Posted by antony on 04/09/07 12:54
> it would be tempting to use a cookie with timeout but as the user may
> disable cookies,
in fact not good;
> i would simply have a count field in the database against
> the usernames and on each unsuccessful attempt increase the counter.
>
> when they log in successfully, reset the counter. a flag could be in
> there as to whether the account is active, if the count reaches a set
> amount, flip the flag eg. user_active 'Y' or 'N'
>
> any user_active 'N' accounts cannot log in.
>
> add a datetime field also so you can do your checks for timeout expire
> of the blocks etc.
>
> of course, this is all good for usernames that exist.
so you only check the attempts at entering the password?
> if you're wanting to block any wrong logins, then use the REMOTE_ADDRESS
> of the user. but this might block lots of people as they may use a
> proxy so you might say block everyone on AOL indefinitely if you're not
> at least doing the 'username' blocking method.
is this because the remote_address cannot identify a single unique user?
so you block when someone writes the username exactly but after 5 attempts at
entering the password it is still no good?
and you block the user? for how much time?
does this type of protection have a specific name?
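
The per-username counter scheme described in the quoted reply, as an added example that is not part of the original thread. Only `user_active` and its 'Y'/'N' values come from the post; the table name, the other column names, the 5-failure threshold and the 15-minute block period are assumptions, and password verification is left to the caller.

```python
import sqlite3
from datetime import datetime, timedelta

MAX_FAILURES = 5                      # assumed threshold
LOCK_PERIOD = timedelta(minutes=15)   # assumed block duration

def make_db():
    """In-memory table with the three fields the reply describes."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        username     TEXT PRIMARY KEY,
        failed_count INTEGER NOT NULL DEFAULT 0,  -- the count field
        user_active  TEXT NOT NULL DEFAULT 'Y',   -- the 'Y'/'N' flag
        last_failed  TEXT                         -- the datetime field
    )""")
    return db

def attempt_login(db, username, password_ok, now):
    """Return 'ok', 'denied' or 'locked'.

    password_ok is the result of the caller's own password check."""
    row = db.execute("SELECT failed_count, user_active, last_failed "
                     "FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Unknown username: no row to count against, same answer as a bad
        # password so the response does not reveal which names exist.
        return "denied"
    count, active, last_failed = row
    if active == "N":
        if now - datetime.fromisoformat(last_failed) < LOCK_PERIOD:
            return "locked"           # blocked even if the password is right
        count, active = 0, "Y"        # block expired: start counting again
    if password_ok:
        db.execute("UPDATE users SET failed_count = 0, user_active = 'Y', "
                   "last_failed = NULL WHERE username = ?", (username,))
        return "ok"
    count += 1
    active = "N" if count >= MAX_FAILURES else "Y"   # flip the flag at the limit
    db.execute("UPDATE users SET failed_count = ?, user_active = ?, "
               "last_failed = ? WHERE username = ?",
               (count, active, now.isoformat(), username))
    return "locked" if active == "N" else "denied"
```
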