EasyCFM.COM ColdFusion Forums / Good Coding Tips! / cflogin failed attempts auto lock account


Prodian
03-19-2009 @ 3:56 PM

2 tables
One for usernames and passwords
One for logging failed logins (date_time, username, ip_address)

Application.cfm

<cflogin>
    <!--- ...check login here... (the credential check is not shown in the post;
          loginPassed stands for its result) --->
    <cfif loginPassed>
        <!--- Do this: successful login handling --->
    <cfelse>
        <!--- LOG FAILED ATTEMPT: store a real timestamp and bind every value with
              cfqueryparam instead of interpolating cflogin.name into the SQL --->
        <cfquery name="update">
            INSERT INTO log (date_time, username, ip_address)
            VALUES (
                <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">,
                <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#CGI.REMOTE_HOST#" cfsqltype="cf_sql_varchar">
            )
        </cfquery>

        <!--- All failures for this username from this address --->
        <cfquery name="check">
            SELECT date_time
            FROM log
            WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
              AND ip_address = <cfqueryparam value="#CGI.REMOTE_HOST#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <!--- Count the failures that fall inside the last 15 minutes --->
        <cfset right_now = Now()>
        <cfset attempt = 0>
        <cfloop query="check">
            <cfif DateDiff("n", check.date_time, right_now) LT 15>
                <cfset attempt = attempt + 1>
            </cfif>
        </cfloop>

        <!--- If there are 5 failed attempts within 15 mins lock the account --->
        <cfif attempt GTE 5>
            <cfquery name="update">
                UPDATE users
                SET locked = 1
                WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            </cfquery>
        </cfif>

        <cfset loginmessage = "Invalid Login">
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflogin>


I also have another piece that resets the account after 15 mins of the last failed attempt.  Put this after a successful login.


<!--- check and username come from the login query that is not shown in the post --->
<cfif check.sec_level EQ 10 AND check.locked EQ 1>
    <!--- Most recent failed attempt for this user; bind the name rather than interpolating it --->
    <cfquery name="check_log">
        SELECT MAX(date_time) AS dt
        FROM log
        WHERE username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- If 15 mins have passed since the last failed attempt (or nothing is logged),
          unlock the account and proceed with login. MAX() over no rows comes back
          empty, so guard with IsDate before calling DateDiff --->
    <cfif NOT IsDate(check_log.dt) OR DateDiff("n", check_log.dt, Now()) GTE 15>
        <cfquery name="update">
            UPDATE users
            SET locked = 0
            WHERE username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">
        </cfquery>
    </cfif>
</cfif>


I am going to work on blocking the IP for those who try to brute-force the usernames.

This message was edited by Prodian on 3-19-09 @ 3:57 PM
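Added example, not from the original post: the same lock-and-expire logic written in Python over an in-memory SQLite copy of the post's two tables, so the 5-failures-in-15-minutes rule can be exercised end to end with a fixed clock. Every query binds its values with placeholders, which is the fix the CFML version needs as well. The user name, password, IP address and timestamps are constructed for the example. It goes one step beyond the post: the lock expiry is checked on every attempt, not only after a successful login, so a locked account is refused even when the password is right.

```python
import sqlite3
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                # failures allowed inside the window (5, as in the post)
WINDOW = timedelta(minutes=15)  # window length and lockout duration (15 min, as in the post)


def make_db():
    """In-memory SQLite stand-in for the post's two tables (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
               "locked INTEGER NOT NULL DEFAULT 0)")
    db.execute("CREATE TABLE log (date_time TEXT NOT NULL, username TEXT NOT NULL, "
               "ip_address TEXT NOT NULL)")
    return db


def is_locked(db, username):
    row = db.execute("SELECT locked FROM users WHERE username = ?", (username,)).fetchone()
    return bool(row and row[0])


def record_failure(db, username, ip, now):
    """Log one failure, then lock the account once MAX_ATTEMPTS failures from the
    same username+IP fall inside WINDOW. Values are bound with '?', never
    concatenated into the SQL. Returns True if this failure triggered the lock."""
    db.execute("INSERT INTO log (date_time, username, ip_address) VALUES (?, ?, ?)",
               (now.isoformat(), username, ip))
    since = (now - WINDOW).isoformat()  # ISO-8601 strings sort chronologically
    (count,) = db.execute(
        "SELECT COUNT(*) FROM log WHERE username = ? AND ip_address = ? AND date_time > ?",
        (username, ip, since),
    ).fetchone()
    if count >= MAX_ATTEMPTS:
        db.execute("UPDATE users SET locked = 1 WHERE username = ?", (username,))
        return True
    return False


def maybe_unlock(db, username, now):
    """The post's second block: clear the lock once WINDOW has elapsed since the
    most recent failure for this username. Returns True if it unlocked."""
    if not is_locked(db, username):
        return False
    (last,) = db.execute("SELECT MAX(date_time) FROM log WHERE username = ?",
                         (username,)).fetchone()
    if last is None or now - datetime.fromisoformat(last) >= WINDOW:
        db.execute("UPDATE users SET locked = 0 WHERE username = ?", (username,))
        return True
    return False


def attempt_login(db, username, password, ip, now):
    """One login attempt. Returns 'ok', 'locked' or 'invalid'."""
    maybe_unlock(db, username, now)
    if is_locked(db, username):
        return "locked"
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    # The post does not say how passwords are stored; a real system compares a hash here.
    if row is not None and row[0] == password:
        return "ok"
    record_failure(db, username, ip, now)
    return "invalid"


def simulate():
    """Constructed scenario: five wrong passwords one minute apart, the right
    password while still locked, then the right password after the window."""
    db = make_db()
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("alice", "correct-horse"))
    t0 = datetime(2009, 3, 19, 15, 56)  # constructed start time
    ip = "203.0.113.7"                  # constructed client address
    results = [attempt_login(db, "alice", "wrong", ip, t0 + timedelta(minutes=i))
               for i in range(5)]
    results.append(attempt_login(db, "alice", "correct-horse", ip, t0 + timedelta(minutes=5)))
    results.append(attempt_login(db, "alice", "correct-horse", ip, t0 + timedelta(minutes=19)))
    return results


if __name__ == "__main__":
    print(simulate())  # ['invalid', 'invalid', 'invalid', 'invalid', 'invalid', 'locked', 'ok']
```

The fifth failure sets the lock, the correct password one minute later is refused, and the correct password fifteen minutes after the last failure unlocks and succeeds. Note the asymmetry carried over from the post: failures are counted per username and IP, but the lock lands on the username, so a locked user is refused from every address until the window passes.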

