There is a simple password entry form. How can I double the form processing time for one IP? Will it help protect against spammers and bots?
In the session, keep a counter of unsuccessful attempts, and do
sleep(pow(2,$count)) - with each attempt the pause will grow: 2, 4, 8, 16 s ...
After 10 unsuccessful attempts, block the session; after three dozen different blocked sessions from one IP, block the IP (it means the villain has figured out to reset cookies).
With a general sharp increase in the number of unsuccessful attempts on the site, either revise the code or panic :)
Upd. Merely doubling the time each time will not help much against bots. In Joomla, for example, it is done like this. When issuing a form to enter a password, the site creates a session and generates a unique parameter that is stored in the session. It is written as a hidden
<input type="hidden"...> in the form for the password.
When the data arrives at the login handler, check whether that hidden parameter matches the value stored in the session. If not, this request need not be processed further: either this is a bot, or cookies are disabled.
As an option, store the time of form generation and compare it with the time when the data from the form arrived. If, for example, it took less than 3 seconds, then it was sent by a spammer or bot)
The time can, for example, be:
- written to the database (preferred)
- stored in the session
- written to a hidden field of the form (here it is better to protect yourself and add a tricky hash of the time; if the hash of the time does not match the hash, then the date has been changed)
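The scheme from both parts of this answer (per-session exponential pause, session block after 10 failures, IP block after 30 blocked sessions, hidden token tied to the session, and an HMAC-signed form timestamp with a 3-second minimum) as one added example in Python rather than the PHP of the answer; it is not Joomla's code. The session and IP state are plain dicts, SECRET is a constructed placeholder, and the 64-second cap on the pause is an assumption added so a long run of failures cannot tie up a worker indefinitely.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-placeholder-secret"  # server-side only; never sent to the client
MIN_FILL_SECONDS = 3          # faster than this looks automated (answer's example)
MAX_FAILS_PER_SESSION = 10    # block the session after 10 failures
MAX_BLOCKED_SESSIONS_PER_IP = 30  # block the IP after three dozen blocked sessions
MAX_PAUSE_SECONDS = 64        # assumption: cap on the exponential pause

def sign(value: str) -> str:
    """HMAC of a hidden-field value so the client cannot edit it unnoticed."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def render_form(session: dict, now: int) -> dict:
    """Issue the login form: fresh token in the session, signed issue time in hidden fields."""
    session["form_token"] = secrets.token_hex(16)
    issued = str(now)
    return {"token": session["form_token"], "issued": issued, "issued_sig": sign(issued)}

def backoff_seconds(fail_count: int) -> int:
    """Pause before answering after fail_count failures: 2, 4, 8, 16 ... up to the cap."""
    return min(2 ** fail_count, MAX_PAUSE_SECONDS)

def check_submission(session: dict, ip_state: dict, fields: dict, now: int) -> tuple:
    """Return (accepted, reason) for a posted form; the password itself is checked elsewhere."""
    # hidden token must equal the one stored in the session: otherwise a bot or cookies off
    if not hmac.compare_digest(fields.get("token", ""), session.get("form_token", "")):
        return False, "token-mismatch"
    if session.get("blocked") or ip_state.get("blocked"):
        return False, "blocked"
    # the issue time travels in a hidden field, so verify its signature before trusting it
    issued = fields.get("issued", "")
    if not hmac.compare_digest(fields.get("issued_sig", ""), sign(issued)):
        return False, "timestamp-tampered"
    if now - int(issued) < MIN_FILL_SECONDS:
        return False, "too-fast"
    return True, "ok"

def record_failure(session: dict, ip_state: dict) -> int:
    """Count a wrong password; block session/IP at the thresholds; return the pause to apply."""
    session["fails"] = session.get("fails", 0) + 1
    if session["fails"] >= MAX_FAILS_PER_SESSION and not session.get("blocked"):
        session["blocked"] = True  # a blocked session counts once toward the IP total
        ip_state["blocked_sessions"] = ip_state.get("blocked_sessions", 0) + 1
        if ip_state["blocked_sessions"] >= MAX_BLOCKED_SESSIONS_PER_IP:
            ip_state["blocked"] = True
    return backoff_seconds(session["fails"])
```

The caller applies the returned pause (sleep or, better, a delayed response) and re-renders the form so the token is rotated after every attempt.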
session; if there is none, we write to the IP base and session, execute the script, and do the response with the done = true flag. On the front end, if you've done as true, on the submit button set