I have just started using Ion Auth, and I am trying to implement the maximum login attempts feature.
Problem is, I can't seem to find anything regarding this function in the documentation.
I figured out the function to call to check if maximum login attempts exceeded was this
$this->ion_auth->is_max_login_attempts_exceeded()
I'd like to know what protection to do if login attempts are exceeded?
<ul>
<li>block the user for a specific time?</li>
<li>enforce a captcha?</li>
<li>both?</li>
</ul>
And if he enters a correct captcha (assuming I enforce a captcha) or if the time runs out (assuming I stop login attempts for a specific time), how do I allow logins again?
It depends entirely on the design of your project. If it's some store or paid services provider, then you can think of implementing this and disallowing the user from logging in for a minute or two; if it's your personal blog, I would suggest you not implement this at all.
To force clear the attempts, if you need to, you can call
$this->ion_auth->clear_login_attempts($identity);
and to block user from trying to log in, you can make an if statement
// Ion Auth is loaded as a CodeIgniter library, so the check is called through $this->ion_auth
if (!$this->ion_auth->is_max_login_attempts_exceeded($identity)) {
    // try to login
}
If you want to implement a captcha, you can change the if statement above to check if the captcha input was correct and use the code block above to make a decision whether to show captcha in your login form.
In any case, don't bother implementing this if you've never been brute forced before and if the information/actions that can be gathered/run by the hacker are not dangerous enough, as it will simply annoy those who simply forgot their password and try every password they have ever used before.
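The two pieces the answer describes (check the counter before attempting the login, and clear it once the user has proven they are human) fit together as a single CodeIgniter 3 controller method. The code below is an added example, not code from the question, the answer, or the Ion Auth project. It assumes Ion Auth is loaded as `$this->ion_auth`, that Ion Auth's `track_login_attempts` setting is enabled so failed logins are counted, and that a hypothetical private helper `captcha_is_valid()` verifies the submitted CAPTCHA answer against a word stored in the session (how that word is generated and rendered is left to whichever CAPTCHA library you use). The view name `auth/login` and the `show_captcha` view variable are also assumptions.

```php
<?php
// Added example: a login action that combines Ion Auth's attempt counter with a CAPTCHA gate.
// Assumes CodeIgniter 3, Ion Auth loaded as $this->ion_auth, and the session library loaded.
class Auth extends CI_Controller
{
    public function login()
    {
        $this->load->library('form_validation');

        $this->form_validation->set_rules('identity', 'Identity', 'required');
        $this->form_validation->set_rules('password', 'Password', 'required');

        if ($this->form_validation->run() === FALSE) {
            // First visit or missing fields: just render the form, no CAPTCHA yet.
            $this->load->view('auth/login', array('show_captcha' => FALSE));
            return;
        }

        $identity = $this->input->post('identity');
        $password = $this->input->post('password');
        $remember = (bool) $this->input->post('remember');

        // The check from the answer, done before the credentials are tested.
        if ($this->ion_auth->is_max_login_attempts_exceeded($identity)) {
            // Limit reached: require a CAPTCHA instead of silently trying the password.
            if (!$this->captcha_is_valid($this->input->post('captcha'))) {
                $this->session->set_flashdata(
                    'message',
                    'Too many failed logins; please solve the CAPTCHA to continue.'
                );
                $this->load->view('auth/login', array('show_captcha' => TRUE));
                return;
            }
            // Correct CAPTCHA: reset the counter so the normal login path is used again.
            $this->ion_auth->clear_login_attempts($identity);
        }

        if ($this->ion_auth->login($identity, $password, $remember)) {
            $this->session->set_flashdata('message', $this->ion_auth->messages());
            redirect('/', 'refresh');
            return;
        }

        // Failed attempt: with track_login_attempts enabled Ion Auth records it.
        // Show Ion Auth's own message rather than revealing whether the identity exists.
        $this->session->set_flashdata('message', $this->ion_auth->errors());
        redirect('auth/login', 'refresh');
    }

    // Hypothetical CAPTCHA check (assumption): compares the submitted answer with the
    // word the CAPTCHA generator stored in the session. Replace with your library's verifier.
    private function captcha_is_valid($response)
    {
        $expected = $this->session->userdata('captcha_word');
        if ($response === NULL || $expected === NULL) {
            return FALSE;
        }
        // Constant-time comparison so the answer cannot be guessed character by character.
        return hash_equals((string) $expected, (string) $response);
    }
}
```

The `show_captcha` flag is what the view uses to decide whether to render the CAPTCHA widget, which is the "use the code block above to make a decision whether to show captcha in your login form" part of the answer. The time-based option from the question is handled by Ion Auth itself: `is_max_login_attempts_exceeded()` only reports `TRUE` while the configured lockout window is still running, so once it expires the method returns `FALSE` and the CAPTCHA branch is skipped without any extra code. Whichever option you pick, keep the failure message identical for "wrong password", "locked out" and "unknown user" so the counter does not become a way to enumerate valid identities.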