How can I limit my web site to 3 bad login attempts? by Ovatvvon
Posted: 1 Feb 02

First off, if you don't know how to make a secure login from scratch, visit Geee's FAQ at FAQ333-1030 to learn about that. It is not the scope of this FAQ to show you how to make a secure login, only to make it MORE secure by limiting the number of bad attempts at logging into your web site. With that said...

First we need to think about what we want to do and answer some questions...

 - Do we want to limit the user to 3 bad login attempts, or another number?
 - Do we want a bad login attempt to count only IF the login ID matches one in the database, or on any unmatched login attempt as well?
 - Do we want every bad login attempt to count towards the same limit, or do we want to keep separate counts for attempts that match a user ID in the database and attempts that do not?
 - When the user hits the maximum limit, do we want to redirect to another page informing them of their bad attempts and allow them to continue logging in, lock them out for the session duration (normally 20 min), or lock them out indefinitely until the database/web site administrator unlocks them?


What I have used before is the following, which I will demonstrate how to construct according to these characteristics:

 - I want to separate the bad login attempts into two categories: 1. Unmatched attempts and 2. ID matched attempts.
 - I want to limit the Unmatched attempts to 5 attempts, and the matched attempts to 3 attempts.
 - If the unmatched attempt maximum limit has been reached, I want to lock the user out for the session duration.
 - If the matched attempt maximum limit has been reached, I want to lock the user out indefinitely until the administrator unlocks them.




LOGIN FORM PAGE (login.asp)
------------------------------

<% @ Language=VBScript %>
<%
  Dim msg
  msg = Request.QueryString("msg")

  'HTML-encode the message so a crafted msg= value cannot inject script into this page.
  If msg <> "" Then
      Response.write(Server.HTMLEncode(msg))
  End If
%>

<BR>
<FORM METHOD='post' ACTION='loginDone.asp'>
<input type='text' name='userID' size='20' maxlength='16'> User ID<BR>
<input type='password' name='userPW' size='20' maxlength='16'> Password<BR>
<input type='submit' value='Submit'><BR>
</FORM>





LOGIN PROCESSING PAGE (loginDone.asp)
---------------------------------------

<% @ Language=VBScript %>
<%
  Option Explicit
  Response.Expires = 0
%>
<!-- #include file="ADOVBS.INC" -->
<%
  'Both limit checks run before the submitted form is looked at, so once a limit
  'has been reached even a correct password is refused for the rest of the session.
  If session("memberCount") >= 3 Then
        Response.write("You have incorrectly tried to access the member area 3 or more times.<BR>")
        Response.write("The account " & Server.HTMLEncode("" & session("memberName")) & " has been locked.<BR>")
        Response.write("Contact the administrator to unlock the account.<BR>")
        'Insert your database connection here to set the "lockout" yes/no field of the users
        'row whose id matches session("memberName") to True, so they stay locked out until
        'the administrator unlocks them.
        Response.End
  ElseIf session("userCount") >= 5 Then
        Response.write("You have incorrectly tried to access the member area 5 or more times.<BR>")
        Response.End
  End If

  Dim userID, userPW
  userID = Trim(Request.Form("userID"))
  userPW = Trim(Request.Form("userPW"))
  If userID="" or userPW="" Then
        Response.redirect("login.asp?msg=You+Must+Enter+A+User+ID+AND+Password!")
  End If

  Dim conn, connString, cmd, rs
  'Make a disconnected recordset for faster searches and using fewer resources on the server.
  'The user ID is passed as a query parameter rather than concatenated into the SQL text,
  'so a crafted ID cannot alter the query (SQL injection).
  Set conn = Server.CreateObject("ADODB.Connection")
  connString = "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("myDatabase.mdb") & ";"
  conn.Open connString
  Set cmd = Server.CreateObject("ADODB.Command")
  Set cmd.ActiveConnection = conn
  cmd.CommandType = adCmdText
  cmd.CommandText = "SELECT * FROM users WHERE id = ?"
  cmd.Parameters.Append cmd.CreateParameter("id", adVarChar, adParamInput, 16, userID)
  Set rs = Server.CreateObject("ADODB.Recordset")
  rs.CursorLocation = adUseClient
  rs.Open cmd, , adOpenStatic, adLockReadOnly
  Set rs.ActiveConnection = Nothing
  conn.Close
  Set conn = Nothing

  If rs.EOF Then
      'No matching user ID: count it against the session-wide unmatched limit.
      If session("userCount") <> "" Then
          session("userCount") = session("userCount") + 1
      Else
          session("userCount") = 1
      End If
      Response.redirect("login.asp?msg=No+Such+User")
  Else
      If rs("lockout") = True Then
          Response.write("The account " & Server.HTMLEncode(userID) & " has been locked.<BR>")
          Response.write("Contact the administrator to unlock the account.<BR>")
          Response.End
      Else
          'A different matched ID restarts the matched counter; the same ID increments it.
          If session("memberName") <> userID Then
              session("memberName") = userID
              session("memberCount") = 1
          Else
              session("memberCount") = session("memberCount") + 1
          End If

          If rs("pw") <> userPW Then
              Response.redirect("login.asp?msg=Incorrect+Password")
          Else
              'Successful login: clear every counter so earlier bad attempts no longer count.
              Session.Contents.Remove("userCount")
              Session.Contents.Remove("memberCount")
              Session.Contents.Remove("memberName")

              session("userID") = rs("id")
              session("age") = rs("age")
              session("email") = rs("email")
              session("signinFlag") = True 'to verify access to the member area

              Response.redirect("memberArea.asp")
          End If
      End If
  End If

  rs.Close
  Set rs = Nothing
%>
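To make the counter logic above easy to trace without IIS, here is an added example in Python (not part of the original FAQ) that models the same session variables, the users table with its lockout flag, and the two limits from the list of characteristics, and applies one login attempt at a time. The users dictionary and the outcome strings are constructed for the example.

```python
from dataclasses import dataclass

UNMATCHED_LIMIT = 5  # bad attempts with an unknown user ID, per session
MATCHED_LIMIT = 3    # bad passwords for a known user ID before a persistent lock


@dataclass
class User:
    password: str         # the FAQ compares plaintext; a real store should hold a hash
    locked: bool = False  # the "lockout" yes/no field in the users table


@dataclass
class Session:
    user_count: int = 0    # session("userCount")
    member_name: str = ""  # session("memberName")
    member_count: int = 0  # session("memberCount")
    signed_in: str = ""    # session("userID") once signinFlag is set


def attempt_login(users, sess, user_id, password):
    """Apply one login attempt to the session state; return the outcome the page would show."""
    # The two limit checks run before the submitted form is read, as in loginDone.asp,
    # so a correct password submitted after a limit is reached is still refused.
    if sess.member_count >= MATCHED_LIMIT:
        if sess.member_name in users:
            users[sess.member_name].locked = True  # persistent lock until an admin clears it
        return "account locked"
    if sess.user_count >= UNMATCHED_LIMIT:
        return "session locked"
    if not user_id or not password:
        return "missing fields"
    user = users.get(user_id)
    if user is None:
        sess.user_count += 1  # unmatched attempt: counts against the session-wide limit
        return "no such user"
    if user.locked:
        return "account locked"
    if sess.member_name != user_id:  # a different known ID restarts the matched counter
        sess.member_name, sess.member_count = user_id, 1
    else:
        sess.member_count += 1
    if user.password != password:
        return "incorrect password"
    # Success: every counter is cleared, as Session.Contents.Remove does on the page.
    sess.user_count, sess.member_count, sess.member_name = 0, 0, ""
    sess.signed_in = user_id
    return "ok"
```

Note that the third wrong password only raises the counter; the persistent lock is written on the next request, and a fresh session clears the session counters but not the lockout flag in the table.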




Hope this helps!
