Auto-lock out module after 3-5 unsuccessful logins

tchangmian

Hi, I would like to create an auto-lock out module where users are
unable to continue login attempts after 3-5 unsuccessful logins. In
addition, the user accounts are automatically suspended after the
stipulated number of unsuccessful logins.
Is there any sample coding in ASP or Javascript for me to refer to??
Thanks a lot!!!
 
Evertjan.

tchangmian wrote on 13 dec 2004 in microsoft.public.inetserver.asp.general:
> Hi, I would like to create an auto-lock out module where users are
> unable to continue login attempt after 3-5 unsuccessful logins. In
> addition, the user account are automatically suspended after
> stipulated unsuccessful logins.

First think, hangmian!

How can you determine the account user of an unsuccessful login ??

The best you can do is allowing a maximum logincount per ASP-session, [and
denying access to people without session cookies enabled, so without a
session]

Setting a deny cookie on the client is a nice but defeatable action.

Denying IP-addresses is NOT an option, IMHO.
 
Mark Schupp

Here is the gist of a simplistic mechanism we did for a client. It may or
may not be sufficient for your situation:

------before authenticating user-------

'attempts are stored in Application Variables by login id
nTry = Application(strLoginID)
If Not IsNumeric(nTry) Then
    nTry = 1            'no entry yet: this is the first attempt
Else
    nTry = nTry + 1     'previous failures recorded: count this attempt
End If

If nTry > 3 Then
    Response.Redirect "../html/mp_acctlocked.html"
Else
    '-------code to authenticate user goes here-------
End If

If AuthenticateUser = 0 Then
    Application.Contents.Remove(strLoginID) 'successful, clear the counter
Else
    Application(strLoginID) = nTry 'failed, update try count
End If

You also need admin functions to unlock users.

A more robust mechanism would store the try count in a database along with a
timestamp so that locked accounts could be released automatically if
desired.
 
Evertjan.

Mark Schupp wrote on 13 dec 2004 in
microsoft.public.inetserver.asp.general:
> If AuthenticateUser = 0 Then
> Application.Contents.Remove(strLoginID) 'successful
> Else
> Application(strLoginID) = nTry 'failed, update try count
> End If

So if I knew another's username,
I could lock him out till doomsday or till server reset,
willingly or by accident?

So if I stumbled on another application variable's name,
unconnected to authentication, like a users-online counter,
I could change the content to 1, 2 or 3,
willingly or by accident?
 
Mark Schupp

I didn't say it was perfect. I said it met the client's requirements. That
requirement (and probably the requirement that the OP has) was from an IT
department's security review and was non-negotiable. The potential that a
user could be locked out had to be accepted as the cost of limiting repeated
login attempts.

In that particular application all application variables had prefixes to
their names which would likely prevent collision with login IDs. So in that
case the "quick fix" using application variables was deemed acceptable. A
much better solution (and the one we will use should we include the feature
in the standard application) is to keep track of login attempts in the
database.
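The database-backed variant Mark describes (a try count plus a timestamp per login id, a prefixed key namespace so login ids cannot collide with other entries, and automatic release once the window has passed), written out as an added example. This is not code from the thread: Python is used here as a language-neutral model, a dict stands in for the database table, and the names LoginThrottle, attempt_login and the 3-attempt / 15-minute values are assumptions for illustration.

```python
import time

MAX_ATTEMPTS = 3          # lock after this many consecutive failures
LOCK_SECONDS = 15 * 60    # a locked account is released automatically after this long
KEY_PREFIX = "auth_try:"  # namespaced key, so a login id cannot collide with other entries

def _key(login_id):
    return KEY_PREFIX + login_id.strip().lower()

class LoginThrottle:
    """Stand-in for the 'try count plus timestamp' table: login id -> (count, last_failure)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lock_seconds=LOCK_SECONDS):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.store = {}  # a dict stands in for the database table (assumption)

    def is_locked(self, login_id, now=None):
        now = time.time() if now is None else now
        entry = self.store.get(_key(login_id))
        if entry is None:
            return False
        count, last_failure = entry
        if now - last_failure >= self.lock_seconds:
            self.store.pop(_key(login_id))  # window elapsed: release automatically
            return False
        return count >= self.max_attempts

    def record_failure(self, login_id, now=None):
        now = time.time() if now is None else now
        entry = self.store.get(_key(login_id))
        if entry is None or now - entry[1] >= self.lock_seconds:
            self.store[_key(login_id)] = (1, now)  # first failure, or a stale window restarts
        else:
            self.store[_key(login_id)] = (entry[0] + 1, now)

    def record_success(self, login_id):
        # Same effect as Application.Contents.Remove; an admin unlock function would do this too.
        self.store.pop(_key(login_id), None)

def attempt_login(throttle, login_id, password, authenticate, now=None):
    """Same order as the ASP gist: check the count before authenticating, update it after."""
    if throttle.is_locked(login_id, now):
        return "locked"
    if authenticate(login_id, password):
        throttle.record_success(login_id)
        return "ok"
    throttle.record_failure(login_id, now)
    return "failed"
```

Because the window is measured from the last failure and failures during a lock are not recorded, someone who knows a username can still lock it for one window, but not "till doomsday or till server reset".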
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,769
Messages
2,569,582
Members
45,057
Latest member
KetoBeezACVGummies

Latest Threads

Top