Cotton Rohrscheib

The Cotton Club Blog & Podcast


Locking Down Authentication Inside PHPRunner

July 26, 2009 by Cotton Rohrscheib

One of the biggest challenges you face when building hosted applications is preventing brute-force or guessed-password logins, especially given the number of warez-type applications out there that let unsavory users do just that. I found a resource on Xlinesoft’s website that demonstrates how to block a user after three unsuccessful attempts to log in to your application.

This scheme uses the visitor's IP address to log login attempts in the database and blocks access to the login feature for 30 minutes after the third unsuccessful attempt. It relies on the Events feature, which is available in ASPRunnerPro 6.0 / PHPRunner 5.0. I have reposted the steps for PHPRunner below, but you can find the ASPRunner notes here…

Step One:
In MySQL Server, run the following script to create a table in your database that logs login attempts. The box below shows the MySQL command.

    CREATE TABLE `LoginAttempts`
    (
    -- 45 characters holds an IPv6 address; VARCHAR(20) would truncate or reject it
    `IP` VARCHAR(45) NOT NULL,
    `Attempts` INT NOT NULL,
    `LastLogin` DATETIME NOT NULL
    );

Step Two:

Open your PHPRunner project and go to the security tab and switch on the “Create Login Page” checklist.

Check the Username and password from database option and choose appropriate fields. If you have no table in which all of the login details are stored you have to create it.

Step Three:

Add three global events on the Events tab: BeforeLogin, AfterSuccessfulLogin, AfterUnsuccessfulLogin.  Below you will find the PHPRunner example for this:

    <?php
    function BeforeLogin($username, $password)
    {
        //********** Custom code ************
        // check if this IP address is currently blocked
        // REMOTE_ADDR is the peer address of the connection; behind a reverse
        // proxy it is the proxy's address, so every visitor shares one counter
        global $conn;
        $sql = "select Attempts, LastLogin from LoginAttempts where ip = '" . $_SERVER["REMOTE_ADDR"] . "'";
        $rs = db_query($sql,$conn);
        $data = db_fetch_array($rs);

        // no record for this address yet: allow the login attempt
        if (!$data || !strlen($data["LastLogin"]))
            return true;

        // minutes elapsed since the stored LastLogin timestamp
        $atime = db2time($data["LastLogin"]);
        $time = mktime($atime[3],$atime[4],$atime[5],$atime[1],$atime[2],$atime[0]);
        $diff = (time()-$time)/60;

        if ($data["Attempts"]>=3)
        {
            if($diff<30)
            {
                echo "<p align=center><br><font color=red><b>Access denied for 30 minutes</b> </font></p>";
                return false;
            }
            else
            {
                // block has expired: reset the counter
                db_exec("update LoginAttempts set Attempts=0 where ip = '" . $_SERVER["REMOTE_ADDR"] . "'",$conn);
                return true;
            }
        }
        return true;
    }

    function AfterSuccessfulLogin()
    {
        //********** Custom code ************
        // clear previous attempts
        global $conn;
        db_exec("update LoginAttempts set Attempts=0 where ip = '" . $_SERVER["REMOTE_ADDR"] . "'",$conn);
    }

    function AfterUnsuccessfulLogin()
    {
        //********** Custom code ************
        // increase number of attempts
        // set last login attempt time if required
        global $conn;
        $sql = "select * from LoginAttempts where ip = '" . $_SERVER["REMOTE_ADDR"] . "'";
        $rs = db_query($sql,$conn);
        $data = db_fetch_array($rs);

        if($data)
        {
            $attempts = $data["Attempts"]+1;

            // the 30-minute block is measured from the third failure
            if($attempts==3)
                db_exec("update LoginAttempts set Attempts=" . $attempts . ", LastLogin=now() where ip = '" . $_SERVER["REMOTE_ADDR"] . "'",$conn);
            else
                db_exec("update LoginAttempts set Attempts=" . $attempts . " where ip = '" . $_SERVER["REMOTE_ADDR"] . "'",$conn);
        }
        else
            db_exec("insert into LoginAttempts (Attempts,IP,LastLogin) values (1, '" . $_SERVER["REMOTE_ADDR"] . "',NOW())",$conn);
    }
    ?>

Step Four:

Finish the code generation / compiling process and upload your application. It’s important to remember that by doing this, your visitors have to enter their username and password to gain access to the site. After the third unsuccessful login attempt, access from their IP address will be denied for 30 minutes. When a visitor tries to log in while the address is blocked, they will see a message saying access is denied.
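
The same three-failure, 30-minute policy as a stand-alone added example (not Xlinesoft's or this post's code), using PDO bound parameters and an increment done inside the UPDATE. The function names, the in-memory SQLite store, the integer timestamps and the sample address are assumptions made so it runs on its own; table and column names follow the steps above.

```php
<?php
// Added example: 3 failures from one IP -> 30-minute block (policy from the post).
// Function names and the in-memory SQLite store are assumptions, not PHPRunner APIs.
const MAX_ATTEMPTS = 3;
const LOCK_SECONDS = 30 * 60;

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per address (primary key); 45 characters fits an IPv6 address.
    $db->exec('CREATE TABLE LoginAttempts (IP VARCHAR(45) PRIMARY KEY,
               Attempts INT NOT NULL, LastLogin INT NOT NULL)');
    return $db;
}

function isBlocked(PDO $db, string $ip, int $now): bool {
    $st = $db->prepare('SELECT Attempts, LastLogin FROM LoginAttempts WHERE IP = ?');
    $st->execute([$ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['Attempts'] < MAX_ATTEMPTS) {
        return false;
    }
    if ($now - $row['LastLogin'] < LOCK_SECONDS) {
        return true;                      // still inside the 30-minute window
    }
    // Window expired: reset the counter, as BeforeLogin does in the post.
    $db->prepare('UPDATE LoginAttempts SET Attempts = 0 WHERE IP = ?')->execute([$ip]);
    return false;
}

function recordFailure(PDO $db, string $ip, int $now): void {
    // Increment inside the UPDATE so no failure is lost between a read and a write.
    $st = $db->prepare('UPDATE LoginAttempts SET Attempts = Attempts + 1, LastLogin = ? WHERE IP = ?');
    $st->execute([$now, $ip]);
    if ($st->rowCount() === 0) {          // first failure seen from this address
        $db->prepare('INSERT INTO LoginAttempts (IP, Attempts, LastLogin) VALUES (?, 1, ?)')
           ->execute([$ip, $now]);
    }
}

// Constructed run: three failures from a documentation-range address, then two checks.
$db = openStore();
$ip = '203.0.113.7';
$t0 = 1248600000;                         // constructed timestamp
foreach ([0, 10, 20] as $offset) recordFailure($db, $ip, $t0 + $offset);
var_dump(isBlocked($db, $ip, $t0 + 60));                 // one minute after the first failure
var_dump(isBlocked($db, $ip, $t0 + 20 + LOCK_SECONDS));  // 30 minutes after the third failure
```

Here `LastLogin` is refreshed on every failure rather than only on the third; because no failure can be recorded while the address is blocked, the block is still measured from the third failure.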

Find out how to do this for ASPRunner also…

——————————————————————

There are a lot of other useful resources for PHPRunner users in the Articles section on Xlinesoft’s website; you can find them here…
