Limit Login Attempts - Blocking Brute Force Attacks

Details
Category: Websites Security
Hits: 13647

Beside using CAPTCHA  there is alternative methods to protect your website control panel .

This is a simple tutorial i made with sessions in PHP to prevent brute force attacks against your website by limiting login attempts for users .

Here is my steps in order to protect your PHP file :

Step A 

initiate a session by placing "session_start();" at beginning of your page .

Step B

Here we will use the a session varialbe called "protect" to store our check value for loging attempts, at the first time user brows our page we will give it "0" value, then for each user login retries we will increase its value and when its value reached our attempts limits we stop and kill the page code, there will be 2 part of this code :

First we check if the session protect have no value (means the user brows the page for the first time) we assing "0" as its value .

if(!$_SESSION['protect'])  {  $_SESSION['protect']=0; } 

Second we check if the session protect value is over 2 (3 login attempts) we kill the page code by using die() function. 

if($_SESSION['protect']>2) { die('You Are Blocked! Contact <a href="mailto:This email address is being protected from spambots. You need JavaScript enabled to view it.">khalil shreateh</a>'); }
 

Step C

in this step we increase our session prevent value 1 for each form login submit, for each login attempt the php page will refresh it self as the form method=post and the action is the page itself . 
$_SESSION['protect']++;
if the login succeeded we assign a specified value to a new session varialbe, lets call it session khalil . 
 

step D 

We check here if the session khalil have a value we run our control panel code, otherwise we show the login form code . 
 
if($_SESSION['khalil'])
{
// logged user page code
echo 'Welcome <b>'.htmlentities($_SESSION['khalil'], ENT_QUOTES).'</b>';
}
 
else 
{
echo '<form method="post"><tr> <td> username </td><td><input type="text" name="username"/></td></tr>
<tr> <td> password </td><td><input type="password" name="password"/></td></tr>
<tr> <td colspan="2" align="center"><input type="submit" name="checkpass" value="Validate"/></td></tr>
</form>';
}
 
This is my whole page code : 
 
<?php 
/**
 * @author khalil shreateh
 * @Protect Your Login Page
 * @copyright 2014
 */
session_start();
echo '<title>Limit Login Attempts - Blocking Brute Force Attacks</title>';
if(!$_SESSION['protect']){$_SESSION['protect']=0;}
if($_SESSION['protect']>2){die('You Are Blocked! Contact <a href="mailto:This email address is being protected from spambots. You need JavaScript enabled to view it.">khalil shreateh</a>');}
 
 
  if(isset($_REQUEST['checkpass']))
{
$_SESSION['protect']++;
$password=md5($_REQUEST['password']);
$username=$_REQUEST['username'];
if($password=="e10adc3949ba59abbe56e057f20f883e")  // pass: 123456 
{
$_SESSION['khalil']=$username; // assign session for logged user
} // end password check
}
 
 
if($_SESSION['khalil'])
{
// logged user page code
echo 'Welcome <b>'.htmlentities($_SESSION['khalil'], ENT_QUOTES).'</b>';
}
 
else 
{
echo '<form method="post"><tr> <td> username </td><td><input type="text" name="username"/></td></tr>
<tr> <td> password </td><td><input type="password" name="password"/></td></tr>
<tr> <td colspan="2" align="center"><input type="submit" name="checkpass" value="Validate"/></td></tr>
</form>';
}
 
 
?>
 
 
The password validation code above is 123456 you can customize yours by using sql query functions 
 

Demo : 

username : any user name 
password : 123456
 
Feel Free To Leave Your Question In The Down Comment Box