Question

Looking to improve my login script.

The aim is to set a timer every time a user tries to log in.

This time for now will just be 1 second, but after 5 attempts it will increase to 5 seconds and so on.

The purpose would be to prevent DDoS and brute force attacks.

However, I literally have no idea where to start with it. The login script consists of a process PHP page and then validation with JavaScript. The JavaScript side of things also uses a JSON return to see errors / success etc.

Any help on simply limiting the login to once per 1 second? Maybe this is easier with PHP?

Thanks for any help. I know I should provide code that I have tried but I need a push in the right direction first!


Solution

Never trust the client. If you do this in JavaScript, any potential attacker can simply avoid the JavaScript.

Do this in PHP. For each user, keep a timestamp of when they last attempted a login and the number of failed login attempts. When someone tries to log in, merely check this value. If the number of seconds elapsed since the last login attempt is too short given the number of failures, simply redirect them back to the login page with an error message.
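One way to implement the server-side check the answer describes, as an added example that is not part of the original answer. The `LoginThrottle` class, its method names, the `handleLoginAttempt` function and the array-backed store are all assumptions made for illustration; in a real deployment the store has to live somewhere shared across requests and PHP workers (a database table, Redis or APCu), because a plain array is gone as soon as the request ends. The delay schedule follows the question (1 second for the first 5 failures, 5 seconds after that) and then keeps escalating.

```php
<?php
// Added example (not from the original post): server-side login throttling
// with escalating delays. LoginThrottle, handleLoginAttempt and the
// array-backed store are assumptions for illustration; replace the array
// with a DB/Redis/APCu record keyed the same way for real use.

declare(strict_types=1);

final class LoginThrottle
{
    /** Required wait in seconds, indexed by intdiv(failures, 5): 1s for 0-4 failures, 5s for 5-9, then 30s, 300s, 3600s. */
    private const DELAY_SCHEDULE = [1, 5, 30, 300, 3600];

    /** @var array<string, array{failures:int, last_attempt:int}> in-memory stand-in for a shared store */
    private array $store = [];

    /** Key on account AND client address so an attacker cannot lock a victim out by hammering their username alone. */
    private static function key(string $username, string $clientIp): string
    {
        return hash('sha256', strtolower($username) . '|' . $clientIp);
    }

    /** Seconds a client with $failures recorded failures must wait since its last attempt. */
    public static function requiredDelay(int $failures): int
    {
        $idx = min(intdiv($failures, 5), count(self::DELAY_SCHEDULE) - 1);
        return self::DELAY_SCHEDULE[$idx];
    }

    /** 0 if the attempt may proceed, otherwise seconds still to wait. Call BEFORE touching the password. */
    public function secondsUntilAllowed(string $username, string $clientIp, int $now): int
    {
        $entry = $this->store[self::key($username, $clientIp)] ?? null;
        if ($entry === null) {
            return 0;
        }
        $elapsed = $now - $entry['last_attempt'];
        return max(0, self::requiredDelay($entry['failures']) - $elapsed);
    }

    /** A failed password check bumps the counter and refreshes the timestamp. */
    public function recordFailure(string $username, string $clientIp, int $now): void
    {
        $k = self::key($username, $clientIp);
        $failures = ($this->store[$k]['failures'] ?? 0) + 1;
        $this->store[$k] = ['failures' => $failures, 'last_attempt' => $now];
    }

    /** A successful login clears the counter for this account/IP pair. */
    public function recordSuccess(string $username, string $clientIp): void
    {
        unset($this->store[self::key($username, $clientIp)]);
    }
}

/**
 * One login request, returning the array the process page would json_encode()
 * for the JavaScript side. $passwordOk is what password_verify() returned.
 */
function handleLoginAttempt(LoginThrottle $t, string $user, string $ip, bool $passwordOk, int $now): array
{
    $wait = $t->secondsUntilAllowed($user, $ip, $now);
    if ($wait > 0) {
        // Refuse without evaluating the password at all.
        return ['success' => false, 'retry_after' => $wait, 'error' => "Too many attempts, retry in {$wait}s"];
    }
    if ($passwordOk) {
        $t->recordSuccess($user, $ip);
        return ['success' => true];
    }
    $t->recordFailure($user, $ip, $now);
    // Same message for unknown user and wrong password, so usernames cannot be enumerated.
    return ['success' => false, 'error' => 'Invalid username or password'];
}

// --- Constructed demo: one client repeatedly failing against the account "alice" ---
$throttle = new LoginThrottle();
$ip = '203.0.113.10';   // constructed client address
$now = 0;               // simulated clock in seconds
$failures = 0;
while ($failures < 7) {
    $result = handleLoginAttempt($throttle, 'alice', $ip, false, $now);
    if (isset($result['retry_after'])) {
        echo "t={$now}s refused: " . json_encode($result) . PHP_EOL;
        $now += $result['retry_after'];   // simulate the client waiting out the delay
        continue;
    }
    $failures++;
    echo "t={$now}s failure #{$failures} recorded, next attempt must wait "
        . LoginThrottle::requiredDelay($failures) . 's' . PHP_EOL;
}
// Failures 1-5 each impose a 1s wait; from the 5th failure on the wait becomes 5s.
```

Two caveats worth keeping in mind: do not implement the delay with `sleep()` inside the PHP request, since that ties up a worker per attacker connection and makes the site easier to exhaust; and per-account throttling like this slows brute forcing of one password but does nothing against a volumetric DDoS, which has to be handled in front of PHP (web server or reverse proxy rate limits, or an upstream filtering service).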

Licensed under: CC-BY-SA with attribution