Block attempted hacks into other account????


civic3x98
03-17-2006, 10:35 AM
Hello,

I have a system that uses a 50-character alphanumeric string. When the user logs in, the username and password are compared in the db, and this string is compared to a file that is created to make sure the strings match.

Let's say that a user wants to be sneaky and tries to guess the string for another user, and is somehow successful. That is the equivalent of the other user logging into their account.

Is there a way I can store the hacker's string, and when they try to access the other user's account, the hacker's string is compared to the attacked user's string and the hacker is denied and sent elsewhere?

How can I do this? Are cookies involved?

erisco
03-23-2006, 05:58 PM
You are saying what exactly? If a hacker types in a valid username and password, there isn't a way for PHP to know who is doing it. All your script will care about are those two inputs. You could track IPs; however, your users could then only log in from the same IP every time. If they don't have a static IP, or are not always at home, that is a problem.

Just make sure your users are informed on making secure passwords. If they lose the password to a keylogger, well there is nothing you can do.

andre88uk
03-24-2006, 07:58 AM
As for secure passwords, I try to use something such as at least 8 characters, mixed case, and containing letters and digits, something like 5Tre61wq ....

beefa
03-24-2006, 06:11 PM
G'day mate,

The only thing you can do is remove the alphanumeric code from the URL bar and insert it into a session or cookie. That way, users can't "easily" change the code and access someone's account.

The other way is, set a field "locked" to 1 when a user logs out. On the login page, the field is set to 0 and the user is allowed to access the pages. When the user logs out, set the field back to 1.

If a "hacker" logs into their own account and changes the string, then the db will know the user didn't pass through the login page to access the account. See what I'm saying? Then you can set the "hacker's" account (remember, he logged in and set a cookie) to 2, and he's denied access altogether.

If the hacker cracks the password, there's nothing you can do.

Hope this helps,
Beefa
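One way to put beefa's suggestion into practice for the original question, as an added example that is not code from the thread: the per-user string is kept in the server-side session instead of the URL, and every protected page takes the account from the session, so a string guessed for someone else's account is never honoured. It assumes a PDO connection `$pdo` and a hypothetical `users(id, username, pwhash, token)` table, where `token` is the 50-character string.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and a hypothetical
// users(id, username, pwhash, token) table; pwhash comes from password_hash().
session_start();

function login(PDO $pdo, string $username, string $password): bool {
    $st = $pdo->prepare('SELECT id, pwhash, token FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['token']   = $row['token']; // stays server-side, never in the URL
    return true;
}

// Call at the top of every protected page. The account being viewed comes
// from the session only; the id or string is never read from the request.
function require_login(PDO $pdo): int {
    if (empty($_SESSION['user_id']) || empty($_SESSION['token'])) {
        header('Location: /login.php');
        exit;
    }
    $st = $pdo->prepare('SELECT token FROM users WHERE id = ?');
    $st->execute([$_SESSION['user_id']]);
    $stored = $st->fetchColumn();
    // Constant-time compare of the session copy against the stored string.
    // A mismatch means the session was tampered with or the token was rotated.
    if ($stored === false || !hash_equals($stored, $_SESSION['token'])) {
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    // If an old-style ?code= parameter is still sent, it must be this user's
    // own string; anything else is refused and recorded, as the question asked.
    if (isset($_GET['code']) && !hash_equals($_SESSION['token'], (string) $_GET['code'])) {
        error_log('token mismatch for user ' . $_SESSION['user_id'] . ' from ' . $_SERVER['REMOTE_ADDR']);
        http_response_code(403);
        exit;
    }
    return $_SESSION['user_id'];
}
```

With this layout the string in the URL no longer selects the account, so guessing another user's string gains nothing; as erisco notes, a correctly entered username and password still cannot be distinguished from the real user.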