Blocking access to the login page after three unsuccessful login attempts

Sometimes you need to add an extra protection to password-protected website. This article explains how access to the login page can be restricted after three unsuccessful login attempts. This schema uses visitors IP address to store log attempts in the database and block access to login feature for 30 minutes after third unsuccessful attempt.

There are a number of reasons to restrict access. One reason is security. Quite often users try to guess login and password combination to get unauthorized access to the system. Another reason is extra load on server.

So let’s start. At first you need to create a new table in your database to store information about login attempts from a certain computer. SQL script creating such table in MySQL Server will be the following. For other databases it will slightly differ.

CREATE TABLE `LoginAttempts` 
(
`IP` VARCHAR( 20 ) NOT NULL ,
`Attempts` INT NOT NULL ,
`LastLogin` DATETIME NOT NULL 
) 

It is assumed that you have already had an authorization page. Otherwise you can create it using PHP, SSI, and similar languages. There are no major difficulties in writing this program (script).

Authorization page should work with two tables: one table where information about registered users is stored and the other one where unsuccessful login attempts are listed.
Before verifying entered data, system has to check if the user exceeded attempts limit or not. If in the LoginAttempts table there are more than two records correspondent to one IP address, then error message will appear saying that access is blocked for a certain period of time. You can set time period at your discretion. Depending on your security policy it can vary from 1 minute to 24 hours or more. In the following example access will be blocked for 30 minutes.

<?php
function confirmIPAddress($value) { 

  $q = "SELECT attempts, (CASE when lastlogin is not NULL and DATE_ADD(LastLogin, INTERVAL ".TIME_PERIOD.
  " MINUTE)>NOW() then 1 else 0 end) as Denied FROM ".TBL_ATTEMPTS." WHERE ip = '$value'"; 

  $result = mysql_query($q, $this->connection); 
  $data = mysql_fetch_array($result); 

  //Verify that at least one login attempt is in database 

  if (!$data) { 
    return 0; 
  } 
  if ($data["attempts"] >= ATTEMPTS_NUMBER) 
  { 
    if($data["Denied"] == 1) 
    { 
      return 1; 
    } 
    else 
    { 
      $this->clearLoginAttempts($value); 
      return 0; 
    } 
  } 
  return 0; 
} 

function addLoginAttempt($value) {

   //Increase number of attempts. Set last login attempt if required.

   $q = "SELECT * FROM ".TBL_ATTEMPTS." WHERE ip = '$value'"; 
   $result = mysql_query($q, $this->connection);
   $data = mysql_fetch_array($result);
   
   if($data)
   {
     $attempts = $data["attempts"]+1;         

     if($attempts==3) {
       $q = "UPDATE ".TBL_ATTEMPTS." SET attempts=".$attempts.", lastlogin=NOW() WHERE ip = '$value'";
       $result = mysql_query($q, $this->connection);
     }
     else {
       $q = "UPDATE ".TBL_ATTEMPTS." SET attempts=".$attempts." WHERE ip = '$value'";
       $result = mysql_query($q, $this->connection);
     }
   }
   else {
     $q = "INSERT INTO ".TBL_ATTEMPTS." (attempts,IP,lastlogin) values (1, '$value', NOW())";
     $result = mysql_query($q, $this->connection);
   }
}

function clearLoginAttempts($value) {
  $q = "UPDATE ".TBL_ATTEMPTS." SET attempts = 0 WHERE ip = '$value'"; 
  return mysql_query($q, $this->connection);
}
?>

If attempts limit has not been reached, then the system will check, if the data entered are correct. If the data are verified, information about previous attempts is deleted, and for the next authorization user again will have three login attempts.

You can test this login system online or download completed php scripts and try to use them on your site.