I’m working on an auth system with login failure.
If the user fails to login, the attempts number in database is incremented and if a defined limit is reached, PHP sets a session captcha variable to true.
So when the user (or spam bot) gets the login page again, a captcha form is shown thanks to the session variable.
But since spam bots could eventually delete the session cookie and retry, this may not be effective.
Should I use a database solution instead? How would you implement this (with or without the database)?
Spam bots can get around session restrictions fairly easily, so it would have to be done in the database to be effective. Spam bots can also change their IP address each request, although this is harder to achieve.
You’d have to put a login attempts field in the users table that starts at 0, increment it when they get the password wrong, and reset it to 0 when they log in successfully. When someone tries to log in as a user with login attempts > 5 you would then take them to another page with the captcha which they must enter correctly (even if the password was wrong).
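The database-backed flow the answer describes, as an added PHP example (not code from the question or the answer). It assumes a PDO connection and a `users` table with the constructed columns `id`, `username`, `password_hash` and `login_attempts`; the captcha check itself (`$captchaPassed`) is assumed to be done elsewhere.

```php
<?php
// Added example. Constructed schema this code assumes:
//   CREATE TABLE users (
//     id             INT PRIMARY KEY AUTO_INCREMENT,
//     username       VARCHAR(64) UNIQUE NOT NULL,
//     password_hash  VARCHAR(255) NOT NULL,   -- from password_hash()
//     login_attempts INT NOT NULL DEFAULT 0
//   );

const MAX_ATTEMPTS = 5;

// Used by the login page to decide whether to render the captcha form.
// The counter lives in the database, so deleting the session cookie does not reset it.
function captchaRequired(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT login_attempts FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $attempts = $stmt->fetchColumn();
    return $attempts !== false && (int)$attempts > MAX_ATTEMPTS;
}

// Returns 'ok', 'bad_password' or 'captcha_required'.
function attemptLogin(PDO $db, string $username, string $password, bool $captchaPassed): string
{
    $stmt = $db->prepare('SELECT id, password_hash, login_attempts FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Unknown account: there is no row to count against; treat as a plain failure.
        return 'bad_password';
    }

    // Over the limit: demand a correct captcha before even checking the password,
    // so a wrong password with no captcha still ends up on the captcha page.
    if ((int)$user['login_attempts'] > MAX_ATTEMPTS && !$captchaPassed) {
        return 'captcha_required';
    }

    if (!password_verify($password, $user['password_hash'])) {
        // Increment in SQL rather than read-modify-write so concurrent bad attempts are not lost.
        $db->prepare('UPDATE users SET login_attempts = login_attempts + 1 WHERE id = ?')
           ->execute([$user['id']]);
        return 'bad_password';
    }

    // Successful login resets the counter, as the answer describes.
    $db->prepare('UPDATE users SET login_attempts = 0 WHERE id = ?')->execute([$user['id']]);
    return 'ok';
}
```

The login page calls `captchaRequired()` to decide whether to show the captcha form, and the POST handler passes the captcha verification result into `attemptLogin()`; no session variable is needed for the decision.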