
Blocking access to the login page after three unsuccessful login attempts

Sometimes you need to add extra protection to a password-protected website. This article explains how access to the login page can be restricted after three unsuccessful login attempts. The scheme records failed attempts per visitor IP address in a database table and blocks the login feature for that address for 30 minutes after the third failure. It relies on the Events feature, which is available in ASPRunnerpro 4.0 / PHPRunner 3.0.

Steps:

In MSSQL or MySQL, run the matching script below to create the table that logs login attempts. The IP column is wide enough for an IPv6 address in text form (45 characters) and is the primary key, because the event code assumes one row per address.

MSSQL Server Query
-- one row per visitor address; LastLogin is set when the third failure arms the block
CREATE TABLE LoginAttempts
(
IP varchar(45) NOT NULL PRIMARY KEY,
Attempts int default 0,
LastLogin datetime default NULL
)
 
MySQL Server Query
-- one row per visitor address; the PHP code always supplies LastLogin, so it can be NOT NULL
CREATE TABLE `LoginAttempts`
(
`IP` VARCHAR(45) NOT NULL PRIMARY KEY,
`Attempts` INT NOT NULL DEFAULT 0,
`LastLogin` DATETIME NOT NULL
)

Open your ASPRunner/PHPRunner project.
Proceed to the Security tab and check the Create login page option.



Check the Username and password from database option and choose the appropriate fields. If you do not yet have a table holding the login details, create it first.
Build your ASPRunner/PHPRunner project and view the generated files in Windows Explorer.
In the Include folder find the events.asp/events.php file and replace its code with the following:

ASPRunner Example
<%
Sub LoginOnLoad()
'********** Custom code ************
' put your custom code here

End Sub

Function BeforeLogin(username, password)
'********** Custom code ************
' check if this IP address is currently blocked
' REMOTE_ADDR is the TCP peer address supplied by IIS, not a client-controlled header

set rstmp=Server.CreateObject("ADODB.Recordset")
' Minutes = time since the third failure; a NULL LastLogin counts as long expired
rstmp.Open "select Attempts, case when LastLogin is NULL then 60 else datediff(mi, LastLogin, getdate()) end as Minutes from LoginAttempts where IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'", dbConnection

' read the row into variables and close the recordset before running any updates
bFound = not rstmp.eof
if bFound then
  nAttempts = rstmp("Attempts")
  nMinutes = rstmp("Minutes")
end if
rstmp.Close : set rstmp = Nothing

BeforeLogin = True
if bFound then
  if isnull(nAttempts) then nAttempts = 0
  if nAttempts>=3 then
    if nMinutes<30 then
      ' third failure was less than 30 minutes ago: refuse the login
      Response.Write "<p align=center><br><font color=red><b>Access denied for 30 minutes</b></font></p>"
      BeforeLogin = False
    else
      ' block expired: reset the counter and let the visitor try again
      dbConnection.Execute "update LoginAttempts set Attempts=0 where IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'"
    end if
  end if
end if

End Function

Sub AfterSuccessfulLogin()
'********** Custom code ************
' clear previous attempts from this address

dbConnection.Execute "update LoginAttempts set Attempts=0 where IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'"

End Sub

Sub AfterUnsuccessfulLogin()
'********** Custom code ************
' increase number of attempts
' set last login attempt time if required

set rstmp=Server.CreateObject("ADODB.Recordset")
rstmp.Open "select Attempts from LoginAttempts where IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'", dbConnection

bFound = not rstmp.eof
if bFound then
  nAttempts = rstmp("Attempts")
  if isnull(nAttempts) then
    nAttempts=1
  else
    nAttempts = nAttempts + 1
  end if
end if
rstmp.Close : set rstmp = Nothing

if bFound then
  if nAttempts=3 then
    ' third failure: record the time the block starts
    dbConnection.Execute "update LoginAttempts set Attempts=" & nAttempts & ", LastLogin=getdate() where IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'"
  else
    ' leave LastLogin untouched until the third failure
    dbConnection.Execute "update LoginAttempts set Attempts=" & nAttempts & " where IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'"
  end if
else
  ' first failure from this address; LastLogin stays NULL until the third failure
  dbConnection.Execute "insert into LoginAttempts (Attempts,IP) values (1, '" & Request.ServerVariables("REMOTE_ADDR") & "')"
end if

End Sub
%>
 
PHPRunner Example
<?php
function BeforeLogin($username, $password)
{
//********** Custom code ************
// check if this IP address is currently blocked
global $conn;
// REMOTE_ADDR is the TCP peer address set by the web server, not a client-supplied header
$ip = $_SERVER["REMOTE_ADDR"];
$sql = "select Attempts, LastLogin from LoginAttempts where IP = '" . $ip . "'";
$rs = db_query($sql,$conn);
$data = db_fetch_array($rs);

// no record for this address, or no time recorded yet: allow the login
if (!$data || !strlen($data["LastLogin"]))
  return true;

// minutes elapsed since the third failure was recorded
$atime = db2time($data["LastLogin"]);
$time = mktime($atime[3],$atime[4],$atime[5],$atime[1],$atime[2],$atime[0]);
$diff = (time()-$time)/60;

if ($data["Attempts"]>=3)
{
  if($diff<30)
  {
    // third failure was less than 30 minutes ago: refuse the login
    echo "<p align=center><br><font color=red><b>Access denied for 30 minutes</b></font></p>";
    return false;
  }
  else
  {
    // block expired: reset the counter and let the visitor try again
    db_exec("update LoginAttempts set Attempts=0 where IP = '" . $ip . "'",$conn);
    return true;
  }
}
return true;
}

function AfterSuccessfulLogin()
{
//********** Custom code ************
// clear previous attempts from this address

global $conn;
db_exec("update LoginAttempts set Attempts=0 where IP = '" . $_SERVER["REMOTE_ADDR"] . "'",$conn);

}

function AfterUnsuccessfulLogin()
{
//********** Custom code ************
// increase number of attempts
// set last login attempt time if required
global $conn;
$ip = $_SERVER["REMOTE_ADDR"];
$sql = "select Attempts from LoginAttempts where IP = '" . $ip . "'";
$rs = db_query($sql,$conn);
$data = db_fetch_array($rs);

if($data)
{
  $attempts = intval($data["Attempts"])+1;

  if($attempts==3)
  {
    // third failure: record the time the block starts
    db_exec("update LoginAttempts set Attempts=" . $attempts . ", LastLogin=now() where IP = '" . $ip . "'",$conn);
  }
  else
  {
    db_exec("update LoginAttempts set Attempts=" . $attempts . " where IP = '" . $ip . "'",$conn);
  }
}
else
{
  // first failure from this address
  db_exec("insert into LoginAttempts (Attempts,IP,LastLogin) values (1, '" . $ip . "', now())",$conn);
}
}
?>

View the generated pages in your browser.

Now visitors have to enter their username and password to gain access to the site. After the third unsuccessful login attempt from an address, further logins from that address are refused for 30 minutes, and a visitor who tries to log in during that period sees the "Access denied for 30 minutes" message. A successful login resets the counter for that address.

Note: the block is keyed on the visitor's IP address (REMOTE_ADDR), not on the account. Visitors who share one address, for example behind a NAT gateway or a forward proxy, are blocked together, and if the web server sits behind a reverse proxy REMOTE_ADDR is the proxy's address, so all visitors share one counter. Conversely, an attacker who can send requests from many addresses gets three attempts per address against the same account. Treat this scheme as a rate limiter for casual password guessing, not as a substitute for strong passwords or per-account lockout.
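The behaviour described above, written out as an added reference model rather than as code from this page or from ASPRunner/PHPRunner: the same LoginAttempts table and the same three hooks, in Python against an in-memory SQLite database so that the 30-minute window can be exercised offline with a fake clock. The class and function names, the widened IP column, the parameterised queries and the sample address are this example's own choices and are not part of the original article.

```python
# Added example (not ASPRunner/PHPRunner code): a reference model of the page's
# per-IP lockout, with the same table and the same three hooks, run against an
# in-memory SQLite database so the 30-minute window can be exercised offline.
import sqlite3
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 3     # the third failure arms the block
BLOCK_MINUTES = 30   # the block lasts this long after the third failure

# Same columns as the page's LoginAttempts table. IP is wide enough for IPv6
# text (45 chars covers IPv4-mapped IPv6) and is the primary key, since the
# hooks assume one row per address. LastLogin holds an ISO-8601 timestamp.
SCHEMA = """
CREATE TABLE LoginAttempts (
  IP        VARCHAR(45) NOT NULL PRIMARY KEY,
  Attempts  INTEGER NOT NULL DEFAULT 0,
  LastLogin TEXT
)
"""


class LoginThrottle:
    def __init__(self, conn, now=lambda: datetime.now(timezone.utc)):
        self.conn = conn
        self.now = now          # injectable clock, so the window can be tested
        conn.execute(SCHEMA)

    def _row(self, ip):
        # Parameterised query: the address never becomes part of the SQL text.
        return self.conn.execute(
            "SELECT Attempts, LastLogin FROM LoginAttempts WHERE IP = ?", (ip,)
        ).fetchone()

    def attempts(self, ip):
        row = self._row(ip)
        return row[0] if row else 0

    def before_login(self, ip):
        """BeforeLogin hook: False while the address is blocked, True otherwise."""
        row = self._row(ip)
        if row is None or row[0] < MAX_ATTEMPTS:
            return True
        if row[1] is None:               # counter at 3 but no time recorded
            return True
        elapsed = self.now() - datetime.fromisoformat(row[1])
        if elapsed < timedelta(minutes=BLOCK_MINUTES):
            return False                 # still inside the 30-minute block
        # Block expired: reset the counter and let the visitor try again.
        self.conn.execute("UPDATE LoginAttempts SET Attempts = 0 WHERE IP = ?", (ip,))
        return True

    def after_successful_login(self, ip):
        """AfterSuccessfulLogin hook: forget earlier failures from this address."""
        self.conn.execute("UPDATE LoginAttempts SET Attempts = 0 WHERE IP = ?", (ip,))

    def after_unsuccessful_login(self, ip):
        """AfterUnsuccessfulLogin hook: count the failure; returns the new count."""
        row = self._row(ip)
        if row is None:
            self.conn.execute(
                "INSERT INTO LoginAttempts (IP, Attempts) VALUES (?, 1)", (ip,))
            return 1
        attempts = row[0] + 1
        if attempts == MAX_ATTEMPTS:
            # Third failure: stamp the moment the block starts.
            self.conn.execute(
                "UPDATE LoginAttempts SET Attempts = ?, LastLogin = ? WHERE IP = ?",
                (attempts, self.now().isoformat(), ip))
        else:
            self.conn.execute(
                "UPDATE LoginAttempts SET Attempts = ? WHERE IP = ?", (attempts, ip))
        return attempts


def demo():
    """Walk one constructed address through the lockout with a fake clock."""
    clock = {"t": datetime(2006, 1, 1, 12, 0, tzinfo=timezone.utc)}
    throttle = LoginThrottle(sqlite3.connect(":memory:"), now=lambda: clock["t"])
    ip = "2001:db8::1"   # constructed sample address (IPv6, to show the column width)
    allowed = []
    for _ in range(3):                         # three failures
        allowed.append(throttle.before_login(ip))
        throttle.after_unsuccessful_login(ip)
    allowed.append(throttle.before_login(ip))  # 4th attempt: blocked
    clock["t"] += timedelta(minutes=29)
    allowed.append(throttle.before_login(ip))  # minute 29: still blocked
    clock["t"] += timedelta(minutes=1)
    allowed.append(throttle.before_login(ip))  # minute 30: allowed, counter reset
    after_reset = [throttle.after_unsuccessful_login(ip) for _ in range(2)]
    throttle.after_successful_login(ip)        # a correct password clears the count
    return {"allowed": allowed, "after_reset": after_reset,
            "after_success": throttle.attempts(ip)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcome of each step: three allowed attempts, a refused fourth attempt at minute 0 and at minute 29, an allowed attempt at minute 30 with the counter back at zero, and a successful login wiping the two failures that follow. Because SQLite stores the timestamp as text, the elapsed time is compared in Python rather than with datediff or mktime as in the events code, and the parameterised queries stand in for the string concatenation of REMOTE_ADDR.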

Applies to:
ASPRunner Pro
PHPRunner


 
 


  © 1999 - 2006 XLineSoft. All rights reserved. All comments send to webmaster@xlinesoft.com