
php - login - make conditional to hide after 3 attempts

Guest
Mar 10, 2007

Hi I have my login but does anybody know how to make it conditionally hide after 3 attempts to show a link to the lost password page?
I thought about doing a recordset and applying the show if recordset behaviour but I don't think it can work this way.
I know I have to do some sort of counter using sessions but for which column in the database?

I am starting with this:
// Use the same session key for the increment and the test
$_SESSION['count'] = isset($_SESSION['count']) ? $_SESSION['count'] + 1 : 1;
if ($_SESSION['count'] > 3)
{
    print '<a href="password.php" title="Lost Password">You seem to have lost your password, please click here to retrieve it.</a>';
    exit;
}

but how to make the login form hide is where I am having trouble.

Does anybody have any suggestions?
TOPICS
Server side applications

LEGEND ,
Mar 11, 2007

jjjhbj111 wrote:
> Hi I have my login but does anybody know how to make it conditionally hide
> after 3 attempts to show a link to the lost password page?

I'm not sure this is a very secure idea. Somebody tries to break in
three times and you offer them a quick way of retrieving the password?

> I know I have to do some sort of counter using sessions but for which column
> in the database?

Although I don't think it's a good idea, this is how you do it:

if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 1;
}
else {
    $_SESSION['count']++;
}
if ($_SESSION['count'] > 3) {
    // display the error message
}
else {
    // display the login form
}

--
David Powers, Adobe Community Expert
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

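One way to keep the attempt count on the server per account instead of in $_SESSION, so the limit still holds when a request arrives without the earlier session. This is an added example, not code from the thread; it requires PHP 8, and the LoginThrottle class, its 15-minute window and the in-memory array standing in for a database table are assumptions.

```php
<?php
// Added example: per-account failed-login throttle. The array store is a
// stand-in for a database table keyed by username (assumption).
final class LoginThrottle
{
    private array $failures = [];   // username => list of failure timestamps

    public function __construct(
        private int $maxFailures = 3,
        private int $windowSeconds = 900
    ) {}

    /** Failures for this account that are still inside the window. */
    private function recent(string $user, int $now): array
    {
        return array_values(array_filter(
            $this->failures[$user] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        ));
    }

    public function isLocked(string $user, int $now): bool
    {
        return count($this->recent($user, $now)) >= $this->maxFailures;
    }

    public function recordFailure(string $user, int $now): void
    {
        $this->failures[$user] = [...$this->recent($user, $now), $now];
    }

    /** Call after a successful login so old failures do not accumulate. */
    public function reset(string $user): void
    {
        unset($this->failures[$user]);
    }
}

// Constructed walk-through: three bad passwords for "alice", then checks.
$throttle = new LoginThrottle();
$t0 = 1173484800; // constructed timestamp
foreach ([0, 10, 20] as $offset) {
    $throttle->recordFailure('alice', $t0 + $offset);
}
var_dump($throttle->isLocked('alice', $t0 + 30));   // checked inside the window
var_dump($throttle->isLocked('alice', $t0 + 1000)); // checked after the window
var_dump($throttle->isLocked('bob', $t0 + 30));     // a different account
```

In a login script, isLocked() is checked before the password is verified, and the same response is shown whether or not the username exists.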
Guest
Mar 13, 2007

Thanks David
O.K. I have read about brute force attacks. So allowing fewer login attempts is the better way to go. I have opted for the security questions you suggested a while ago and thought maybe on login to add a captcha as well and use the if ($_SESSION['count'] > 1) which then displays the lost password message and link etc.
I have this info from the net:
Place the ampersat symbol (@) in front of many of your PHP function calls. If they fail, the ampersand will stop from showing that failure in the browser window. This is very useful when making database calls but your database is down, or the SQL statement returns an error. Such messages would only give feedback to intruders, or look unprofessional to regular users.
Passwords in the user account table of your database must be encrypted (SHA-1)
Does anybody use the @ symbol before a function - would it work in Dreamweaver?
Also some recommend using SHA-1 others don't - if I was admin and wanting to look up passwords myself using this method, can you unencrypt it?

Thanks for your help, I don't want to have security problems when using other persons' confidential data.

LEGEND ,
Mar 13, 2007

jjjhbj111 wrote:
> Does anybody use the @ symbol before a function - would it work in Dreamweaver?

Yes, @ is the PHP error control operator. Dreamweaver is simply a text
editor writing your PHP code. What does and doesn't work is determined
by the version of PHP on your server, not Dreamweaver.

> Also some recommend using SHA-1 others don't - if I was admin and wanting to
> look up passwords myself using this method, can you unencrypt it?

sha-1() creates a one-way hash. It cannot be decrypted.

--
David Powers, Adobe Community Expert
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

Guest
Mar 13, 2007

Thanks David
How does a person retrieve their password then?
Also does a user have to login after registration or can they be taken straight to user access page?

LEGEND ,
Mar 14, 2007
jjjhbj111 wrote:
> How does a person retrieve their password then?

You can't. You have to generate a new password. You can use two-way
encryption with the MySQL functions ENCODE() or AES_ENCRYPT(). I show
examples of how to do this in "PHP Solutions".

> Also does a user have to login after registration or can they be taken straight to user access page?

You have to log in.

--
David Powers, Adobe Community Expert
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

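The "one-way hash, so generate a new password" flow from the replies above, as an added PHP example that is not part of the original thread or of "PHP Solutions". It uses PHP's built-in password_hash() and password_verify() (PHP 5.5 and later, so newer than this thread) in place of a bare SHA-1 call; the function names, the one-hour token lifetime and the arrays standing in for database tables are assumptions.

```php
<?php
// Added example: store a one-way hash, and reset rather than retrieve.
// Arrays stand in for the users and password_resets tables (assumption).

/** Registration: only the hash is stored; the plain password is discarded. */
function storePassword(array &$users, string $user, string $password): void
{
    $users[$user] = password_hash($password, PASSWORD_DEFAULT); // salted, slow
}

function checkLogin(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/** Returns a single-use token to e-mail; only its SHA-256 digest is stored. */
function startReset(array &$resets, string $user, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $resets[$user] = ['digest' => hash('sha256', $token), 'expires' => $now + $ttl];
    return $token;
}

function finishReset(array &$users, array &$resets, string $user,
                     string $token, string $newPassword, int $now): bool
{
    $row = $resets[$user] ?? null;
    if ($row === null || $now > $row['expires']
        || !hash_equals($row['digest'], hash('sha256', $token))) {
        return false;
    }
    unset($resets[$user]);                       // token works once
    storePassword($users, $user, $newPassword);
    return true;
}

// Constructed walk-through with made-up credentials.
$users = $resets = [];
$now = 1173830400; // constructed timestamp
storePassword($users, 'alice', 'old-Passw0rd');
$token = startReset($resets, 'alice', $now);
var_dump(finishReset($users, $resets, 'alice', 'wrong-token', 'x', $now + 60));
var_dump(finishReset($users, $resets, 'alice', $token, 'new-Passw0rd', $now + 60));
var_dump(checkLogin($users, 'alice', 'old-Passw0rd'));
var_dump(checkLogin($users, 'alice', 'new-Passw0rd'));
var_dump(finishReset($users, $resets, 'alice', $token, 'again', $now + 120));
```

Because neither the password nor the reset token is stored in recoverable form, an administrator or anyone reading the table cannot look either of them up.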