB field... if on the second attempt the login is successful you clear the field to 0. Otherwise everyone will sooner or later press caps unintentionally and will fail once, twice, and his account will be locked eventually. So I think this practice is only near perfect when used after three consecutive failures. What do you think?
Sure, that's a thing which must be placed on successful login. Updating the row.
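The approach the thread converges on (a counter persisted in the DB, cleared on successful login, plus a lock-out time), as an added example that is not from any of the posters and uses plain PDO rather than Yii's own API. Only the loginAttempt column comes from the thread; the lockedUntil and passwordHash columns, the 15-minute lock, the $notifyAdmin callback and the demo account are assumptions.

```php
<?php
// Added example: everything except the loginAttempt column name is an assumption.
const MAX_ATTEMPTS = 3;      // consecutive failures before locking
const LOCK_SECONDS = 900;    // lock-out time (assumed value)

function attemptLogin(PDO $db, string $username, string $password, callable $notifyAdmin, ?int $now = null): string
{
    $now = $now ?? time();
    $stmt = $db->prepare('SELECT id, passwordHash, loginAttempt, lockedUntil FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return 'failed';                       // unknown user: same answer as a wrong password
    }
    if ($user['lockedUntil'] !== null && (int)$user['lockedUntil'] > $now) {
        return 'locked';                       // still inside the lock-out window
    }
    if (password_verify($password, $user['passwordHash'])) {
        // Success clears the counter, so only consecutive failures count.
        $db->prepare('UPDATE users SET loginAttempt = 0, lockedUntil = NULL WHERE id = ?')->execute([$user['id']]);
        return 'ok';
    }
    // Increment in SQL so parallel requests cannot lose an update.
    $db->prepare('UPDATE users SET loginAttempt = loginAttempt + 1 WHERE id = ?')->execute([$user['id']]);
    $q = $db->prepare('SELECT loginAttempt FROM users WHERE id = ?');
    $q->execute([$user['id']]);
    if ((int)$q->fetchColumn() >= MAX_ATTEMPTS) {
        $db->prepare('UPDATE users SET loginAttempt = 0, lockedUntil = ? WHERE id = ?')
           ->execute([$now + LOCK_SECONDS, $user['id']]);
        $notifyAdmin($username);               // hook for the e-mail to the admin
        return 'locked';
    }
    return 'failed';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, passwordHash TEXT,
           loginAttempt INTEGER NOT NULL DEFAULT 0, lockedUntil INTEGER)');
$db->prepare('INSERT INTO users (username, passwordHash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$notify = function (string $u): void { echo "admin notified: $u locked\n"; };
$t = 1000;   // fixed clock so the demo is repeatable
foreach (['bad', 'correct horse', 'bad', 'bad', 'bad', 'correct horse'] as $pw) {
    echo attemptLogin($db, 'alice', $pw, $notify, $t), "\n";
}
echo attemptLogin($db, 'alice', 'correct horse', $notify, $t + LOCK_SECONDS + 1), "\n";
```

Because the state lives in the users row, discarding the session cookie does not reset it; the final call shows the lock expiring on its own once the lock-out time has passed.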