Blocking access to the login page after three unsuccessful login attempts

Sometimes you need to add an extra protection to password-protected website. This article explains how access to the login page can be restricted after three unsuccessful login attempts. This schema uses visitors IP address to store log attempts in the database and block access to login feature for 30 minutes after third unsuccessful attempt.

There are a number of reasons to restrict access. One reason is security. Quite often users try to guess login and password combination to get unauthorized access to the system. Another reason is extra load on server.

So let’s start. At first you need to create a new table in your databaseto store information about login attempts from a certain computer. SQL script creating such table inMySQL Server will be the following. For other databases it will slightly differ.

CREATE TABLE `LoginAttempts`
(
`IP` VARCHAR( 20 ) NOT NULL ,
`Attempts` INT NOT NULL ,
`LastLogin` DATETIME NOT NULL
)

It is assumed that you have already had an authorization page. Otherwise you can create it using PHP, SSI, and similar languages. There are no major difficulties in writing this program (script).

Authorization page should work with two tables: one table where information about registered users is stored and the other one where unsuccessful login attempts are listed.
Before verifying entered data, system has to check if the user exceeded attempts limit or not. If in the LoginAttempts table there are more than two records correspondent to one IP address, then error message will appear saying that access is blocked for a certain period of time. You can set time period at your discretion. Depending on your security policy it can vary from 1 minute to 24 hours or more. In the following example access will be blocked for 30 minutes.

 

<?php
function confirmIPAddress($value) {

$q = “SELECT attempts, (CASE when lastlogin is not NULL and DATE_ADD(LastLogin, INTERVAL “.TIME_PERIOD.
” MINUTE)>NOW() then 1else 0 end) as DeniedFROM “.TBL_ATTEMPTS.” WHERE ip = ‘$value'”;

$result = mysql_query($q, $this->connection);
$data = mysql_fetch_array($result);

//Verify that at least one login attempt is in database

if (!$data) {
return 0;
}
if ($data[“attempts”] >= ATTEMPTS_NUMBER)
{
if($data[“Denied”] == 1)
{
return 1;
}
else
{
$this->clearLoginAttempts($value);
return 0;
}
}
return 0;
}

function addLoginAttempt($value) {

//Increase number of attempts. Set last login attempt if required.

$q = “SELECT * FROM “.TBL_ATTEMPTS.” WHERE ip = ‘$value'”;
$result = mysql_query($q, $this->connection);
$data = mysql_fetch_array($result);

if($data)
{
$attempts = $data[“attempts”]+1;

if($attempts==3) {
$q = “UPDATE “.TBL_ATTEMPTS.” SET attempts=”.$attempts.”, lastlogin=NOW() WHERE ip = ‘$value'”;
$result = mysql_query($q, $this->connection);
}
else {
$q = “UPDATE “.TBL_ATTEMPTS.” SET attempts=”.$attempts.” WHERE ip = ‘$value'”;
$result = mysql_query($q, $this->connection);
}
}
else {
$q = “INSERT INTO “.TBL_ATTEMPTS.” (attempts,IP,lastlogin) values (1, ‘$value’, NOW())”;
$result = mysql_query($q, $this->connection);
}
}

function clearLoginAttempts($value) {
$q = “UPDATE “.TBL_ATTEMPTS.” SET attempts = 0 WHERE ip = ‘$value'”;
return mysql_query($q, $this->connection);
}
?>