Deny Access if password is wrong 3 times

Carlos Marangon wrote:

Can anyone please tell me where can I find a script that
deny access if password is wrong 3 times

Wouldn't you rather make your own?

Initialize a session variable to 0; at every access with a bad password
increment the variable and deny access when that variable is greater
than 3.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--

I noticed that Message-ID:
<2c************ *************@p osting.google.c om> from Carlos Marangon
contained the following:

hello!

Can anyone please tell me where can I find a script that
deny access if password is wrong 3 times

For a single username and password, you can include the following at the
beginning of each page.

<?php
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($GLOBAL S['PHP_AUTH_USER'])) {

// If empty, send header causing dialog box to appear

header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;

} else if (isset($GLOBALS['PHP_AUTH_USER'])) {

if (($GLOBALS['PHP_AUTH_USER'] != "Username") ||
($GLOBALS['PHP_AUTH_PW'] != "Password") ) {

header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;

} else {
echo "
<P>You're authorized!</p>
";
}
}
?>
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Won't work if cookie is off. You get a fresh session every time.

Uzytkownik "Pedro Graca" <he****@hotpop. com> napisal w wiadomosci
news:c1******** *****@ID-203069.news.uni-berlin.de...

Carlos Marangon wrote:

Can anyone please tell me where can I find a script that
deny access if password is wrong 3 times

Wouldn't you rather make your own?

Initialize a session variable to 0; at every access with a bad password
increment the variable and deny access when that variable is greater
than 3.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--

[top-post fixed]
"Chung Leong" <ch***********@ hotmail.com> wrote in message news:<ou******* *************@c omcast.com>...

Uzytkownik "Pedro Graca" <he****@hotpop. com> napisal w wiadomosci
news:c1******** *****@ID-203069.news.uni-berlin.de...

Carlos Marangon wrote:

Can anyone please tell me where can I find a script that
deny access if password is wrong 3 times
Wouldn't you rather make your own?

Initialize a session variable to 0; at every access with a bad password
increment the variable and deny access when that variable is greater
than 3.

Won't work if cookie is off. You get a fresh session every time.

Nope. Session will work even without cookies--ie, with transid

--
"Success is not what you achieve, but it is what you die for"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com

Carlos Marangon wrote:

Can anyone please tell me where can I find a script that
deny access if password is wrong 3 times

Not a script, but a suggested method:

Create a log file or database table to log IP, time and username of person
trying to log in. At each attempted login, read the file or database within the
last day (or hour or whatever). If the account has had 3 or more attempts to
log in within your chosen time period, deny access. That way, it's
self-healing. I.e. the user just has to wait until enough time has gone by to
log in and no administrative work is necessary to undo the block. The downside
is somebody could deny another user access by trying to log in as them
repeatedly, but you'd have their IP and could possibly track it from there. You
could add a script to deny user access from specific IP blocks/username
combinations to limit the scope of the problem.

This method is more secure than a cookie or session based system, as all the
pertinent info is saved on the server. But it's quite a bit more work.

Shawn
--
Shawn Wilson
sh***@glassgian t.com
http://www.glassgiant.com

Uzytkownik "R. Rajesh Jeba Anbiah" <ng**********@r ediffmail.com> napisal w
wiadomosci news:ab******** *************** ***@posting.goo gle.com...

Won't work if cookie is off. You get a fresh session every time.

Nope. Session will work even without cookies--ie, with transid

Would someone trying to break into the system happily supply the id? I think
not.

"Chung Leong" <ch***********@ hotmail.com> wrote in message news:<46******* *************@c omcast.com>...

Uzytkownik "R. Rajesh Jeba Anbiah" <ng**********@r ediffmail.com> napisal w
wiadomosci news:ab******** *************** ***@posting.goo gle.com...

Won't work if cookie is off. You get a fresh session every time.

Nope. Session will work even without cookies--ie, with transid

Would someone trying to break into the system happily supply the id? I think
not.

That is the different problem with the trans_sid. But, I just
wanted to say that session will work if trans_sid is enabled.

--
"Success is not what you achieve, but it is what you die for"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com