views: 341
answers: 8
+4  Q: 

PHP Login Form.

    <form action="form.php" method="post">
    Username: <input type="text" name="user" maxlength="50" value="" />
    Password: <input type="password" name="pass" maxlength="20" value="" />
    <input type="submit" name="Submit" value="Submit" />
    </form>
    <?php
    $Accesstrys = 0;
    if($_POST['Submit'] == "Submit") {
        $Accesstrys++;
        if($Accesstrys == 3)   // was misspelled $Acesstrys, an undefined variable
        {
            $ip = getenv("REMOTE_ADDR");
            $file = fopen("Loginlimit/$ip",'w');
            fwrite($file,"$Accesstrys:$ip");
            fclose($file);     // release the handle after writing
        }
    }
    ?>

I'm trying to code a PHP login script that gives you 3 tries to log in; if you fail, it shall freeze for, let's say, 10 min.

It's far from done, but I tested this and it didn't create/write a file with my IP. What am I doing wrong?

A: 

Every time you post a try, it resets the number of access tries to 0. You need to store the number of attempts in a server-side solution such as a database or session.

EDIT As mentioned in my comments, my previous brainfart about putting such info in a cookie is simply worst practice. Thank the stars for community editing.

MrChrister
Virtual -1 for suggesting storing server info in a cookie. Cookies are not secure. Never. Ever.
jmucchiello
They can be if they are encrypted before being sent to the browser, but essentially that's doing 100x more work than just using a session which keeps it server-side
John Rasch
+7  A: 

Since PHP is server-side, your $Accesstrys variable is set to 0 on every request.

The key is to use sessions. Try incrementing $_SESSION["AccessTrys"] instead of $Accesstrys.

John Rasch
+1  A: 

At first glance it seems that you're overwriting $Accesstrys every time with 0, giving you a max of 1. What you should do is set the $Accesstrys file to 0, then set the variable from the file, increase the variable, and then set the file equal to the variable.

DForck42
+3  A: 

PHP, like most dynamic languages used specifically for web applications, operates within a stateless environment. In order to keep track of login attempts between HTTP requests you'll need to use a session for your users:

<?php

session_start();
if (!isset($_SESSION['Accesstrys'])) {
  $_SESSION['Accesstrys'] = 0;
}
$_SESSION['Accesstrys']++;
// ... your code goes here ...
jakemcgraw
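The session approach from the answers above, carried through to the 3-attempt / 10-minute freeze the question asks for. This is an added example, not code from the question or any answer; checkCredentials() is a hypothetical placeholder for your own username/password lookup, and the session keys "attempts" and "locked_until" are names chosen here.

```php
<?php
// Added example: session-based attempt counter with a timed freeze.
// checkCredentials() is a hypothetical stand-in for a real user lookup.

session_start();

const MAX_ATTEMPTS    = 3;
const LOCKOUT_SECONDS = 600; // 10 minutes

function checkCredentials(string $user, string $pass): bool
{
    // Placeholder: replace with password_verify($pass, $storedHash)
    // against the hash stored for $user in your own user store.
    return false;
}

// Initialise the counters on the first request of this session only;
// on later requests the values persist server-side, unlike a plain variable.
if (!isset($_SESSION['attempts'])) {
    $_SESSION['attempts']     = 0;
    $_SESSION['locked_until'] = 0;
}

if (isset($_POST['Submit'])) {
    $now = time();

    if ($_SESSION['locked_until'] > $now) {
        // Still frozen: refuse without even checking the password.
        $wait = $_SESSION['locked_until'] - $now;
        echo "Too many failed logins. Try again in " . ceil($wait / 60) . " minute(s).";
    } elseif (checkCredentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        // Success: clear the counter and rotate the session id.
        $_SESSION['attempts']     = 0;
        $_SESSION['locked_until'] = 0;
        session_regenerate_id(true);
        echo "Welcome.";
    } else {
        $_SESSION['attempts']++;
        if ($_SESSION['attempts'] >= MAX_ATTEMPTS) {
            // Third failure: freeze for LOCKOUT_SECONDS and restart the count.
            $_SESSION['locked_until'] = $now + LOCKOUT_SECONDS;
            $_SESSION['attempts']     = 0;
            echo "Three failed attempts; login frozen for 10 minutes.";
        } else {
            echo "Invalid login.";
        }
    }
}
?>
<form action="form.php" method="post">
    Username: <input type="text" name="user" maxlength="50" value="" />
    Password: <input type="password" name="pass" maxlength="20" value="" />
    <input type="submit" name="Submit" value="Submit" />
</form>
```

Note the limit this shares with every session-only scheme, as Eric Petroelje's answer below points out: the counter lives in the session, so a client that discards its session cookie starts from zero. It slows down a well-behaved browser, not a script that never sends the cookie back.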
+1  A: 

There are many problems with the approach you've taken. For example:

  1. REMOTE_ADDR is not unique for each user
  2. Writing information to a file won't work unless you take care of simultaneous users hitting your server
  3. $Accesstrys++ disappears each time it is used, so its value will never be saved.
  4. etc.

You need to use a feature called Sessions and store the information in the session or a database. Take a look at http://us.php.net/manual/en/features.sessions.php

BeWarned
+2  A: 

Presumably, the login username/password combination is not being hard-coded into the script, but being retrieved from a database of some sort. In that case, why not just include a new column for each user? This solves the problem of the user just deleting the session cookie on every 3rd attempt.

The database would also allow you then to 'lock' accounts when it reached 3 failed attempts.

If you feel really security needy, you could use a mixture of sessions and database columns, but storing the session data in the database. Google has plenty of examples of how to do this use the set_session_save_handler function.

Ali Lown
This wouldn't stop someone from hammering the form with bad names. Could they do a ramp-up where 5 bad guesses is a time-out, then 3, then 2, then 1, and every guess after one results in an increasingly longer time-out?
MrChrister
Possible. Awkward to code. Or you could just start banning IPs (either from the site or from login). Problem: what if they have a dynamic IP? Any ideas around this? Cookies can be deleted. Sessions need cookies. User-agents are too common to ban people by.
Ali Lown
+2  A: 

You'd want to use a database to store the number of retries (by IP address or better by username) since as others have mentioned your $Accesstrys will be reset to zero on each request.

I'm surprised so many people have suggested using sessions to keep track of the number of retries. There's a fundamental security flaw there - if the login attempts were coming from an automated bot trying to crack an account, there would be no cookies (or URL session id) and your session tracking of access attempts would be useless.

Eric Petroelje
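The per-username database lockout that Ali Lown's and Eric Petroelje's answers recommend, written out as an added example (not code from any answer). It assumes a hypothetical users table with columns username, password_hash, failed_attempts and locked_until (a UNIX timestamp); the PDO DSN and credentials are placeholders to replace with your own.

```php
<?php
// Added example: per-account lockout kept in the database, so it survives a
// client that discards its session cookie and is shared by all PHP workers.
// Table assumed (hypothetical):
//   users(username, password_hash, failed_attempts INT, locked_until INT)

const MAX_ATTEMPTS    = 3;
const LOCKOUT_SECONDS = 600; // 10 minutes

function connect(): PDO
{
    // Placeholder DSN/credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Returns true on a successful login; false for an unknown user, a wrong
// password, or an account that is currently frozen.
function attemptLogin(PDO $pdo, string $user, string $pass): bool
{
    $now = time();

    $stmt = $pdo->prepare(
        'SELECT password_hash, failed_attempts, locked_until FROM users WHERE username = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // unknown username; same answer as a bad password
    }
    if ((int) $row['locked_until'] > $now) {
        return false; // frozen: do not evaluate the password at all
    }

    if (password_verify($pass, $row['password_hash'])) {
        $pdo->prepare('UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE username = ?')
            ->execute([$user]);
        return true;
    }

    // Failed attempt. Increment inside the database rather than in PHP so two
    // concurrent requests cannot both read N and both write N+1.
    $pdo->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE username = ?')
        ->execute([$user]);

    // Once the threshold is reached, freeze the account and restart the count.
    $pdo->prepare(
        'UPDATE users SET locked_until = ?, failed_attempts = 0
         WHERE username = ? AND failed_attempts >= ?'
    )->execute([$now + LOCKOUT_SECONDS, $user, MAX_ATTEMPTS]);

    return false;
}

if (isset($_POST['Submit'])) {
    $ok = attemptLogin(connect(), $_POST['user'] ?? '', $_POST['pass'] ?? '');
    echo $ok ? 'Welcome.' : 'Invalid login, or account temporarily locked.';
}
```

Because the counter is keyed by username, it also answers the question's original worry in a different way: a bot with no cookie still runs into the freeze, and the lock applies even when attempts arrive from several IP addresses. The same failure message is returned for an unknown user, a wrong password and a frozen account so the response does not reveal which usernames exist.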
A: 

I would like to add one more issue in the code: rather than checking whether the submit value equals "Submit", use isset().

if(isset($_POST['Submit'])) {
// Action code
}

Check out the examples of how the login form can be developed efficiently.
Refer to the following links:
  - Login form sample code
  - File open and write - PHP function
  - Session to track the value until session expires/browser closed

Webrsk