I've currently got a system with a user account and login system. I'm trying to implement a "lockout" function, so that after 3 incorrect password attempts, the user is locked out. Currently this only involves a popup window, and simply warns the user instead of locking them out. I'm trying to find a good way to do this, based around a timeout so after a set amount of time the user can try to access their account again.
One idea I have is to write the time of lockout to a text file, and then have the system check for the previous lockout time from this text file and allow login if enough time has elapsed; however, this seems to be an inelegant way to solve this.
Are there any other ways that this could be done? Thanks
Usually, you'll use a database with fields like
id
username
password
failedAttempts (int)
lastFailed (date)
lastLogin (date)
When they fail to log in, you increment failedAttempts and save the time in lastFailed.
Then on login, you check if (failedAttempts < threshold) or ((now - lastFailed) > timeThreshold).
On login you reset failedAttempts = 0 and lastFailed = null.
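A runnable version of the scheme in this answer, added here as an example rather than the answerer's own code: the users table is an in-memory dict standing in for the database, `now` is passed in as a Unix timestamp so the timeout can be exercised without waiting, and the counter is cleared once the window has elapsed so a stale lock does not linger. The names (`UserStore`, `UserRow`, `THRESHOLD`, `LOCKOUT`) and the PBKDF2 hash with constant-time comparison are my choices; the answer assumes a password column but does not say how it is stored.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional
THRESHOLD = 3      # failed attempts before the account locks
LOCKOUT = 15 * 60  # lock duration in seconds (the answer's timeThreshold)

@dataclass
class UserRow:  # one row of the users table the answer describes (in-memory stand-in)
    salt: bytes
    password_hash: bytes                  # store a salted hash, never the plaintext
    failed_attempts: int = 0
    last_failed: Optional[float] = None   # Unix timestamps; None = never
    last_login: Optional[float] = None

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    def __init__(self) -> None:
        self.rows: Dict[str, UserRow] = {}   # keyed by username

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.rows[username] = UserRow(salt, _hash(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'locked' or 'bad_password'; `now` is injected so the timeout is testable."""
        row = self.rows.get(username)
        if row is None:
            return "bad_password"  # same reply as a wrong password: no hint that the name exists
        # Locked while the threshold is reached AND the window has not elapsed
        # (failed_attempts > 0 guarantees last_failed was set alongside it).
        if row.failed_attempts >= THRESHOLD and now - row.last_failed <= LOCKOUT:
            return "locked"        # the password is not checked at all while locked
        if row.failed_attempts >= THRESHOLD:
            row.failed_attempts = 0  # window elapsed: stale failures no longer count
        if hmac.compare_digest(_hash(password, row.salt), row.password_hash):
            row.failed_attempts, row.last_failed, row.last_login = 0, None, now
            return "ok"
        row.failed_attempts += 1
        row.last_failed = now
        return "bad_password"

def demo() -> list:
    """Three wrong passwords lock 'alice'; the right one is refused until the window elapses."""
    store = UserStore()
    store.add_user("alice", "correct horse")  # constructed sample user
    t0 = 1_700_000_000                         # constructed clock value (seconds)
    results = [store.login("alice", "wrong", t0 + i) for i in range(3)]
    results.append(store.login("alice", "correct horse", t0 + 60))
    return results + [store.login("alice", "correct horse", t0 + LOCKOUT + 60)]
```

`demo()` returns `['bad_password', 'bad_password', 'bad_password', 'locked', 'ok']`; in a real deployment the same row updates would be issued as UPDATE statements against the table the answer sketches.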