
lock out users after three failed login attempts

New Here, Oct 30, 2007


I used Dreamweaver's login wizard to secure a directory in my application (using simple authentication). That all works fine, but now I need to add the functionality where a user would be locked out (temporarily, using a session variable) after three failed login attempts. I've tried many ways but I can't figure it out. I've enabled session management in my application.cfm and set the sessiontimeout variable. Where do I put the code (and what code would that be) that counts the attempts and then freezes it after three failed attempts?

This is the code in the mm_wizard_authenticate.cfc file:

<cffunction name="simpleauth" access="private" output="false" returntype="struct" hint="Authenticate using a single username and password">
<cfargument name="sUserName" required="true" hint="The username that was setup in the Login Wizard.">
<cfargument name="sPassword" required="true" hint="The password that was setup in the Login Wizard.">
<cfargument name="uUserName" required="true" hint="The username passed in from the client.">
<cfargument name="uPassword" required="true" hint="The password passed in from the client.">
<cfset var retargs = StructNew()>

<cfif sUserName eq uUserName AND sPassword eq uPassword>
<cfset retargs.authenticated="YES">
<cfelse>
<cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>
</cffunction>

I'm thinking I need to add something like this (below) somewhere but I don't know where.

<cflock scope="SESSION" timeout="3" type="EXCLUSIVE">
<cfif NOT IsDefined("request.login") or request.login neq 1>
<cflocation addtoken="No" url="mm_wizard_login.cfm">
</cfif>
</cflock>

Any help gratefully appreciated. Thanks!
TOPICS
Advanced techniques

Guest, Oct 30, 2007


Something like this might work for you.

New Here, Oct 30, 2007


Where in my code do I add this code, jdeline?

Guest, Oct 30, 2007


The top section goes at the top of the page on which you are doing the authentication. The bottom section goes after the authentication is checked.

New Here, Oct 30, 2007

My first attempt at putting in your code resulted in locking myself out completely. My second attempt just doesn't lock at all. I'm thinking I have the items in the wrong place in the files or in the wrong files altogether.


Ok, in my mm_wizard_login.cfm file I have:

<cfinclude template="Application.cfm">
<cfinclude template="Application.cfc">

<cfparam name="errorMessage" default="">

<!--- output error message if it has been defined --->
<CFPARAM NAME="session.loginCount" DEFAULT="0">
<CFIF session.loginCount IS 3>
You have failed on 3 login attempts. Come back later.
<CFABORT>
</CFIF>

<cfif len(trim(errorMessage))>
<cfoutput>
<ul>
<li><font color="FF0000">#errorMessage#</font></li>
</ul>
</cfoutput>
</cfif>

<!--- This is the login form, you can change the font and color etc but please keep the username and password input names the same --->
<cfoutput>
<H2>Please Login to the Staff Awards Database.</H2>

<cfform name="loginform" action="#CGI.script_name#?#CGI.query_string#" method="Post">
<table>
<tr>
<td>User Name:</td>
<td><cfinput type="text" name="j_username" required="yes" message="A username is required"></td>
</tr>
<tr>
<td>Password:</td>
<td><cfinput type="password" name="j_password" required="yes" message="A password is required"></td>
</tr>
</table>
<br>
<input type="submit" value="Log In">
</cfform>
</cfoutput>


and then in my mm_wizard_authenticate.cfc file I have:

<!---- ////////////////////////////////////////////////////--->
<!---- Simple Authentication --->
<!---- ////////////////////////////////////////////////////--->

<cffunction name="simpleauth" access="private" output="false" returntype="struct" hint="Authenticate using a single username and password">
<cfargument name="sUserName" required="true" hint="The username that was setup in the Login Wizard.">
<cfargument name="sPassword" required="true" hint="The password that was setup in the Login Wizard.">
<cfargument name="uUserName" required="true" hint="The username passed in from the client.">
<cfargument name="uPassword" required="true" hint="The password passed in from the client.">
<cfset var retargs = StructNew()>

<cfif sUserName eq uUserName AND sPassword eq uPassword>
<cfset retargs.authenticated="YES">
<cfelse>
<cfset retargs.authenticated="NO">
</cfif>

<cfreturn retargs>
</cffunction>


<!---- ////////////////////////////////////////////////////--->
<!--- This method performs the <cflogin> call and in turn --->
<!--- calls the actual authentication method --->
<!---- ////////////////////////////////////////////////////--->
<cffunction name="performlogin" access="public" output="true" hint="Log a user in using either NT, LDAP, or Simple (a predefined username and password) authentication.">
<cfargument name="args" type="struct" required="true" hint="These are the parameters setup by the Login Wizard">
<cfset var x = "BA96585C95784E12FFEBDD0117FCAEBD">
<cfset var y = "6B3163D122DE19B5DCC2DEBDF70CAED5">
<cflogin>
<cfif NOT IsDefined("cflogin")>
<cfif args.authLogin eq "challenge">
<cfheader statuscode="401">
<cfheader name="www-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
<cfelse>
<cfinclude template="#args.loginform#">
</cfif>
<cfabort>
<cfelse>
<cftry>
<cfif args.authtype eq "NT">
<cfinvoke method="ntauth"
returnvariable="result"
nusername="#cflogin.name#"
npassword="#cflogin.password#"
ndomain="#args.domain#" >

<cfelseif args.authtype eq "LDAP">
<cfinvoke method="ldapauth" returnvariable="result"
lStart="#args.start#"
lServer="#args.server#"
lPort="#args.port#"
sUserName="#args.suser#"
sPassword="#args.spwd#"
sQueryString="#args.queryString#"
uUsername="#cflogin.name#"
uPassword="#cflogin.password#">
</cfinvoke>
<cfelseif args.authtype eq "Simple">
<cfinvoke method="simpleauth" returnvariable="result"
sUserName="#args.suser#"
sPassword="#args.spwd#"
uUserName="#cflogin.name#"
uPassword="#hash(x&cflogin.password&y,'SHA-1')#">
</cfinvoke>
</cfif>



<cfcatch>
<cfset errorMessage = "Your login information is not valid.<br>Please Try again.<br>If you have tried three times unsuccessfully you have been locked out. You may try again after 20 minutes.">

<cfif args.authLogin eq "challenge">
<cfheader statuscode="401">
<cfheader name="www-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
<cfelse>
<cfinclude template="#args.loginform#">
</cfif>
<cfabort>
</cfcatch>
</cftry>
</cfif>
<!--- validate if the user is authenticated --->
<cfif result.authenticated eq "YES">
<!--- if authenticated --->
<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
<cfelse>
<!--- if not authenticated, return to login form with an error message --->

<cfset errorMessage = "Your login information is not valid.<br>Please Try again.<br>If you have tried three times unsuccessfully you have been locked out. You may try again after 20 minutes.">

<CFSET session.loginCount = session.loginCount + 1>
<CFLOCATION URL="mm_wizard_login.cfm">

<cfif args.authLogin eq "challenge">
<cfheader statuscode="401">
<cfheader name="www-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
<cfelse>
<cfinclude template="#args.loginform#">
</cfif>
<cfabort>
</cfif>
</cflogin>


</cffunction>

Guest, Oct 30, 2007


I would suggest that you use a cookie. Every time an attempt fails, check whether the cookie exists; if it does, add 1 to its value.


Before you display the login screen, check the value of the cookie. If the value is more than 3, display only a message indicating that he/she can't log on.

If the logon is successful, reset the cookie value to zero.

Also, in application.cfm you need to do the following:

<cfif isDefined('cookie.cfid') and isDefined('cookie.cftoken')>
<cfset localcfid= cookie.cfid>
<cfset localcftoken = cookie.cftoken>
<cfcookie name="cfid" value="#localcfid#">
<cfcookie name="cftoken" value="#localcftoken#">

</cfif>

The code above will clear the session information whenever the user closes the browser and opens it again.

Good luck
Mamdoh

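One way to put the counter into the authentication path, as an added example that is not part of this thread or of the Dreamweaver Login Wizard code: a small LoginThrottle.cfc that keeps the failure count and a lockout expiry in the SESSION scope, followed by a comment showing the three call sites inside performlogin(). The component name, its assumed location (same directory as mm_wizard_authenticate.cfc), and the three-attempt / 20-minute policy are assumptions taken from the posts above. The check runs inside performlogin() rather than only at the top of mm_wizard_login.cfm, because the form is optional: anyone can POST j_username and j_password straight at a protected page and never render the form, so a check that lives only in front of the form does not lock anything. The comparison uses GTE rather than IS, so the lock still holds on the fourth and later attempts, and an expiry timestamp lets the lock release itself after the window.

```cfml
<!--- LoginThrottle.cfc: added example, not part of the Login Wizard.      --->
<!--- Assumed location: same directory as mm_wizard_authenticate.cfc.      --->
<cfcomponent output="false" hint="Failed-login counter and temporary lockout kept in the SESSION scope">

    <!--- Policy values taken from the thread; adjust as needed --->
    <cfset variables.maxAttempts = 3>
    <cfset variables.lockMinutes = 20>

    <cffunction name="ensureKeys" access="private" returntype="void" output="false"
                hint="Create the two session keys before anything reads them">
        <cfparam name="session.failedLogins" default="0">
        <cfparam name="session.lockedUntil" default="">
    </cffunction>

    <cffunction name="isLocked" access="public" returntype="boolean" output="false"
                hint="True while a lockout is in force. Call this BEFORE comparing credentials.">
        <cfset var locked = false>
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset ensureKeys()>
            <cfif IsDate(session.lockedUntil)>
                <cfif DateCompare(Now(), session.lockedUntil) LT 0>
                    <!--- still inside the lockout window --->
                    <cfset locked = true>
                <cfelse>
                    <!--- window has expired: release the lock and start counting again --->
                    <cfset session.failedLogins = 0>
                    <cfset session.lockedUntil = "">
                </cfif>
            </cfif>
        </cflock>
        <cfreturn locked>
    </cffunction>

    <cffunction name="recordFailure" access="public" returntype="boolean" output="false"
                hint="Count one failed attempt; returns true if this attempt triggered the lockout">
        <cfset var nowLocked = false>
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset ensureKeys()>
            <cfset session.failedLogins = session.failedLogins + 1>
            <!--- GTE, not IS: the lock must hold on the fourth and later attempts too --->
            <cfif session.failedLogins GTE variables.maxAttempts>
                <cfset session.lockedUntil = DateAdd("n", variables.lockMinutes, Now())>
                <cfset nowLocked = true>
            </cfif>
        </cflock>
        <cfreturn nowLocked>
    </cffunction>

    <cffunction name="recordSuccess" access="public" returntype="void" output="false"
                hint="Reset the counter after a good login">
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset session.failedLogins = 0>
            <cfset session.lockedUntil = "">
        </cflock>
    </cffunction>

    <cffunction name="minutesRemaining" access="public" returntype="numeric" output="false"
                hint="Whole minutes left on the current lockout, 0 if none">
        <cfset var remaining = 0>
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset ensureKeys()>
            <cfif IsDate(session.lockedUntil)>
                <cfset remaining = Max(0, DateDiff("n", Now(), session.lockedUntil))>
            </cfif>
        </cflock>
        <cfreturn remaining>
    </cffunction>

    <!---
    Call sites inside performlogin() in mm_wizard_authenticate.cfc. This is the
    place the counter must be checked; mm_wizard_login.cfm may show a message too,
    but a check there alone is bypassed by posting j_username/j_password directly.

    1. With the other var declarations at the top of performlogin():
        <cfset var throttle = CreateObject("component", "LoginThrottle")>

    2. Inside the <cfelse> of <cfif NOT IsDefined("cflogin")>, before the <cftry>
       that invokes simpleauth (no password is compared while locked):
        <cfif throttle.isLocked()>
            <cfset errorMessage = "Too many failed logins. Try again in #throttle.minutesRemaining()# minutes.">
            <cfinclude template="#args.loginform#">
            <cfabort>
        </cfif>

    3. In the result check, one line in each branch and no <cflocation> (the redirect
       ends the request before the form and errorMessage are rendered):
        <cfif result.authenticated eq "YES">
            <cfset throttle.recordSuccess()>
            <cfloginuser ...>
        <cfelse>
            <cfset throttle.recordFailure()>
            ... set errorMessage, include #args.loginform#, <cfabort> ...
        </cfif>
    --->
</cfcomponent>
```

Keeping the counter on the server matters: a counter stored in a client cookie can be deleted or rewritten by the client, so it only slows down cooperative users. A session-scoped counter has a weaker version of the same limit, since a client that discards its CFID/CFTOKEN cookies gets a fresh session and a fresh counter. If that matters for this application, key the same three functions by username in the APPLICATION scope or a database table instead, and log each lockout so repeated lockouts against one account are visible in monitoring.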