I'm trying to block login for x minutes after y failed attempts. I'm already planning to log user logins, so I guess I could use the same database to calculate if blocking needs to happen.
My questions:
You need what's called a Password Attempt Window.
Basically 2 fields in the database, one LastPasswordAttempt (datetime) and PasswordAttemptCount (int).
Then on each login, check when the last LastPasswordAttempt occurred and if it has been in the last say 10 minutes - increment the PasswordAttemptCount, otherwise reset it to 0 (or 1 because they've just failed).
In the same logic, check whether PasswordAttemptCount is equal to say 5 or more, if it is - deny the user access. You could have a 3rd field which locks them out for a few hours or a day.
i.e. CanLoginAfter (datetime) which you can set to a day from the last password attempt.
Hope this helps
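The attempt window from the answer above, as an added example that is not part of the original answer. It assumes SQLite, a hypothetical `Users` table, datetimes stored as Unix seconds, and a `password_ok` flag that stands in for the caller's own password check.

```python
import sqlite3
from datetime import timedelta

WINDOW = timedelta(minutes=10).total_seconds()  # "in the last say 10 minutes"
MAX_ATTEMPTS = 5                                # "equal to say 5 or more"
LOCKOUT = timedelta(days=1).total_seconds()     # "a day from the last password attempt"

def open_db():
    # Assumption: datetimes are stored as Unix seconds in REAL columns.
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Users (
        Username TEXT PRIMARY KEY,
        LastPasswordAttempt REAL,
        PasswordAttemptCount INTEGER NOT NULL DEFAULT 0,
        CanLoginAfter REAL)""")
    return conn

def attempt_login(conn, username, password_ok, now):
    """Return 'locked', 'ok' or 'failed'. password_ok is the result of the
    caller's own password verification (hypothetical, out of scope here)."""
    ts = now.timestamp()
    row = conn.execute("SELECT CanLoginAfter FROM Users WHERE Username = ?",
                       (username,)).fetchone()
    if row is None:
        return "failed"                  # unknown user: no row to count against
    if row[0] is not None and ts < row[0]:
        return "locked"                  # deny even if the password is correct
    with conn:                           # commit the updates together
        if password_ok:
            conn.execute("""UPDATE Users SET PasswordAttemptCount = 0,
                CanLoginAfter = NULL WHERE Username = ?""", (username,))
            return "ok"
        # One UPDATE does the read-modify-write, so two concurrent failures
        # cannot lose an increment: inside the window add 1, else restart at 1.
        conn.execute("""UPDATE Users SET
            PasswordAttemptCount = CASE
                WHEN LastPasswordAttempt IS NOT NULL
                     AND ? - LastPasswordAttempt <= ? THEN PasswordAttemptCount + 1
                ELSE 1 END,
            LastPasswordAttempt = ?
            WHERE Username = ?""", (ts, WINDOW, ts, username))
        # Set the lockout only once the threshold has been reached.
        conn.execute("""UPDATE Users SET CanLoginAfter = ?
            WHERE Username = ? AND PasswordAttemptCount >= ?""",
            (ts + LOCKOUT, username, MAX_ATTEMPTS))
    return "failed"
```

Attempts made while the account is locked are rejected before the counter is touched, so they do not extend the lockout.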