I have login page. Do I need to protect it with Captcha or how should I handle it?
For example, if person knows an username, he can use curl or whatever and try to guess passwords many times. It will use many MySQL queries and it will eat my resources.
So, should I use Captcha for login? Or maybe I should store how many times person tried to guess the password with $_SESSION and if he guessed 10 times password wrong, then I would show Captcha? Is it safe to use such a information in $_SESSION? Maybe I should allow person to enter login only every 10 seconds also with $_SESSION? Would it be 100% safe? Or what would you suggest me?
EDIT: Please read my comment under Eljakim’s post.
Don’t go for the session approach.
A captcha may help, but it will annoy your normal users.
You may wish to keep track in your database of how many invalid logins have been tried from a specific IP-address or a specific username within (say) the last 10 minutes. If it goes over a specific threshold, just block that username or IP-address for a while.
Don’t do this in the session! An attacker will probably not send the cookie that supports the session, or can just spoof them.