
Issue with tracking maximum login attempts using servlet and HttpSession


I am trying to limit the number of maximum login attempts. Here is what I am doing currently:

1.) Store the login counter in the session

2.) On every login attempt comparing the counter stored in the session

3.) If the counter is smaller than the maximum attempts >> increase the counter

4.) If the counter is equal to the maximum attempts >> compare the last access time of the session with current time.

If the difference is more than (say 20 minutes) then destroy the session (to allow the user to make attempts).

If the difference is less, redirect to the error page. This is all working fine, but this method fails even if the user is simply browsing the rest of the web application (except the login page).

Now consider this:

One user has exceeded the max login attempts, so he decides to browse the rest of the application for 20 minutes. But even after 20 minutes the login attempt fails.

This is because the counter is stored in the session, and the user is browsing the web app with the same session, so the difference between the last access time and the current time for the session is never greater than 20 minutes, hence it fails.

So how do I solve this problem?

Thank you.


Solution

  • You can use the session create time or store in the session the time when the user exceeded the login attempts. So use one of these times to compare with the last access time.
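The second variant of the answer (recording in the session the moment the limit was reached and measuring the lockout from that timestamp rather than from the session's last access time), written out as an added example; this is not code from the question or the answer, and the servlet name, the `javax.servlet` API version, the page names, the attribute names and the `authenticate` stub are all assumptions.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet. The lockout clock starts when the limit is hit,
// so browsing other pages (which refreshes last-access time) no longer extends it.
public class LoginServlet extends HttpServlet {
    private static final int MAX_ATTEMPTS = 5;
    private static final long LOCKOUT_MILLIS = TimeUnit.MINUTES.toMillis(20);
    private static final String ATTEMPTS = "loginAttempts";   // assumed attribute name
    private static final String LOCKED_AT = "loginLockedAt";  // assumed attribute name

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        long now = System.currentTimeMillis();
        Long lockedAt = (Long) session.getAttribute(LOCKED_AT);

        if (lockedAt != null) {
            if (now - lockedAt < LOCKOUT_MILLIS) {
                // Still inside the lockout window: refuse without checking credentials.
                resp.sendRedirect(req.getContextPath() + "/error.jsp");
                return;
            }
            // Window has expired: clear the lockout and start counting again.
            session.removeAttribute(LOCKED_AT);
            session.setAttribute(ATTEMPTS, 0);
        }

        Integer stored = (Integer) session.getAttribute(ATTEMPTS);
        int attempts = (stored == null) ? 0 : stored;

        if (authenticate(req.getParameter("username"), req.getParameter("password"))) {
            session.removeAttribute(ATTEMPTS); // success resets the counter
            resp.sendRedirect(req.getContextPath() + "/home.jsp");
            return;
        }

        session.setAttribute(ATTEMPTS, ++attempts);
        if (attempts >= MAX_ATTEMPTS) {
            session.setAttribute(LOCKED_AT, now); // remember when the limit was reached
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp?failed=1");
    }

    // Placeholder credential check; replace with the application's real one.
    private boolean authenticate(String user, String password) { return false; }
}
```

Because the counter lives in the session, it only limits attempts made within that one session; a server-side limit keyed on the account name is the usual complement to this check.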