There is a simple password entry form. How to double the form processing time for one ip. Will it help protect against spammers and bots?

    4 answers 4

    In the session, keep the counter of unsuccessful attempts, and put sleep( pow(2,$count)) - with each attempt the pause will be more and more: 2, 4, 8, 16c ...

    After 10 unsuccessful, block the session, after 3 dozens of different blocked sessions from one ip - block ip (it means, the villain has guessed to reset cookies).

    With a general sharp increase in the number of unsuccessful attempts on the site, either revise the code or panic :)

    Upd. The mere doubling of time each time will not help much from bots. In Joomla, for example, is done like this. By issuing a form to enter a password, the site creates a session, and generates a unique parameter that is stored in the session. He is written as a hidden <input type="hidden"...> in the form for the password.

    The data came to the login - see if that hidden parameter matches the value that is stored in the session. If not, this request can be not processed further. Either this is a bot, or cookies are disabled.

    • and how to be to people with one ip (vpn, a proxy or from phone)? - zenith
    • one
      Session is the same. With a single IP, even a whole plant can go online, each will have an individual session. - Sergiks
    • bots usually sit without a session) and without cookies. - IVsevolod
    • And those who do not cook and session immediately go to the forest. When issuing a form for entering a password, a unique parameter is already written to the session. He must be present in the form of a hidden field in the form with a password. The password has come - we look: is there a parameter in the session that is equal to the one who came along with the form. Not? - "Bender, re-sign!" - Sergiks
    • and sleep at what level to put ?, on JS, PHP? - IVsevolod

    You can, without doubling, put sleep for a few seconds

    The second option is to measure the processing time (the same time() at the beginning and end of processing), and then put sleep / usleep / time_nanosleep with the amount of time spent processing the form.

    • one
      Yes, the first option every time you experience yourself when you go through SSH unsuccessfully. The password is correct - there are no problems, here is your terminal; wrong - if you please wait a couple of seconds. - Nikolai Kim

    As an option, store the time of form generation, and compare with the time when the data from the form came. If for example it took less than 3 seconds, then it was sent by the spammer, or bot)

    Time can be for example:

    • write to the database (preferred)
    • stored in session
    • write to the hidden field of the form (here it is better to defend yourself, and add a tricky hash from the time, if the hash from the time does not match the hash, then the date is changed)

      we check ip and session if there is no such we write to the ip base and session execute the script, we do the response with the done = true flag

      On the front end, if you’ve done as true on the submit button, set disabled