Block requests after multiple unsuccessful logins
You can't use session, as it requires the client to store a cookie for you, and an attacker is not going to help you out. You will need some global state.
You needn't bother tracking IP addresses, as a bad guy will just use an Anonymizing Proxy.
Don't use account lock-out unless you have to (PCI requirement), as this just lets the attacker DoS your users.
You also want to avoid DoS-ing yourself by making your server do too much work.
This works:
Upon unsuccessful authentication, store username in global state, along with count. Synchronized count++ if more unsuccessful authentications with that username. I use redis for this.
If count >= threshold, then demand solved CAPTCHA value before proceeding. Show CAPTCHA on login screen.
Upon successful authentication, clear stored username in global state. Give user "trusted user agent" HMAC'd cookie, so they don't have to CAPTCHA in the future for that username on that UA.
You can do the same for passwords, but probably with a higher threshold.
If you don't like CAPTCHA then demand Proof of Work, for example by making the client calculate and submit the prime factors of a very large number.
While you're at it, make sure you are using bcrypt to hash your passwords, and that the cost factor is high enough that it takes >= 250ms to hash a password. This slows down your server but also slows down an attacker. Avoid hashing unless they pass the CAPTCHA (if required).
Encourage users to use long, complicated, memorable? passwords, so that they're harder to brute-force.
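The per-username counter, CAPTCHA gate and "trusted user agent" HMAC cookie described in the answer above, as an added example that is not the answerer's own code. It assumes a plain dictionary guarded by a lock as a stand-in for the Redis store (in Redis the increment would be an atomic INCR), a constructed server secret, a threshold of 5, and a caller-supplied `check_password` callable; all of these are assumptions, not values from the answer.

```python
import hashlib
import hmac
import threading

# Constructed in-memory stand-in for the Redis store: username -> failed-attempt count.
_failures = {}
_lock = threading.Lock()

CAPTCHA_THRESHOLD = 5                        # assumed value; tune per deployment
SERVER_SECRET = b"constructed-demo-secret"   # assumed; load from configuration in practice


def record_failure(username):
    """Synchronized count++ for the username; returns the new count."""
    with _lock:
        _failures[username] = _failures.get(username, 0) + 1
        return _failures[username]


def captcha_required(username):
    """True once the failure count for this username has reached the threshold."""
    with _lock:
        return _failures.get(username, 0) >= CAPTCHA_THRESHOLD


def clear_failures(username):
    """Called on successful authentication: drop the stored count."""
    with _lock:
        _failures.pop(username, None)


def issue_trusted_ua_cookie(username, user_agent):
    """HMAC over (username, user-agent) so the client cannot forge the cookie."""
    msg = username.encode() + b"\x00" + user_agent.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def ua_is_trusted(username, user_agent, cookie):
    """Constant-time check of the cookie presented with this login attempt."""
    expected = issue_trusted_ua_cookie(username, user_agent)
    return hmac.compare_digest(expected, cookie or "")


def login_gate(username, user_agent, cookie, captcha_solved):
    """Decide whether to run the expensive password hash at all.
    Returns "proceed" or "captcha"."""
    if ua_is_trusted(username, user_agent, cookie):
        return "proceed"             # known UA for this username: no CAPTCHA
    if captcha_required(username) and not captcha_solved:
        return "captcha"             # show the CAPTCHA, do not hash anything yet
    return "proceed"


def attempt_login(username, password, user_agent, cookie, captcha_solved, check_password):
    """Full flow: gate, verify, then update the counter and issue the cookie.
    `check_password(username, password)` is an assumed caller-supplied verifier."""
    if login_gate(username, user_agent, cookie, captcha_solved) == "captcha":
        return {"ok": False, "captcha": True, "cookie": None}
    if check_password(username, password):
        clear_failures(username)
        return {"ok": True, "captcha": False,
                "cookie": issue_trusted_ua_cookie(username, user_agent)}
    record_failure(username)
    return {"ok": False, "captcha": captcha_required(username), "cookie": None}
```

The cookie binds the username to the user agent string only, so it spares a returning user the CAPTCHA without granting any access; the password check still runs. Because the gate runs before `check_password`, a flood of requests for a username that is already over the threshold costs the server no hashing work.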
Block User IP after 5 unsuccessful login attempts?
You should log failed attempts to a table; when the number of rows in that table exceeds the allowed number of failed login attempts, you should display an error message to say the user is locked out.
When the user has regenerated their password, remove the records from the table.
Sorry, just saw your other request for the IP address. In a web application you can use the following property from the HttpContext:
HttpContext.Current.Request.UserHostAddress
how to block user after 3 login attempts?
Add the following two columns to your row:
- last_attempt as a datetime
- attempt_count as an int
In your login logic, check these two values: if it's 3 or more and within the time frame (ex: 10mins), then update last_attempt and increment attempt_count; this second part is not necessary, but you might want to know this. If it's been more than 10mins, then set attempt_count back to 0 if they pass or 1 if they fail, and update last_attempt again.
As a bonus, you now also know the last time the user logged in, which is useful when you want to find unused accounts.
Block login if too many login attempts
I don't know what you mean by "block login" or "end code", but here is one way to signal to calling code if the correct password was locked, or if it should be locked:
    import time

    usernames = ("test", "test01", "test02")
    passwords = ("test", "test01", "test02")

    def username():
        # Loop until a known username is entered (the original used
        # continue/break outside any loop, which is a syntax error).
        while True:
            print("Username: ")
            username = input("")
            if username in usernames:
                print("Username Accepted")
                break
            else:
                print("Try Again (10 sec)")
                time.sleep(10)
                continue

    def password(n):
        # Allow n attempts; return True on a correct password, False when
        # the attempts are used up (the caller treats False as "locked").
        while True:
            print("Password: ")
            password = input("")
            if password in passwords:
                print("Password Accepted")
                return True
            n -= 1
            if n == 0:
                return False
            print("Try Again (10 sec)")
            time.sleep(10)

    username()
    if not password(3):
        print("Locked")
    else:
        print("Access Granted")
It's best practice, btw, to not reveal if the username is correct. In other words, you read (username, password), then you validate it and tell the user if the combination is correct. Also, I would sleep 0 the first failure, but then make it exponentially worse on each failure:
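The two recommendations just made (validate the (username, password) pair as one unit with a single generic failure message, and back off exponentially after the first failure) as an added example; this is not the answerer's code. It assumes a constructed PBKDF2-hashed user store, an assumed cap of 300 seconds on the delay, and a `sleep` parameter so the delay can be observed without actually waiting.

```python
import hashlib
import hmac
import os
import time

GENERIC_FAILURE = "Invalid username or password"
MAX_BACKOFF = 300   # seconds; assumed cap so the delay cannot grow without bound
_ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, hash). Real code loads this from a DB.
_SALT = os.urandom(16)
_USERS = {
    "test": (_SALT, _hash("test", _SALT)),
    "test01": (_SALT, _hash("test01", _SALT)),
}
# Dummy record used when the username is unknown, so the hashing cost (and the
# response time) is the same whether or not the username exists.
_DUMMY = (_SALT, _hash("dummy-placeholder", _SALT))


def credentials_valid(username, password):
    """Check the pair as a unit; never reports which half was wrong."""
    salt, stored = _USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    return match and username in _USERS


def backoff_seconds(failures):
    """Delay after the given consecutive failure: 0 for the first,
    then 1, 2, 4, ... seconds up to MAX_BACKOFF."""
    if failures <= 1:
        return 0
    return min(MAX_BACKOFF, 2 ** (failures - 2))


def login(username, password, failures, sleep=time.sleep):
    """One attempt. `failures` is the count of consecutive prior failures for
    this account. Returns (ok, message, new_failures)."""
    if credentials_valid(username, password):
        return True, "Access Granted", 0
    failures += 1
    sleep(backoff_seconds(failures))
    return False, GENERIC_FAILURE, failures


if __name__ == "__main__":
    print(login("test", "wrong", 0, sleep=lambda s: print(f"(sleep {s}s)")))
    print(login("test", "test", 1))
```

Blocking a request thread with `sleep` is the simplest form of the idea but ties up server capacity during the delay; the same schedule can be enforced by storing a "not before" timestamp next to the failure count and rejecting earlier attempts outright.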
Best way to limit (and record) login attempts
Use some columns in your users table 'failed_login_attempts' and 'failed_login_time'. The first one increments per failed login, and resets on successful login. The second one allows you to compare the current time with the last failed time.
Your code can use this data in the db to determine how long it waits to lock out users, time between allowed logins, etc.
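The two-column approach described in this answer and in the "how to block user after 3 login attempts?" answer above (a failure counter plus the time of the last failed attempt, reset on success, with a 10-minute window and a limit of 3) as an added example; it is not code from either answer. It assumes an in-memory SQLite table with the column names `attempt_count` and `last_attempt`, and takes the current time as a parameter so the window logic can be exercised without waiting.

```python
import sqlite3
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the window from the answer's example
MAX_ATTEMPTS = 3


def make_db():
    """Constructed users table with the two extra columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " attempt_count INTEGER NOT NULL DEFAULT 0,"
        " last_attempt TEXT)"
    )
    conn.execute("INSERT INTO users (username) VALUES ('alice')")
    return conn


def _state(conn, username):
    row = conn.execute(
        "SELECT attempt_count, last_attempt FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    count, last = row
    return count, (datetime.fromisoformat(last) if last else None)


def attempt_count(conn, username):
    state = _state(conn, username)
    return 0 if state is None else state[0]


def login(conn, username, password_ok, now):
    """Apply the answer's rules and return "locked", "ok" or "fail".
    `password_ok` is the result of the real credential check."""
    state = _state(conn, username)
    if state is None:
        return "fail"                       # unknown user: nothing to update
    count, last = state
    within = last is not None and (now - last) < WINDOW

    if within and count >= MAX_ATTEMPTS:
        # Still inside the window with the limit reached: keep counting and
        # refresh last_attempt, so the lockout slides forward with each try.
        new_count, result = count + 1, "locked"
    elif password_ok:
        new_count, result = 0, "ok"          # success resets the counter
    else:
        # Inside the window the count continues; outside it starts over at 1.
        new_count, result = (count + 1 if within else 1), "fail"

    conn.execute(
        "UPDATE users SET attempt_count = ?, last_attempt = ? WHERE username = ?",
        (new_count, now.isoformat(), username),
    )
    conn.commit()
    return result
```

Because `last_attempt` is written on every attempt, the same column doubles as the "last time the user logged in" value the earlier answer mentions for finding unused accounts.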