using usleep() with session data
#1

[eluser]loonychune[/eluser]
Hello again,

I'm building a login system and decided to limit the rate at which logins can be made (as opposed to limiting the number of login attempts). I want to know if users can fool the session data into thinking they have never tried to log in:

I'm thinking along these lines:

1) controller constructor initialises number of login attempts to 0, if not already initialised

Code:
// Start the per-session counter at 0 (the poster guards this with an "if not already initialised" check)
$this->session->set_userdata(array('login_attempts' => 0));

2) validation method then increments this value every time a login is attempted

Code:
// Increment the stored counter; the key must match the one set in the constructor ('login_attempts', not 'login-attempts')
$this->session->set_userdata(array(
    'login_attempts' => $this->session->userdata('login_attempts') + 1
));

3) the value of 'login_attempts', stored in the session data, is fed into usleep()

Code:
// Delay 0.5 s per recorded attempt, reading the count from the session rather than an undefined local variable
usleep($this->session->userdata('login_attempts') * 500000);

So, I'm wondering if users can somehow reset their session so that 'login_attempts' is always set equal to zero...

Is using sessions the best way, or even an OK way, to keep track of the number of login attempts?

Thanks,

Damian
#2

[eluser]whitey5759[/eluser]
If you turn on encryption for session data, then the user won't be able to change the 'login-attempts' variable's value in the session cookie
#3

[eluser]bretticus[/eluser]
Actually, if it's a brute force attack you're worried about, it's very simple to replay the URL post WITHOUT sending the session cookie. Using sessions is not effective.

I went looking for a post that explains this in more detail and came across this blog post first.

Makes my point.
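Added example (not code from the thread or from CodeIgniter): a side-by-side simulation of the session-based counter, which a client can reset simply by not sending its cookie back, and a counter kept server-side and keyed on the account being logged into. The class and variable names are assumptions for this illustration.

```php
<?php
// Added example: session-kept attempt counter vs a server-side, account-keyed one.
// LoginThrottle and the 'alice' scenario are constructed for this illustration.

final class LoginThrottle
{
    // Server-side store: account name => failed attempts so far. In a real
    // deployment this is a database table or cache; the client cannot discard it.
    private array $store = [];

    // Delay in microseconds for the next attempt on this account (feeds usleep()).
    public function delayFor(string $account): int
    {
        $attempts = $this->store[$account] ?? 0;
        return $attempts * 500000;          // 0.5 s per previous attempt
    }

    public function recordAttempt(string $account): void
    {
        $this->store[$account] = ($this->store[$account] ?? 0) + 1;
    }

    public function reset(string $account): void   // call on successful login
    {
        unset($this->store[$account]);
    }
}

// Session-based counter: the "session" is whatever the client presents.
// A client that omits its cookie arrives with an empty session on every request.
function sessionDelay(array $session): int
{
    return ($session['login_attempts'] ?? 0) * 500000;
}

// Constructed scenario: five failed attempts against the same account,
// with the client never returning its session cookie.
$throttle = new LoginThrottle();
$serverDelays = [];
$sessionDelays = [];
for ($i = 0; $i < 5; $i++) {
    $serverDelays[]  = $throttle->delayFor('alice');
    $throttle->recordAttempt('alice');
    $sessionDelays[] = sessionDelay([]);    // empty session: counter is always 0
}
printf("server-side delays (us): %s\n", implode(', ', $serverDelays));
printf("session delays (us):     %s\n", implode(', ', $sessionDelays));
```

The server-side delays grow with each attempt while the session-based ones stay at zero, which is the point bretticus makes above; whatever the throttle is keyed on must live on the server, not in state the client chooses whether to send.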
#4

[eluser]loonychune[/eluser]
Very useful, thanks. This is exactly what I was wondering about!
