5 Replies Latest reply on Oct 30, 2007 1:29 PM by pamcorey

    lock out users after three failed login attempts

    pamcorey
      I used Dreamweaver's login wizard to secure a directory in my application (using simple authentication). That all works fine, but now I need to add the functionality where a user would be locked out (temporarily, using a session variable) after three failed login attempts. I've tried many ways but I can't figure it out. I've enabled session management in my application.cfm and set the sessiontimeout variable. Where do I put the code (and what code would that be) that counts the attempts and then freezes it after three failed attempts?

      This is the code in the mm_wizard_authenticate.cfc file:

      <cffunction name="simpleauth" access="private" output="false" returntype="struct" hint="Authenticate using a single username and password">
      <cfargument name="sUserName" required="true" hint="The username that was setup in the Login Wizard.">
      <cfargument name="sPassword" required="true" hint="The password that was setup in the Login Wizard.">
      <cfargument name="uUserName" required="true" hint="The username passed in from the client.">
      <cfargument name="uPassword" required="true" hint="The password passed in from the client.">
      <cfset var retargs = StructNew()>

      <cfif sUserName eq uUserName AND sPassword eq uPassword>
      <cfset retargs.authenticated="YES">
      <cfelse>
      <cfset retargs.authenticated="NO">
      </cfif>
      <cfreturn retargs>
      </cffunction>

      I'm thinking I need to add something like this (below) somewhere but I don't know where.

      <cflock scope="SESSION" timeout="3" type="EXCLUSIVE">
      <cfif NOT IsDefined("request.login") or request.login neq 1>
      <cflocation addtoken="No" url="mm_wizard_login.cfm">
      </cfif>
      </cflock>

      Any help gratefully appreciated. Thanks!
        • 1. Re: lock out users after three failed login attempts
          jdeline Level 1
          Something like this might work for you.
          • 2. lock out users after three failed login attempts
            Mamdoh_Alhabeeb
            I will suggest that you use a cookie. Every time the attempt fails, you will check if the cookie exists; if it does, then you will add 1 to the value.


            Before you display the login screen, you will check the value of the cookie. If the value is more than 3, then you will only display a message indicating that he/she can't log on.

            If the logon is successful, then you need to reset the cookie value to zero.

            Also, in the application.cfm you need to do the following:

            <cfif isDefined('cookie.cfid') and isDefined('cookie.cftoken')>
            <cfset localcfid= cookie.cfid>
            <cfset localcftoken = cookie.cftoken>
            <cfcookie name="cfid" value="#localcfid#">
            <cfcookie name="cftoken" value="#localcftoken#">

            </cfif>

            The code above will clear the session information whenever the user closes the browser and opens it again.

            Good luck
            Mamdoh
            • 3. lock out users after three failed login attempts
              pamcorey Level 1
              Where in my code do I add this code, jdeline?
              • 4. Re: lock out users after three failed login attempts
                jdeline Level 1
                The top section goes at the top of the page on which you are doing the authentication. The bottom section goes after the authentication is checked.
                • 5. Re: lock out users after three failed login attempts
                  pamcorey Level 1
                  My first attempt at putting in your code resulted in locking myself out completely. My second attempt just doesn't lock at all. I'm thinking I have the items in the wrong place in the files or in the wrong files altogether.


                  OK, in my mm_wizard_login.cfm file I have:

                  <cfinclude template="Application.cfm">
                  <cfinclude template="Application.cfc">

                  <cfparam name="errorMessage" default="">

                  <!--- output error message if it has been defined --->
                  <CFPARAM NAME="session.loginCount" DEFAULT="0">
                  <CFIF session.loginCount IS 3>
                  You have failed on 3 login attempts. Come back later.
                  <CFABORT>
                  </CFIF>

                  <cfif len(trim(errorMessage))>
                  <cfoutput>
                  <ul>
                  <li><font color="FF0000">#errorMessage#</font></li>
                  </ul>
                  </cfoutput>
                  </cfif>

                  <!--- This is the login form, you can change the font and color etc but please keep the username and password input names the same --->
                  <cfoutput>
                  <H2>Please Login to the Staff Awards Database.</H2>

                  <cfform name="loginform" action="#CGI.script_name#?#CGI.query_string#" method="Post">
                  <table>
                  <tr>
                  <td>User Name:</td>
                  <td><cfinput type="text" name="j_username" required="yes" message="A username is required"></td>
                  </tr>
                  <tr>
                  <td>Password:</td>
                  <td><cfinput type="password" name="j_password" required="yes" message="A password is required"></td>
                  </tr>
                  </table>
                  <br>
                  <input type="submit" value="Log In">
                  </cfform>
                  </cfoutput>


                  and then in my mm_wizard_authenticate.cfc file I have:

                  <!---- ////////////////////////////////////////////////////--->
                  <!---- Simple Authentication --->
                  <!---- ////////////////////////////////////////////////////--->

                  <cffunction name="simpleauth" access="private" output="false" returntype="struct" hint="Authenticate using a single username and password">
                  <cfargument name="sUserName" required="true" hint="The username that was setup in the Login Wizard.">
                  <cfargument name="sPassword" required="true" hint="The password that was setup in the Login Wizard.">
                  <cfargument name="uUserName" required="true" hint="The username passed in from the client.">
                  <cfargument name="uPassword" required="true" hint="The password passed in from the client.">
                  <cfset var retargs = StructNew()>

                  <cfif sUserName eq uUserName AND sPassword eq uPassword>
                  <cfset retargs.authenticated="YES">
                  <cfelse>
                  <cfset retargs.authenticated="NO">
                  </cfif>

                  <cfreturn retargs>
                  </cffunction>


                  <!---- ////////////////////////////////////////////////////--->
                  <!--- This method performs the <cflogin> call and in turn --->
                  <!--- calls the actual authentication method --->
                  <!---- ////////////////////////////////////////////////////--->
                  <cffunction name="performlogin" access="public" output="true" hint="Log a user in using either NT, LDAP, or Simple (a predefined username and password) authentication.">
                  <cfargument name="args" type="struct" required="true" hint="These are the parameters setup by the Login Wizard">
                  <cfset var x = "BA96585C95784E12FFEBDD0117FCAEBD">
                  <cfset var y = "6B3163D122DE19B5DCC2DEBDF70CAED5">
                  <cflogin>
                  <cfif NOT IsDefined("cflogin")>
                  <cfif args.authLogin eq "challenge">
                  <cfheader statuscode="401">
                  <cfheader name="www-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
                  <cfelse>
                  <cfinclude template="#args.loginform#">
                  </cfif>
                  <cfabort>
                  <cfelse>
                  <cftry>
                  <cfif args.authtype eq "NT">
                  <cfinvoke method="ntauth"
                  returnvariable="result"
                  nusername="#cflogin.name#"
                  npassword="#cflogin.password#"
                  ndomain="#args.domain#" >

                  <cfelseif args.authtype eq "LDAP">
                  <cfinvoke method="ldapauth" returnvariable="result"
                  lStart="#args.start#"
                  lServer="#args.server#"
                  lPort="#args.port#"
                  sUserName="#args.suser#"
                  sPassword="#args.spwd#"
                  sQueryString="#args.queryString#"
                  uUsername="#cflogin.name#"
                  uPassword="#cflogin.password#">
                  </cfinvoke>
                  <cfelseif args.authtype eq "Simple">
                  <cfinvoke method="simpleauth" returnvariable="result"
                  sUserName="#args.suser#"
                  sPassword="#args.spwd#"
                  uUserName="#cflogin.name#"
                  uPassword="#hash(x&cflogin.password&y,'SHA-1')#">
                  </cfinvoke>
                  </cfif>



                  <cfcatch>
                  <cfset errorMessage = "Your login information is not valid.<br>Please Try again.<br>If you have tried three times unsuccessfully you have been locked out. You may try again after 20 minutes.">

                  <cfif args.authLogin eq "challenge">
                  <cfheader statuscode="401">
                  <cfheader name="www-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
                  <cfelse>
                  <cfinclude template="#args.loginform#">
                  </cfif>
                  <cfabort>
                  </cfcatch>
                  </cftry>
                  </cfif>
                  <!--- validate if the user is authenticated --->
                  <cfif result.authenticated eq "YES">
                  <!--- if authenticated --->
                  <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
                  <cfelse>
                  <!--- if not authenticated, return to login form with an error message --->

                  <cfset errorMessage = "Your login information is not valid.<br>Please Try again.<br>If you have tried three times unsuccessfully you have been locked out. You may try again after 20 minutes.">

                  <CFSET session.loginCount = session.loginCount + 1>
                  <CFLOCATION URL="mm_wizard_login.cfm">

                  <cfif args.authLogin eq "challenge">
                  <cfheader statuscode="401">
                  <cfheader name="www-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
                  <cfelse>
                  <cfinclude template="#args.loginform#">
                  </cfif>
                  <cfabort>
                  </cfif>
                  </cflogin>


                  </cffunction>
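An added example, not code from this thread or from the Dreamweaver login wizard, showing one way to do what the original question asks: a failed-attempt counter kept in the SESSION scope. The counter is deliberately not kept in a browser cookie as suggested in reply 2, because a cookie is under the visitor's control and can be deleted or edited, so it cannot be trusted to count failures. The function names, the session variable names and the 3-attempt / 20-minute values are choices made for this example. It also illustrates the ordering problem in the last post above: the failure has to be counted before any <cflocation> or <cfabort>, because those end the request and nothing placed after them ever runs, and the check should use GTE rather than IS so a fourth attempt is still refused.

```cfml
<!--- Added example (not from the thread): server-side lockout counter in the SESSION scope. --->
<!--- Assumes Application.cfm has sessionmanagement="yes"; all names below are chosen for this example. --->

<cffunction name="initLockout" returntype="void" output="false"
            hint="Create the counters once per session so the other functions can rely on them.">
    <cflock scope="session" type="exclusive" timeout="5">
        <cfparam name="session.loginFailures" default="0">
        <cfparam name="session.lockedUntil" default="">
    </cflock>
</cffunction>

<cffunction name="isLockedOut" returntype="boolean" output="false"
            hint="True while a lockout window started by recordFailure() has not yet expired.">
    <cfset var locked = false>
    <cflock scope="session" type="readonly" timeout="5">
        <!--- DateCompare returns -1 when Now() is earlier than lockedUntil --->
        <cfif IsDate(session.lockedUntil) AND DateCompare(Now(), session.lockedUntil) LT 0>
            <cfset locked = true>
        </cfif>
    </cflock>
    <cfreturn locked>
</cffunction>

<cffunction name="recordFailure" returntype="void" output="false"
            hint="Count one failed attempt; at the limit, start the lockout window and reset the counter.">
    <cfargument name="maxAttempts" type="numeric" default="3">
    <cfargument name="lockoutMinutes" type="numeric" default="20">
    <cflock scope="session" type="exclusive" timeout="5">
        <cfset session.loginFailures = session.loginFailures + 1>
        <cfif session.loginFailures GTE arguments.maxAttempts>
            <!--- "n" is the DateAdd unit for minutes --->
            <cfset session.lockedUntil = DateAdd("n", arguments.lockoutMinutes, Now())>
            <cfset session.loginFailures = 0>
        </cfif>
    </cflock>
</cffunction>

<cffunction name="recordSuccess" returntype="void" output="false"
            hint="A good login clears the counter and any pending lockout.">
    <cflock scope="session" type="exclusive" timeout="5">
        <cfset session.loginFailures = 0>
        <cfset session.lockedUntil = "">
    </cflock>
</cffunction>

<!--- Constructed demonstration: three bad attempts start the lockout, a good login clears it. --->
<cfset initLockout()>
<cfset recordSuccess()>   <!--- start from a clean state --->
<cfloop from="1" to="3" index="i">
    <cfset recordFailure()>
</cfloop>
<cfoutput>Locked out after 3 failures: #isLockedOut()#<br></cfoutput>   <!--- prints YES --->
<cfif isLockedOut()>
    <cfoutput>Try again after #TimeFormat(session.lockedUntil, "HH:mm")#.<br></cfoutput>
</cfif>
<cfset recordSuccess()>
<cfoutput>After a successful login: #isLockedOut()#<br></cfoutput>     <!--- prints NO --->
```

To wire this into the wizard's files: call initLockout() and then isLockedOut() at the top of mm_wizard_login.cfm, and show a refusal message plus <cfabort> instead of the form while it returns true; call recordFailure() in the "not authenticated" branch of performlogin() as the first thing after the <cfelse>, ahead of the <cflocation>; and call recordSuccess() right after <cfloginuser>. The counter is still only as durable as the session: a visitor who starts a new session starts with a fresh counter, so a per-account counter stored server-side in the database is the stronger control, but that is beyond what this example shows.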