Webmaster Forum / ColdFusion / Advanced Techniques / October 2007
lock out users after three failed login attempts

pamcorey - 30 Oct 2007 14:55 GMT
I used Dreamweaver's login wizard to secure a directory in my application (using
simple authentication).  That all works fine, but now I need to add the
functionality where a user would be locked out (temporarily - using a session
variable) after three failed login attempts.  I've tried many ways but I can't
figure it out.  I've enabled session management in my Application.cfm and set
the sessiontimeout variable.  Where do I put the code (and what code would that
be) that counts the attempts and then freezes it after three failed attempts?

This is the code in the mm_wizard_authenticate.cfc file:

<cffunction name="simpleauth" access="private" output="false"
returntype="struct" hint="Authenticate using a single username and password">
        <cfargument name="sUserName" required="true" hint="The username that was
setup in the Login Wizard.">
        <cfargument name="sPassword" required="true" hint="The password that was
setup in the Login Wizard.">
        <cfargument name="uUserName" required="true" hint="The username passed in
from the client.">
        <cfargument name="uPassword" required="true" hint="The password passed in
from the client.">
        <cfset var retargs = StructNew()>
       
        <cfif sUserName eq uUserName AND sPassword eq uPassword>
            <cfset retargs.authenticated="YES">
         <cfelse>
            <cfset retargs.authenticated="NO">
         </cfif>
         <cfreturn retargs>
     </cffunction>

I'm thinking I need to add something like this (below) somewhere but I don't
know where.

<cflock scope="SESSION" timeout="3" type="EXCLUSIVE">
   <cfif NOT IsDefined("request.login") or request.login neq 1>
    <cflocation addtoken="No" url="mm_wizard_login.cfm">
  </cfif>
</cflock>

Any help gratefully appreciated.  Thanks!
jdeline - 30 Oct 2007 15:24 GMT
Something like this might work for you.

<CFPARAM NAME="session.loginCount" DEFAULT="0">
<CFIF session.loginCount IS 3>
   You have failed on 3 login attempts.  Come back later.
   <CFABORT>
</CFIF>
...
...
<!--- execute the code below if the user does not authenticate --->
<CFSET session.loginCount = session.loginCount + 1>
<CFLOCATION URL="thisPage.cfm">
pamcorey - 30 Oct 2007 16:56 GMT
Where in my code do I add this code?
jdeline - 30 Oct 2007 17:50 GMT
The top section goes at the top of the page on which you are doing the authentication.  The bottom section goes after the authentication is checked.
pamcorey - 30 Oct 2007 21:30 GMT
My first attempt at putting in your code resulted in locking myself out
completely.  My second attempt just doesn't lock at all.  I'm thinking I have
the items in the wrong place in the files or in the wrong files altogether.
[hr]
[b]Ok, in my mm_wizard_login.cfm file I have:[/b]

<cfinclude template="Application.cfm">
<cfinclude template="Application.cfc">

<cfparam name="errorMessage" default="">

<!--- output error message if it has been defined --->
<CFPARAM NAME="session.loginCount" DEFAULT="0">
<CFIF session.loginCount IS 3>
   You have failed on 3 login attempts.  Come back later.
   <CFABORT>
</CFIF>

<cfif len(trim(errorMessage))>
    <cfoutput>
    <ul>
        <li><font color="FF0000">#errorMessage#</font></li>
    </ul>
    </cfoutput>
</cfif>

<!--- This is the login form, you can change the font and color etc but please
keep the username and password input names the same --->
<cfoutput>
<H2>Please Login to the Staff Awards Database.</H2>

   <cfform  name="loginform" action="#CGI.script_name#?#CGI.query_string#"
method="Post">
      <table>
         <tr>
            <td>User Name:</td>
            <td><cfinput type="text" name="j_username" required="yes"
message="A username is required"></td>
         </tr>
         <tr>
            <td>Password:</td>
            <td><cfinput type="password" name="j_password" required="yes"
message="A password is required"></td>
         </tr>       
          </table>
      <br>
      <input type="submit" value="Log In">
   </cfform>
</cfoutput>
[hr]
[b]and then in my mm_wizard_authenticate.cfc file I have:[/b]

<!---- ////////////////////////////////////////////////////--->
     <!---- Simple Authentication                                 --->
     <!---- ////////////////////////////////////////////////////--->

       <cffunction name="simpleauth" access="private" output="false"
returntype="struct" hint="Authenticate using a single username and password">
        <cfargument name="sUserName" required="true" hint="The username that was
setup in the Login Wizard.">
        <cfargument name="sPassword" required="true" hint="The password that was
setup in the Login Wizard.">
        <cfargument name="uUserName" required="true" hint="The username passed in
from the client.">
        <cfargument name="uPassword" required="true" hint="The password passed in
from the client.">
        <cfset var retargs = StructNew()>
       
        <cfif sUserName eq uUserName AND sPassword eq uPassword>
            <cfset retargs.authenticated="YES">
         <cfelse>
            <cfset retargs.authenticated="NO">
         </cfif>

         <cfreturn retargs>
     </cffunction>
   
     
       <!---- ////////////////////////////////////////////////////--->
     <!--- This method performs the <cflogin> call and in turn  --->
     <!--- calls the actual authentication method               --->
     <!---- ////////////////////////////////////////////////////--->
     <cffunction name="performlogin" access="public" output="true" hint="Log a
user in using either NT, LDAP, or Simple (a predefined username and password)
authentication.">
         <cfargument name="args" type="struct" required="true" hint="These are the
parameters setup by the Login Wizard">
            <cfset var x = "BA96585C95784E12FFEBDD0117FCAEBD">
             <cfset var y = "6B3163D122DE19B5DCC2DEBDF70CAED5">
       <cflogin>
        <cfif NOT IsDefined("cflogin")>
            <cfif args.authLogin eq "challenge">
                <cfheader statuscode="401">
                <cfheader name="www-Authenticate" value="Basic realm=""MM Wizard
#args.authtype# Authentication""">
            <cfelse>
                 <cfinclude template="#args.loginform#">
             </cfif>
             <cfabort>
        <cfelse>
              <cftry>
              <cfif args.authtype eq "NT">
                <cfinvoke method="ntauth"
                    returnvariable="result"
                    nusername="#cflogin.name#"
                    npassword="#cflogin.password#"
                    ndomain="#args.domain#" >

                    <cfelseif args.authtype eq "LDAP">
                        <cfinvoke method="ldapauth" returnvariable="result"
                          lStart="#args.start#"
                          lServer="#args.server#"
                          lPort="#args.port#"
                          sUserName="#args.suser#"
                          sPassword="#args.spwd#"
                          sQueryString="#args.queryString#"
                          uUsername="#cflogin.name#"
                          uPassword="#cflogin.password#">                   
                        </cfinvoke>
                    <cfelseif args.authtype eq "Simple">
                        <cfinvoke method="simpleauth" returnvariable="result"
                            sUserName="#args.suser#"
                            sPassword="#args.spwd#"                                          
                            uUserName="#cflogin.name#"
                            uPassword="#hash(x&cflogin.password&y,'SHA-1')#">
                        </cfinvoke>
                    </cfif>       
                   

           
                <cfcatch>
                    <cfset errorMessage = "Your login information is not valid.<br>Please Try
again.<br>If you have tried three times unsuccessfully you have been locked
out.  You may try again after 20 minutes.">
               
                <cfif args.authLogin eq "challenge">
                    <cfheader statuscode="401">
                    <cfheader name="www-Authenticate" value="Basic realm=""MM Wizard
#args.authtype# Authentication""">
                <cfelse>
                     <cfinclude template="#args.loginform#">
                 </cfif>
                    <cfabort>                               
                </cfcatch>                   
                </cftry>
            </cfif>
                <!--- validate if the user is authenticated --->
              <cfif result.authenticated eq "YES">
                          <!--- if authenticated --->
                        <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
roles="user">
                    <cfelse>
                        <!--- if not authenticated, return to login form with an error message
--->
                                               
                        <cfset errorMessage = "Your login information is not valid.<br>Please
Try again.<br>If you have tried three times unsuccessfully you have been locked
out.  You may try again after 20 minutes.">
                       
                        <CFSET session.loginCount = session.loginCount + 1>
<CFLOCATION URL="mm_wizard_login.cfm">
                                           
                <cfif args.authLogin eq "challenge">
                    <cfheader statuscode="401">
                    <cfheader name="www-Authenticate" value="Basic realm=""MM Wizard
#args.authtype# Authentication""">
                <cfelse>
                     <cfinclude template="#args.loginform#">
                 </cfif>
                    <cfabort>                       
                  </cfif>
         </cflogin>

     </cffunction>
qateef - 30 Oct 2007 15:32 GMT
I would suggest that you use a cookie. Every time an attempt fails, you will
check if the cookie exists; if it does, then you will add 1 to the value.

e.g. <cfif isDefined("cookie.#session.cfid#") and
isNumeric(cookie[session.cfid])>

Before you display the login screen, you will check the value of the cookie.
If the value is more than 3, then you will only display a message indicating
that he/she can't log on.
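The counter logic that jdeline's session snippet and qateef's cookie variant both describe, written out as an added example (not code from the thread) in Python rather than CFML, since the state machine is the same whichever scope holds the counter: it locks on the third failure using a greater-or-equal test rather than an exact "IS 3" match, expires the lock after the 20-minute window mentioned in pamcorey's error text, and resets the count on success. The names LoginSession, attempt_login and run_scenario and the timestamps are assumptions made up for this example. Note that a counter kept in the session or a cookie disappears when the client discards that cookie, so it limits a browser, not a determined attacker; the same state keyed by account on the server is what a real lockout needs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILURES = 3                  # failed attempts allowed before the lock engages
LOCKOUT = timedelta(minutes=20)   # lock duration quoted in the thread's error message


@dataclass
class LoginSession:
    """Stand-in for session.loginCount plus a lockout timestamp (hypothetical names)."""
    login_count: int = 0
    locked_until: Optional[datetime] = None


def is_locked(sess: LoginSession, now: datetime) -> bool:
    """True while the lockout window is open; clears the lock once it has expired."""
    if sess.locked_until is None:
        return False
    if now < sess.locked_until:
        return True
    # window elapsed: reset so the user may try again
    sess.locked_until = None
    sess.login_count = 0
    return False


def attempt_login(sess: LoginSession, authenticated: bool, now: datetime) -> str:
    """Apply one login attempt and return 'locked', 'ok' or 'failed'."""
    if is_locked(sess, now):
        return "locked"          # correct password or not, nothing is checked while locked
    if authenticated:
        sess.login_count = 0     # success clears the counter
        return "ok"
    sess.login_count += 1
    # '>=' rather than '== 3': a counter that overshoots must still lock
    if sess.login_count >= MAX_FAILURES:
        sess.locked_until = now + LOCKOUT
        return "locked"
    return "failed"


def run_scenario() -> List[str]:
    """Constructed walkthrough: three failures, a blocked retry, then success after the window."""
    sess = LoginSession()
    t0 = datetime(2007, 10, 30, 14, 55)   # constructed timestamp
    results = [attempt_login(sess, False, t0 + timedelta(seconds=i)) for i in range(3)]
    results.append(attempt_login(sess, True, t0 + timedelta(minutes=1)))            # still locked
    results.append(attempt_login(sess, True, t0 + LOCKOUT + timedelta(minutes=1)))  # window over
    return results
```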
 
©2008 Advenet LLC   Privacy Policy - Terms of Use