+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Blocking IP address after x failed login attempts? (/showthread.php?tid=8409)
Blocking IP address after x failed login attempts? - El Forum - 05-16-2008
[eluser]Josamoto[/eluser]
I am building a login system for Flex with PHP + CodeIgniter + AMFPHP in the server side backend.
I want to enable my system to allow each user to have only 5 opportunities to login. And 5 failed attempts, his IP must be blocked for 15 minutes, whereafter he can login again.
The problem is, there are ways around this.
I can try blocking them by:
a) session id
b) ip address
...but
a) ...can be tricked by simply restarting the browser, thus creating a new session.
b) ...can be tricked by using proxies and techniques I don't even know about, not even to mention ISP's that give dynamic IP addresses.
What is the best way to detect IP addresses (or at least identify specific PC's) from visitors, and how can I blacklist specific computers from logging in.
Thanks
Blocking IP address after x failed login attempts? - El Forum - 05-16-2008
[eluser]Tom Glover[/eluser]
Block by Cookie, without them clearing all your site cookies they will be blocked weather or not they use proxies or change browser or ip!
Blocking IP address after x failed login attempts? - El Forum - 05-16-2008
[eluser]Pascal Kriete[/eluser]
You can never 'truly' block anyone unless you contact their isp. That said, you can make it harder using all the things that have already been mentioned.
Blocking IP address after x failed login attempts? - El Forum - 05-17-2008
[eluser]Josamoto[/eluser]
In my honest opinion, no "secure" computer system is secure. I mean, just look at the number of keygens available for nearly every application on the planet. People just tend to crack...well...everything.
I therefore agree with you inparo. A lock doesn't keep a burglar out, it just slows them down. I remember once at Johannesburg airport, I put a lock on one of my suitcases. Someone got into the bag, without even touching the lock, they just clipped the "ears" of the zippers. Shows you, security sometimes just gives you false piece of mind.
About blocking by cookies, it's against my policy to use cookies, more and more people are turning cookies off, and I've chosen to use server side sessions.
Any ideas on implementing the 15 minute blockout, should a person fail to login say 5 times in a row?