There is a simple password entry form. How to double the form processing time for one ip. Will it help protect against spammers and bots?
4 answers
In the session, keep the counter of unsuccessful attempts, and put sleep( pow(2,$count)) - with each attempt the pause will be more and more: 2, 4, 8, 16c ...
After 10 unsuccessful, block the session, after 3 dozens of different blocked sessions from one ip - block ip (it means, the villain has guessed to reset cookies).
With a general sharp increase in the number of unsuccessful attempts on the site, either revise the code or panic :)
Upd. The mere doubling of time each time will not help much from bots. In Joomla, for example, is done like this. By issuing a form to enter a password, the site creates a session, and generates a unique parameter that is stored in the session. He is written as a hidden <input type="hidden"...> in the form for the password.
The data came to the login - see if that hidden parameter matches the value that is stored in the session. If not, this request can be not processed further. Either this is a bot, or cookies are disabled.
Sergiks Sergiks
28.2k 3 38 78
- and how to be to people with one ip (vpn, a proxy or from phone)? - zenith
- oneSession is the same. With a single IP, even a whole plant can go online, each will have an individual session. - Sergiks
- bots usually sit without a session) and without cookies. - IVsevolod
- And those who do not cook and session immediately go to the forest. When issuing a form for entering a password, a unique parameter is already written to the session. He must be present in the form of a hidden field in the form with a password. The password has come - we look: is there a parameter in the session that is equal to the one who came along with the form. Not? - "Bender, re-sign!" - Sergiks
- and sleep at what level to put ?, on JS, PHP? - IVsevolod
|
You can, without doubling, put sleep for a few seconds
The second option is to measure the processing time (the same time() at the beginning and end of processing), and then put sleep / usleep / time_nanosleep with the amount of time spent processing the form.
Deleted
351 one five 13
iamsalnikov iamsalnikov
279 five 14
- oneYes, the first option every time you experience yourself when you go through SSH unsuccessfully. The password is correct - there are no problems, here is your terminal; wrong - if you please wait a couple of seconds. - Nikolai Kim
|
As an option, store the time of form generation, and compare with the time when the data from the form came. If for example it took less than 3 seconds, then it was sent by the spammer, or bot)
Time can be for example:
- write to the database (preferred)
- stored in session
- write to the hidden field of the form (here it is better to defend yourself, and add a tricky hash from the time, if the hash from the time does not match the hash, then the date is changed)
Deleted
351 one five 13
IVsevolod IVsevolod
6.369 3 20 45
|
we check ip and session if there is no such we write to the ip base and session execute the script, we do the response with the done = true flag
On the front end, if you’ve done as true on the submit button, set disabled
ragmon
858 3 12 27
Mikhail Malakhvei Mikhail Malakhvei
103 five
|