using usleep() with session data
[eluser]loonychune[/eluser]
Hello again, I'm building a login system and decided to limit the rate at which logins can be made (as opposed to limiting the number of login attempts). I want to know if users can fool the session data into thinking they have never tried to log in. I'm thinking along these lines:

1) controller constructor initialises number of login attempts to 0, if not already initialised
Code:
$this->session->set_userdata(array('login_attempts' => 0));

2) validation method then increments this value every time a login is attempted
Code:
$login_attempts = $this->session->userdata('login_attempts');
$this->session->set_userdata(array('login_attempts' => $login_attempts + 1));

3) the value of 'login_attempts', stored in the session data, is fed into usleep()
Code:
usleep($login_attempts * 500000);

So, I'm wondering if users can somehow reset their session so that 'login_attempts' is always set equal to zero... Is using sessions the best way, or even an OK way, to keep track of the number of login attempts?

Thanks, Damian
[eluser]whitey5759[/eluser]
If you turn on encryption for session data, then the user won't be able to change the 'login_attempts' variable's value in the session cookie.
[eluser]bretticus[/eluser]
Actually, if it's a brute force attack you're worried about, it's very simple to replay the URL post WITHOUT sending the session cookie. Using sessions is not effective. I went looking for a post that explains this in more detail and came across this blog post first. Makes my point.
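An added example (not code from the thread or from CodeIgniter) of the alternative bretticus is pointing at: keep the attempt counter on the server, keyed by the account name being tried, so a client that simply omits the session cookie does not start again at zero. The class name, the in-memory storage and the 15-minute window are assumptions for the illustration.

```php
<?php
// Added example, not from the thread: server-side login throttle keyed by
// account name. Storage is an in-memory array for the demonstration; in a
// real deployment it would be a database table or cache shared by all
// PHP workers, otherwise each worker keeps its own count.

class LoginThrottle
{
    private array $attempts = [];      // username => [count, timestamp of last attempt]
    private int $window = 900;         // assumed: forget attempts older than 15 minutes
    private int $stepMicros = 500000;  // the same 0.5 s per attempt the original post uses

    // Call this on every failed login, before or after the password check
    public function record(string $username): void
    {
        $now = time();
        [$count, $last] = $this->attempts[$username] ?? [0, $now];
        if ($now - $last > $this->window) {
            $count = 0;                // stale entry: start counting again
        }
        $this->attempts[$username] = [$count + 1, $now];
    }

    // Delay the login handler should apply before checking the next password.
    // Capped so that a flood of attempts cannot make the handler sleep for minutes.
    public function delayMicros(string $username): int
    {
        $count = $this->attempts[$username][0] ?? 0;
        return min($count, 10) * $this->stepMicros;
    }
}

// Constructed walk-through: three failed attempts against the account "alice".
// No session cookie is involved, so dropping the cookie does not reset anything.
$throttle = new LoginThrottle();
for ($i = 0; $i < 3; $i++) {
    $throttle->record('alice');
}
usleep($throttle->delayMicros('alice'));
printf("next attempt for alice is delayed by %d us\n", $throttle->delayMicros('alice'));
```

Because the key is the account name, the delay also lands on the legitimate owner of that account while attempts are being made against it, so pair it with logging of the source addresses rather than relying on the delay alone.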
[eluser]loonychune[/eluser]
Very useful, thanks! This is exactly what I was wondering about!