October 30, 2007
Question

lock out users after three failed login attempts

I used Dreamweaver's login wizard to secure a directory in my application (using simple authentication). That all works fine, but now I need to add the functionality where a user would be locked out (temporarily - using a session variable) after three failed login attempts. I've tried many ways but I can't figure it out. I've enabled session management in my application.cfm and set the sessiontimeout variable. Where do I put the code (and what code would that be) that counts the attempts and then freezes it after three failed attempts?

This is the code in the mm_wizard_authenticate.cfc file:

<cffunction name="simpleauth" access="private" output="false" returntype="struct" hint="Authenticate using a single username and password">
    <cfargument name="sUserName" required="true" hint="The username that was setup in the Login Wizard.">
    <cfargument name="sPassword" required="true" hint="The password that was setup in the Login Wizard.">
    <cfargument name="uUserName" required="true" hint="The username passed in from the client.">
    <cfargument name="uPassword" required="true" hint="The password passed in from the client.">
    <cfset var retargs = StructNew()>

    <!--- Compare the submitted credentials with the wizard's configured pair --->
    <cfif sUserName eq uUserName AND sPassword eq uPassword>
        <cfset retargs.authenticated="YES">
    <cfelse>
        <cfset retargs.authenticated="NO">
    </cfif>
    <cfreturn retargs>
</cffunction>

I'm thinking I need to add something like this (below) somewhere but I don't know where.

<cflock scope="SESSION" timeout="3" type="EXCLUSIVE">
    <cfif NOT IsDefined("request.login") or request.login neq 1>
        <cflocation addtoken="No" url="mm_wizard_login.cfm">
    </cfif>
</cflock>

Any help gratefully appreciated. Thanks!
2 replies

October 30, 2007
I will suggest that you use the cookie. Every time the attempt fails, you will check if the cookie exists; if it does, then you will add 1 to the value.

Before you display the login screen, you will check the value of the cookie. If the value is more than 3, then you will only display a message indicating that he/she can't log on.

If the logon is successful, then you need to reset the cookie value to zero.

Also, in the application.cfm you need to do the following:

<cfif isDefined('cookie.cfid') and isDefined('cookie.cftoken')>
    <!--- Re-issue CFID/CFTOKEN without an expires attribute so they become
          browser-session cookies instead of persistent ones --->
    <cfset localcfid = cookie.cfid>
    <cfset localcftoken = cookie.cftoken>
    <cfcookie name="cfid" value="#localcfid#">
    <cfcookie name="cftoken" value="#localcftoken#">
</cfif>

The code above will clear the session information whenever the user closes the browser and opens it again.

Good luck
Mamdoh
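As an added example (not code from this thread or from Dreamweaver's wizard), here is the session-variable approach the question asks about: a failed-attempt counter kept in the SESSION scope on the page that processes the login form, with a timed lockout once it reaches three. It assumes session management is enabled in application.cfm, as the question states, and that a page variable named authenticated holds the YES/NO value the wizard's authentication returns (both names are assumptions).

```cfml
<!--- Added example, not the wizard's code. Goes on the page that processes
      the login form: the first block BEFORE the wizard's authentication call,
      the second block AFTER it. Assumes session management is on and that the
      variable "authenticated" holds the wizard's YES/NO result. --->
<cfset lockoutAttempts = 3>   <!--- failures allowed before lockout --->
<cfset lockoutMinutes  = 15>  <!--- how long the lockout lasts --->

<cflock scope="SESSION" type="EXCLUSIVE" timeout="5">
    <cfparam name="session.failedLogins" default="0">
    <cfparam name="session.lockedUntil"  default="">

    <!--- Expire an old lockout once its time has passed --->
    <cfif IsDate(session.lockedUntil) AND DateCompare(Now(), session.lockedUntil) GTE 0>
        <cfset session.lockedUntil  = "">
        <cfset session.failedLogins = 0>
    </cfif>

    <cfset isLockedOut = IsDate(session.lockedUntil)>
</cflock>

<cfif isLockedOut>
    <!--- Refuse the attempt without even checking the password --->
    <cfoutput><p>Too many failed logins. Please try again in #lockoutMinutes# minutes.</p></cfoutput>
    <cfabort>
</cfif>

<!--- ... the wizard's authentication runs here and sets "authenticated" ... --->

<cflock scope="SESSION" type="EXCLUSIVE" timeout="5">
    <cfif authenticated EQ "YES">
        <!--- Successful login: clear the counter and any lockout --->
        <cfset session.failedLogins = 0>
        <cfset session.lockedUntil  = "">
    <cfelse>
        <!--- Failed login: count it and lock out once the limit is reached --->
        <cfset session.failedLogins = session.failedLogins + 1>
        <cfif session.failedLogins GTE lockoutAttempts>
            <cfset session.lockedUntil = DateAdd("n", lockoutMinutes, Now())>
        </cfif>
    </cfif>
</cflock>
```

Because the counter lives in the server-side session, the client cannot edit it the way it could a plain cookie value, but a client that discards its session cookie starts with a fresh counter, so this limits a single browser session rather than the account itself.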
October 30, 2007
Something like this might work for you.
pamcorey (Author)
October 30, 2007
Where in my code do I add this code, jdeline?
October 30, 2007
The top section goes at the top of the page on which you are doing the authentication. The bottom section goes after the authentication is checked.