I want to disable the user for 6hrs when he inputs the wrong password 3 times
i'm using mysql...
please help me...

and this is my usercheck.php

<?php
    session_start();
    include("config.php");
    if (isset($_POST['sub'])) {
        $myusername = $_POST['txtusername'];
        $mypassword = $_POST['txtpassword'];
        $name       = stripslashes($myusername);
        $password   = stripslashes($mypassword);
        $myusername = mysql_real_escape_string($name);
        $mypassword = mysql_real_escape_string($password);
        $sql        = "SELECT * FROM $tbl_name WHERE MUSE_NAME='$myusername' and MUSE_PWD='$mypassword'";
        $result     = mysql_query($sql);
        $count      = mysql_num_rows($result);
        if ($count == 1) {
            $_SESSION['login'] = "1";
            header("location:Main_Dashboard.php");
        } 
		else 
		{
		    $_SESSION['error'] = "Incorrect username or password";
            header("location:Main_Login.php");
        }
    }
?>

On the third try (that fails), save the date / time / timestamp when he gets re-activated into the DB. Always check this field when someone tries to login. If the time is still in the future, then reject the login. If there is one and the time has passed, then make sure that you clear that database field.

As a comment, this is a pretty severe lock out. In most cases, this type of temporary suspension is for 15 - 30 minutes. It is sometimes done using a session value so if you close your browser and start it up again (or use another one) you can get back in. It isn't all that difficult to screw it up 3 times in a row (confusion on the PW not just mis-keying).

help me...

how can he gets re-activated into the DB after 60 minutes

You don't need to be constantly looking at the DB and updating the status of the users. You wait until he tries to login again. If the suspended period is over, then you change the DB and take out the date & time when the suspension ends (indicating no suspension). If the suspension isn't over yet, you just refuse his login with an appropriate message.

One thing I noticed is that you said the user has 3 tries to log in. A problem with that you aren't including a time limit for those tries- what if a user fails 3 tries over a period of 2 weeks? You don't want to lock them out for that!

What I would do is have two cookies created on the first login attempt and use them to track how many times they have tried to log in. The reason you need two cookies is that one of them must be updated each time a login is attempted, and the other needs to store the original expiration time of the cookie that gets update.

If your cookies expire after, say, 15 minutes, then you can use that to allow a maximum of 3 tries for each 15 minute period. Each time the user fails to provide the correct login credentials, update the cookie's value to reflect the number of failed attempts. If the cookie has a value of greater than 3, then save the timestamp to your DB and don't allow any more attempts for 60 minutes.

I modified your original code to do this. Check it out- it may be what you're looking for:

<?php
    session_start();
    include("config.php");

    //Check if the user has already tried to login
    //If they have, set the variable $auth_tries to the value of the cookie and get the expire time
    if (isset($_COOKIE['time_limit'])) {
        $num_tries = $_COOKIE['auth_attempts'];
        $expire_time = $_COOKIE['time_limit'];
    } else { //If they haven't, create the cookie with a value of 1, since this is their first attempt
        setcookie('auth_attempts', 1,  time()+900); //Cookie named 'auth_attempts' with a stored value of '1' that expires in 900 seconds from now (15 minutes)
        setcookie('time_limit', time()+900, time()+900);  //Cookie named 'time_limit' that stores the expiration time of the first login attempt
        $num_tries = $_COOKIE['auth_attempts'];  //Value of 1
        $expire_time = $_COOKIE['time_limit']; //Timestamp of 15 minutes from now
    }
    
    //Check if the user has exceeded 3 login attempts in 15 minutes
    //If true, log the current timestamp in the DB and let the user know they are temporarily locked out
    if ($num_tries > 3) {
        $lockout_time = time() + 3600;  //Timestamp of 1 hour from now
        mysql_query("UPDATE $tbl_name SET MUSE_LOCKED = '$lockout_time' WHERE MUSE_NAME='$myusername'");
        die(print("You have failed to log in 3 times in 15 minutes!  You must wait an hour before attempting to log in again."));
    }
        
    if (isset($_POST['sub'])) {
        $myusername = $_POST['txtusername'];
        $mypassword = $_POST['txtpassword'];
        $name       = stripslashes($myusername);
        $password   = stripslashes($mypassword);
        $myusername = mysql_real_escape_string($name);
        $mypassword = mysql_real_escape_string($password);
        $checklock = mysql_query("SELECT MUSE_LOCKED FROM $tbl_name WHERE MUSE_NAME='$myusername'");
        $checklock_result = mysql_result($checklock, 0);  //Returns the timestamp
        if ($checklock_result > time()) {  //If the time restriction is not over
            die(print("You must wait an hour to attempt to log in again!")); 
        } else {
        $sql        = "SELECT * FROM $tbl_name WHERE MUSE_NAME='$myusername' and MUSE_PWD='$mypassword'";
        $result     = mysql_query($sql);
        $count      = mysql_num_rows($result);
        if ($count == 1) {
            $_SESSION['login'] = "1";
            //Force the cookies to expire, since they have logged in successfully
            setcookie('auth_tries', '', time()-3600);
            setcookie('time_limit', '', time()-3600);
            header("location:Main_Dashboard.php");
        }
		else
		{
		    $_SESSION['error'] = "Incorrect username or password";
                    $num_tries++; //Increment $auth_tries to reflect the failed login attempt
                    setcookie('auth_attempts', $num_tries, $expire_time); //Update your 'auth_attempts' cookie
            header("location:Main_Login.php");
                }
        }
    }
?>

This script does the following:
-Uses cookies to determine whether the user has had more than 3 login attempts in a 15-minute period
-If the user has exceeded 3 attempts, they must wait an hour before their next login attempt
-After an hour, the user may login- no code is needed to unlock the user's account, since it is based on whether a timestamp has passed or not


For this to work, you need to update your DB's table to have a nullable field called MUSE_LOCKED to store the timestamp in the event that a user is locked out.

Let me know if this helped at all :)

-Ty

HI,
I'm just starting to use PHP, just don't understand how to implement this so that the login page is block for like 60 minutes from the above exemples,
How to I introduce this to my primary file that as the form in it.

Member Avatar for diafol

There's an article here: http://webcheatsheet.com/php/blocking_system_access.php

Haven't really looked at it, but it may be worth experimenting with. A problem that has always struck me with this approach is that an innocent user could be locked out due to a malicious user - however unlikely that may be. So, I'd introduce a challenge instead of a block, e.g. a captcha.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.