
locking down app

         

Gilead

4:15 pm on Nov 22, 2011 (gmt 0)

10+ Year Member



I'm looking at security at this point.
1. On every page it checks for a $_SESSION. If one doesn't exist, it sends you back to the login page.

2. headers preventing caching:
header("Expires: Fri, 01 Jan 1988 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter('nocache'); // with no argument this only reads the current setting; must be called before session_start()

3. making sure the input and output are sanitized on the forms.

What I'd like to do is to track login attempts and, after so many, ban your IP address. When you get to the login page, it ends any previous sessions, so I guess I can't use a session variable to track login attempts. Any thoughts on how to do this?

Unlike other issues I've had, I cannot find any examples to use as a base. Any assistance would be appreciated.
Thanks!

Also if there are other things I should look for or any other suggestions; a checklist perhaps?
Thanks again!

rocknbil

4:49 pm on Nov 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



When you get to the login page, it ends any previous sessions


It shouldn't. You should have an include somewhere that is included in **all** scripts that makes classes/functions available at all times. This is one of them. Even if you log out, the session should still be active; you just undefine the variables that hold the user's validation values.

session_start() doesn't just start a session, it also resumes any other started sessions.

With that in mind, a table,

id|sessid|user|id|loginattempts|banned_until

// Attempted login:
// select * from table where sessid='$sessid' and user = $user
// see if now() <= banned_until; if it is, reset loginattempts and enter new time (banned_until should be 0000-00-00 00:00:00 or null if they haven't been banned)
// increment loginattempts (0 ++ will be 1),

Increment it and when loginattempts exceeds your set value, enter a datetime value in banned_until, like date_add(now(),interval 15 minute) or something.
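The counter-and-ban scheme from this reply, written out as an added example (not code from either poster): failures are counted in a table, a ban timestamp is set once the limit is reached, and an expired ban resets the counter. It uses an in-memory SQLite database, a constructed table name and column names, and keys the counter on the client IP the original poster asked about rather than on the session id (a client that drops its cookie gets a fresh session id, so a session-keyed counter alone is easy to evade).

```php
<?php
// Added example: login-attempt throttling with a temporary ban, stored in a
// database table as the reply describes. Table/column names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login_attempts (
    client_key   TEXT PRIMARY KEY,   -- IP address (or username) being throttled
    attempts     INTEGER NOT NULL DEFAULT 0,
    banned_until INTEGER NULL        -- unix timestamp; NULL = not banned
)");

const MAX_ATTEMPTS = 5;          // failures allowed before a ban
const BAN_SECONDS  = 15 * 60;    // the reply's "interval 15 minute"

// True if the client may attempt a login right now (no ban, or ban expired).
function login_allowed(PDO $db, string $key, int $now): bool {
    $st = $db->prepare("SELECT banned_until FROM login_attempts WHERE client_key = ?");
    $st->execute([$key]);
    $until = $st->fetchColumn();               // false = no row, null = never banned
    return $until === false || $until === null || $now > (int)$until;
}

// Records one attempt. Success clears the counter; failures accumulate and
// trigger a ban once MAX_ATTEMPTS is reached.
function record_attempt(PDO $db, string $key, bool $success, int $now): void {
    if ($success) {
        $db->prepare("DELETE FROM login_attempts WHERE client_key = ?")->execute([$key]);
        return;
    }
    // An expired ban resets the counter (the reply's "reset loginattempts").
    $db->prepare("UPDATE login_attempts SET attempts = 0, banned_until = NULL
                  WHERE client_key = ? AND banned_until IS NOT NULL AND banned_until <= ?")
       ->execute([$key, $now]);
    // Increment (0 ++ becomes 1), creating the row on the first failure.
    $db->prepare("INSERT INTO login_attempts (client_key, attempts) VALUES (?, 1)
                  ON CONFLICT(client_key) DO UPDATE SET attempts = attempts + 1")
       ->execute([$key]);
    // Set banned_until once the limit is reached and no ban is active yet.
    $db->prepare("UPDATE login_attempts SET banned_until = ?
                  WHERE client_key = ? AND attempts >= ? AND banned_until IS NULL")
       ->execute([$now + BAN_SECONDS, $key, MAX_ATTEMPTS]);
}

// Constructed walk-through: five failures from one address, then a sixth try.
$now = time();
$ip  = '203.0.113.10';   // documentation-range address, constructed
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    record_attempt($db, $ip, false, $now);
}
var_dump(login_allowed($db, $ip, $now));                   // bool(false): banned
var_dump(login_allowed($db, $ip, $now + BAN_SECONDS + 1)); // bool(true): ban expired
```

Call login_allowed() before checking the password and record_attempt() afterwards; the row is keyed on whatever identifier you throttle, so the same code works per username as well as per IP.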