"Sparkplug" <sp*******@nowhere.net> wrote in message
news:opsidypgpufps5jf@cblaptop...
I have used the simple example of HTTP Authentication from the PHP website
as follows:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
My authentication code here
}
?>
At the moment, if the user gets it wrong they are locked-out until they
restart their browser.However, I want the user to have, say, five attempts
before being locked-out. I guess I need a counter so that I can
unset($_SERVER['PHP_AUTH_USER']; if there are any attempts remaining, but
I can't work out a way to make the counter persistent across attempts.
All ideas welcome.
I don't see why the user would get locked out. HTTP is stateless. Each
request is independent of each other. IE does not bring up the
authentication dialog box again after three failed attempts. But it will do
so again if you refresh the page. Netscape on the other hand would keep
showing the dialog box as long as it's receiving the status code 401.
Perhaps the problem here is your code. Are you sending 401 when the
username/password pair is incorrect? The absence of the PHP_AUTH_USER
needn't really to be handled separately. No username/password is--for the
most part--the same as wrong username/password.
As for limiting the number of attempts, the only effectively way to do this
is to save the time of each attempt in a database or a file on the server,
then count the number of attempt within a given time period.