Yii Framework Forum: lock user after 3 attempts


lock user after 3 attempts

#1 neel, posted 08 October 2009 - 07:08 AM

Hello,
I am new to using Yii. Can anyone tell me how to lock a user after 3 attempts and send an email to the admin? Please help me sort out this issue.
Thanks
Neel

#2 imehesz, posted 08 October 2009 - 07:58 AM

hello,

Well, that's one thing you're gonna have to figure out.

I'd create a new column in my `users` table called loginAttempt (or whatever) default 0, and every time a user gives me a wrong pass, I'd increase that column. If it reaches 3, the user can't log in.

But you'll need a timer (lock out time) etc. There are lots of ways to do this.

--iM

#3 manilodisan, posted 12 October 2009 - 01:30 AM

imehesz, on 08 October 2009 - 07:58 AM, said:

hello,

Well, that's one thing you're gonna have to figure out.

I'd create a new column in my `users` table called loginAttempt (or whatever) default 0, and every time a user gives me a wrong pass, I'd increase that column. If it reaches 3, the user can't log in.

But you'll need a timer (lock out time) etc. There are lots of ways to do this.

--iM

Lol, queries? What about sessions?
<?php
// failed login: count failures in the PHP session (the key may not exist yet on the first failure)
session_start();
$_SESSION['attempt_failed'] = (isset($_SESSION['attempt_failed']) ? $_SESSION['attempt_failed'] : 0) + 1;

if ($_SESSION['attempt_failed'] >= 4) {
    // do something smart
}


#4 sdietz, posted 12 October 2009 - 04:43 AM

@manilodisan: Using the user session may not have the desired effect. If this system is implemented to prevent brute-force guessing of user passwords, the brute-force process could just delete the session cookie and start over again.

I'd rather go with imehesz here, and store failed login attempts and maybe the timestamp of an account lock in the DB to persist this information.

#5 manilodisan, posted 16 October 2009 - 12:27 AM

sdietz, on 12 October 2009 - 04:43 AM, said:

@manilodisan: Using the user session may not have the desired effect. If this system is implemented to prevent brute-force guessing of user passwords, the brute-force process could just delete the session cookie and start over again.

I'd rather go with imehesz here, and store failed login attempts and maybe the timestamp of an account lock in the DB to persist this information.

Yeah? Do that and I can keep you unable to log in all day long. :)

#6 Backslider, posted 16 October 2009 - 10:38 PM

manilodisan, on 16 October 2009 - 12:27 AM, said:

Yeah? Do that and I can keep you unable to log in all day long. :)

Well, it would make sense to send an email to the real user so they can unset the ban themselves.

The database is definitely the correct method.

#7 bettor, posted 19 October 2009 - 02:50 PM

I would also suggest that you lock the user only after 3 consecutive attempts... so if the user fails the first attempt you add one to the DB field... if on the second attempt the login is successful you clear the field to 0. Otherwise everyone will sooner or later unintentionally press Caps Lock and fail once, twice, and his account will be locked eventually. So I think this practice is only near perfect when used after three consecutive failures. What do you think?

#8 manilodisan, posted 20 October 2009 - 05:05 AM

bettor, on 19 October 2009 - 02:50 PM, said:

I would also suggest that you lock the user only after 3 consecutive attempts... so if the user fails the first attempt you add one to the DB field... if on the second attempt the login is successful you clear the field to 0. Otherwise everyone will sooner or later unintentionally press Caps Lock and fail once, twice, and his account will be locked eventually. So I think this practice is only near perfect when used after three consecutive failures. What do you think?

Sure, that's a thing which must be done on successful login: updating the row.
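The approach the thread converges on (imehesz's persistent counter in post #2, sdietz's point in post #4 that the counter must live in the database rather than the session, manilodisan's warning in post #5 that a permanent lock lets anyone keep a victim locked out, and bettor's and manilodisan's point in posts #7 and #8 that only consecutive failures count and a successful login resets the counter) fits in one login routine. The following is an added example, not code from the thread or from Yii: it uses plain PDO with an in-memory SQLite database instead of Yii's ActiveRecord, and the column names `failed_attempts` and `locked_until`, the 15-minute lock window and the `attemptLogin` function are all assumptions made here. The lock is time-limited rather than permanent, so a stranger hammering someone else's username can delay that user but not lock them out indefinitely.

```php
<?php
// Added example (not from the thread): persistent, consecutive-failure lockout with a
// timed lock, using plain PDO + SQLite in memory (Yii's ActiveRecord layer is assumed away).

const MAX_FAILED_ATTEMPTS = 3;       // lock after 3 consecutive failures
const LOCK_SECONDS        = 15 * 60; // timed lock (assumed window) instead of a permanent one

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (
        id              INTEGER PRIMARY KEY,
        username        TEXT    NOT NULL UNIQUE,
        password_hash   TEXT    NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked_until    INTEGER NULL
    )');
}

function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns 'ok', 'locked' or 'invalid'. $now is passed in so the lock window can be exercised.
function attemptLogin(PDO $db, string $username, string $password, int $now): string
{
    $stmt = $db->prepare(
        'SELECT id, password_hash, failed_attempts, locked_until FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Unknown user: verify against a throwaway hash so response time does not reveal valid usernames.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return 'invalid';
    }

    $lockedUntil = $user['locked_until'] === null ? null : (int) $user['locked_until'];
    if ($lockedUntil !== null && $lockedUntil > $now) {
        return 'locked'; // inside the lock window: do not even check the password
    }

    if (password_verify($password, $user['password_hash'])) {
        // A successful login clears the consecutive-failure counter (posts #7 and #8).
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE id = :id')
           ->execute([':id' => $user['id']]);
        return 'ok';
    }

    // An expired lock starts a fresh count; otherwise keep counting consecutive failures.
    $failed  = ($lockedUntil !== null ? 0 : (int) $user['failed_attempts']) + 1;
    $newLock = $failed >= MAX_FAILED_ATTEMPTS ? $now + LOCK_SECONDS : null;
    $db->prepare('UPDATE users SET failed_attempts = :f, locked_until = :l WHERE id = :id')
       ->execute([':f' => $failed, ':l' => $newLock, ':id' => $user['id']]);
    // $newLock !== null is the point at which to notify the account owner or admin; omitted here.
    return 'invalid';
}

// Constructed demo run with a constructed user and timestamps.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
registerUser($db, 'neel', 'correct-horse');

$t = 1700000000;
foreach ([
    ['wrong',         $t],                    // failure 1
    ['correct-horse', $t + 1],                // success: counter back to 0
    ['wrong',         $t + 2],                // failure 1
    ['wrong',         $t + 3],                // failure 2
    ['wrong',         $t + 4],                // failure 3: lock set
    ['correct-horse', $t + 60],               // right password, but still inside the lock window
    ['correct-horse', $t + LOCK_SECONDS + 5], // lock expired: success
] as [$password, $when]) {
    printf("%-14s at +%5ds -> %s\n", $password, $when - $t, attemptLogin($db, 'neel', $password, $when));
}
```

The demo sequence shows each behaviour the thread asked for: a single failure followed by a correct password does not accumulate toward the lock, three consecutive failures set `locked_until`, a correct password during the window is refused without touching the counter, and once the window has passed the user is back in. Because the state is a row in `users`, discarding the session cookie between attempts (sdietz's concern) changes nothing.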
