Sometimes you need to add an extra protection to password-protected website. This article explains how access to the login page can be restricted after three unsuccessful login attempts. This schema uses visitors IP address to store log attempts in the database and block access to login feature for 30 minutes after third unsuccessful attempt.
There are a number of reasons to restrict access. One reason is security. Quite often users try to guess login and password combination to get unauthorized access to the system. Another reason is extra load on server.
So let’s start. At first you need to create a new table in your database to store information about login attempts from a certain computer. SQL script creating such table in MySQL Server will be the following. For other databases it will slightly differ.
It is assumed that you have already had an authorization page. Otherwise you can create it using PHP, SSI, and similar languages. There are no major difficulties in writing this program (script).
Authorization page should work with two tables: one table where information about registered users is stored and the other one where unsuccessful login attempts are listed.
Before verifying entered data, system has to check if the user exceeded attempts limit or not. If in the LoginAttempts table there are more than two records correspondent to one IP address, then error message will appear saying that access is blocked for a certain period of time. You can set time period at your discretion. Depending on your security policy it can vary from 1 minute to 24 hours or more. In the following example access will be blocked for 30 minutes.
If attempts limit has not been reached, then the system will check, if the data entered are correct. If the data are verified, information about previous attempts is deleted, and for the next authorization user again will have three login attempts.