how to restrict user for 30 minutes after 3 invalid login attempts in vb.net code

Question

0.00/5 (No votes)

See more:

VB

how to restrict user for 30 minutes, after 3 invalid login attempts in vb.net code

Posted 16-Jul-12 21:17pm

sharma07

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

StianSandberg · Answer 1 · 2012-07-16T21:31:00

There is a few ways to do this.

1) Add a session variable with DateTime "banned" and check it to see if it's more then 30 min ago
Pros: Extremely easy to implement. Will not affect any other users.
Cons: Extremely easy to bypass (close and reopen browser)

2) Add a cookie which expires after 30 minutes
Pros: Easy to implement. Will not affect any other users.
Cons: Easy to bypass. (just delete the cookie)

3) Create a table in your database keeping IP-address and DateTime for time "banned"
Pros: Difficult to bypass
Cons: A little bit more work to implement. Will potentially affect other users with same IP. (you can solve this by storing more info about user like user agent string, but it's not bullet proof)

4) Store UserId and when the login attempt failed in the database
Pros: Impossible to bypass
Cons: Can lock out a user which didn't try to log in. Ex if I try to log in with someone else's username. Some work to implement.

Alt 4 is the best solution here!

Stephen Hewison · Answer 2 · 2012-07-16T21:34:00

You need a storage location possibly SQL where you store the username and occurred time of a failed log in:

SQL

Username VARCHAR(255),
Occurred DATETIME

The the following SQL will give you the failed login count.

SQL

SELECT [Count] = COUNT(*) FROM dbo.FailedAttempts WHERE Username=@Username AND Occurred > DATEADD(MINUTE, -30, GETDATE())

You then need to build this into you login process so that if the user login fails you insert into the failed attempts table. If the password is valid you check the current failed attempts count and reject their attempt where it's too high.

how to restrict user for 30 minutes after 3 invalid login attempts in vb.net code

2 solutions

Solution 2

Solution 3

Add your solution here

Preview 0