I have developed a web site that my users must log in to. When a user comes I create a session for him/her and save the number and times of unsuccessful logins. When a user has tried to log in 5 times I show a CAPTCHA and force him to enter the CAPTCHA code. Now I want, when a user has tried more than 10 times, to redirect him to a simple HTML file that tells him "You are banned for 2 hours". The problem is: how can I identify a unique user on the internet? What information about a user, taken together, can identify a unique user?
You’re asking the user to log in, so it sounds like you already have a unique login ID for each user, and your underlying concern is to prevent a malicious user from subverting your system into locking out a different valid user while still stopping them from password cracking. Is that correct?
You cannot with absolute certainty prevent a malicious user from using your intrusion protection scheme to interfere with other users. If you see what appears to be someone attempting to brute-force another user’s password, then you can lock out that IP address for some duration… or possibly just that IP address for that account… but you run the risk of a malicious user behind a shared IP of a NAT gateway causing all other users behind that same gateway to be locked out. Any information sent to your server can be spoofed, so it’s a bit of a balancing act. A combination of user ID and IP address wouldn’t be infallible in terms of representing a unique individual, but it would be enough to prevent most common abuses.
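The scheme the answer settles on, keyed on the (user ID, IP address) pair with the asker's thresholds of a CAPTCHA after 5 failures and a two-hour ban after 10, as an added example that is not part of the original question or answer. The class name `LoginThrottle`, the `_Record` dataclass, the injectable `clock` parameter and the sample IPs are assumptions made for illustration; the thresholds come from the question.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CAPTCHA_AFTER = 5        # failed attempts before a CAPTCHA is required (from the question)
BAN_AFTER = 10           # failed attempts before the pair is locked out (from the question)
BAN_SECONDS = 2 * 3600   # two-hour ban (from the question)


@dataclass
class _Record:
    """Failure bookkeeping for one (user ID, client IP) pair. Hypothetical helper type."""
    failures: int = 0
    banned_until: float = 0.0  # epoch seconds; 0.0 means "not banned"


class LoginThrottle:
    """Tracks failed logins per (user ID, IP) pair, as the answer suggests.

    Keying on the pair rather than on the IP alone means a brute-forcer behind a
    NAT gateway only locks out *his own* attempts against *that* account, not
    every neighbour sharing the gateway's address. `clock` is injectable so the
    two-hour expiry can be exercised without waiting (an assumption of this example).
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._records: Dict[Tuple[str, str], _Record] = {}

    def _rec(self, user_id: str, ip: str) -> _Record:
        return self._records.setdefault((user_id, ip), _Record())

    def state(self, user_id: str, ip: str) -> str:
        """Return 'ok', 'captcha' or 'banned' for the next attempt from this pair."""
        rec = self._rec(user_id, ip)
        now = self._clock()
        if rec.banned_until > now:
            return "banned"
        if rec.banned_until:
            # The ban has expired: start counting afresh for this pair.
            rec.failures = 0
            rec.banned_until = 0.0
        if rec.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, user_id: str, ip: str) -> str:
        """Count one failed login and return the resulting state for the pair."""
        if self.state(user_id, ip) == "banned":
            return "banned"  # already locked out; do not extend the ban on further noise
        rec = self._rec(user_id, ip)
        rec.failures += 1
        if rec.failures >= BAN_AFTER:
            rec.banned_until = self._clock() + BAN_SECONDS
            return "banned"
        return self.state(user_id, ip)

    def record_success(self, user_id: str, ip: str) -> None:
        """A successful login clears the counter for that pair."""
        self._records.pop((user_id, ip), None)


if __name__ == "__main__":
    # Constructed demo: one client hammers "alice"; a NAT neighbour logging in as
    # "bob" from the same address is unaffected, as is "alice" from elsewhere.
    throttle = LoginThrottle()
    attacker_ip, other_ip = "198.51.100.7", "203.0.113.9"  # documentation addresses
    for attempt in range(1, 11):
        print(attempt, throttle.record_failure("alice", attacker_ip))
    print("bob from the same NAT address:", throttle.state("bob", attacker_ip))
    print("alice from another address:  ", throttle.state("alice", other_ip))
```

Feed `ip` from the socket peer address or from a proxy header you control; as the answer notes, anything the client sends (including `X-Forwarded-For`) can be spoofed, so an attacker who can choose the IP component can simply rotate it, and an attacker who cannot can still cause a lockout only for the one account he is already attacking from the one address he already has.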