jeffreyhi1 / loginsystem-rd

Automatically exported from code.google.com/p/loginsystem-rd

Pseudocode for locking of account based on failed attempts: Comments leading to a consensus please. #18

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The logins table has an attempts field (integer)

The web site developer could specify the max attempts in the global
configuration file.

I propose login attempts be kept in the logins table rather than session
state or cookie to prevent a malicious user from simply closing the browser
and/or deleting cookies to bypass controls.

So, how? If we add a success field this may be easier.

On a login attempt we would have to first retrieve the attempts value for
the userid and IP of  

On each login, update the attempts field.

If max attempts or greater, lock the user account and e-mail the webmaster and
account owner.

If a successful login occurs, we would need to update the success field to
1 so the attempts value of that record will not be used on the next login
attempt for the user.

Is this right?

Original issue reported on code.google.com by rdivilb...@gmail.com on 7 Feb 2010 at 12:18
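The procedure sketched above (count failures per userid and IP in a loginAttempts table, lock the account at the configured maximum, stop using the counter once a success is recorded), as an added Python/SQLite example rather than the project's own ASP/PHP code; the column names, the MAX_ATTEMPTS value and the notify stand-in are assumptions.

```python
import sqlite3

MAX_ATTEMPTS = 5  # assumed value of the global-configuration setting


def init_db():
    """Constructed in-memory schema: logins plus the loginAttempts table from the issue."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (userid TEXT PRIMARY KEY, locked INTEGER DEFAULT 0)")
    db.execute("""CREATE TABLE loginAttempts (
        userid TEXT, ip TEXT, attempts INTEGER DEFAULT 0, success INTEGER DEFAULT 0,
        PRIMARY KEY (userid, ip))""")
    return db


def add_user(db, userid):
    db.execute("INSERT INTO logins (userid) VALUES (?)", (userid,))


def notify(userid):
    """Stand-in for e-mailing the webmaster and the account owner."""
    print(f"lockout notice: account {userid} locked after {MAX_ATTEMPTS} failed attempts")


def attempt_login(db, userid, ip, credentials_ok):
    """Returns 'ok', 'fail' or 'locked'. credentials_ok stands in for the password check."""
    acct = db.execute("SELECT locked FROM logins WHERE userid=?", (userid,)).fetchone()
    if acct is None:
        return "fail"  # unknown user: treated like a bad password, nothing recorded
    if acct[0]:
        return "locked"  # already locked: do not even evaluate credentials
    # Retrieve the attempts record for this userid and IP; a record whose success
    # flag is 1 is ignored, so the counter effectively restarts after a good login.
    row = db.execute("SELECT attempts, success FROM loginAttempts WHERE userid=? AND ip=?",
                     (userid, ip)).fetchone()
    prior = row[0] if row and not row[1] else 0
    if credentials_ok:
        db.execute("INSERT OR REPLACE INTO loginAttempts VALUES (?, ?, ?, 1)", (userid, ip, prior))
        db.commit()
        return "ok"
    attempts = prior + 1
    db.execute("INSERT OR REPLACE INTO loginAttempts VALUES (?, ?, ?, 0)", (userid, ip, attempts))
    if attempts >= MAX_ATTEMPTS:
        db.execute("UPDATE logins SET locked=1 WHERE userid=?", (userid,))
        notify(userid)
        db.commit()
        return "locked"
    db.commit()
    return "fail"
```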

GoogleCodeExporter commented 8 years ago

Original comment by rdivilb...@gmail.com on 8 Feb 2010 at 5:12

GoogleCodeExporter commented 8 years ago
New table, loginAttempts was added. ASP and PHP code has been written and tested.

Original comment by rdivilb...@gmail.com on 9 Apr 2010 at 5:45