In this code I'm trying to ban client if he/she/it doing to much(10) login request for 3 minutes. The problem is after 3 minutes user must refresh the page 2 times. I can see the reason why it's enter into if statement but I can't find the solution. I feel like I've overcoded.
if($this->sessions->get_data("wrong_login")>10){
if(!isset($_SESSION["ban_time"])){
$this->sessions->set_data("ban_time", time());
}else
{
if(time() - $this->sessions->get_data("ban_time") > 180){ // 180 seconds
$this->sessions->remove("ban_time");
$this->sessions->remove("wrong_login");
}
}
// The message if user still banned
die("Banned for 3 minutes!");
}
I hope I can tell the problem..
EDIT: This code is the inside of the construct of register controller.
Before your IF statement, add another if statement that checks for ban_time session if the time is up, then set the wrong_login session to 0 if it is.
if($this->sessions->get_data("ban_time") < time())
{
$this->sessions->remove("ban_time");
$this->sessions->set_data("wrong_login", 0);
}
remove your else statement there.
also forgot to mention! when you set the ban time, it should be time() + 180.
if(!isset($_SESSION["ban_time"])){
$this->sessions->set_data("ban_time", time()+180);
}
use header function.
e.g.
header("Location: /path/to/some/file.php?error=Banned for 3 minutes.");
Then on the file.php you can do this:
<?php
// Parse error
$error = isset($_GET['error']) ? $_GET['error'] : '';
// Display error (if any) and stop executing the rest of the code.
if (!empty($error)) {
exit($error);
}
?>
This will not work if you already started to output...
Related
I've created this code so that the user will not redirect onto the next page again. I set the maximum value on votenow button to 1 and once the user click the button again the value on the votenow button will not be added anymore since its maximum is 1. Everything works fine except that the user can still access the nextpage though the maximum value on the button was reached. Here's the code.
<?php
$errors = array();
$db = mysqli_connect("localhost","root","","registration");
if(isset($_POST['votenow']))
{
$votenow ="0";
$votenow1="1";
if($votenow != $votenow1){
$votenow = "update users set votenow = votenow + 1 WHERE votenow=0 LIMIT 1 ";
$run_vote = mysqli_query($db,$votenow);
echo '<script type="text/javascript">alert("hello!");</script>';
header ("Refresh:2; url=renewsys3.php");
}
else{
echo '<script type="text/javascript">alert("oh not again!");</script>';
header ("Refresh:2; url=renewsys2re.php");
}
}
?>
Can you guys help me or is there any other way so that the user will not enter the next page again? Btw, this is a voting system
The best way to use session:
$_SESSION['votenow'] = 0;
if (isset($_SESSION['votenow'])) {
if (!$_SESSION['votenow']) {
//do something
} else { // means $_SESSION['votenow'] == 1
// do something else
}
}
Redirect the URL to a different page (maybe homepage or any page) If the maximum vote is reached.
Let that code run before any other code so that the page won't load of the condition is true. It'll redirect immediately.
i'm quite a beginner with PHP and i tried to make something to get xp when cliking the button. You just need to click and it gives xp, then it refresh the page to refresh the player's stat on screen.
<form method="post">
<p><input type="submit" value="Kill the mob" name="add20xp" /></p>
</form>
<?php
if (isset($_POST['add20xp']))
{
$add20xp =("UPDATE users SET exp = (exp + 20)");
$execadd20xp = mysqli_query($connection, $add20xp);
echo '<meta http-equiv="refresh" content="0.1" />';
}
?>
The problem is that i want to prevent the user from smashing the button to prevent bugs and things like that... I tried to put sleep(1) but i can just keep spamming, wait the seconds and it works so it's not very useful.
Thanks for the help !
Save the last time the update was done in session state. Then, only allow the button to be pressed after (last time + 2 seconds) (Two seconds was chosen since that was the suggested interval in your original question).
if (isset($_POST['add20xp'])) {
if (!isset($_SESSION['last_post'])) {
$_SESSION['last_post'] = 0;
}
$currtime = time();
if ($currtime > ($_SESSION['last_post'] + 2)) {
$_SESSION['last_post'] = $currtime;
// ... process the post.
$add20xp =("UPDATE users SET exp = (exp + 20)"); // fix this line
$execadd20xp = mysqli_query($connection, $add20xp);
echo '<meta http-equiv="refresh" content="0.1" />';
}
}
As #Martin noted above in his comment, you want to do the update only for the user who pressed the button, which is the meaning of the comment "fix this line."
If you want to disable the button for 3 seconds after the form is submitted you can use this:
if(sessionStogare.getItem('submitted') === true){
document.querySelector('input[type="submit"]').disabled = true;
setTimeout(function(){
document.querySelector('input[type="submit"]').disabled = false;
sessionStorage.removeItem("submitted");
}, 3000);
}
document.querySelector("body").onclick = function() {
sessionStorage.setItem("submitted", true);
};
We will note the submission in the sessionStorage and check, if the form has been submitted every time we load the page. Then, we will disable the button and enable it after 3 seconds.
Change your php page to this:
// the beginning of the page:
<?php
// start a SESSION
session_start();
// setup a $_SESSION variable
if (!isset($_SESSION["timestamp"]))
$_SESSION["timestamp"] = 0;
//
// now put the $_POST part
if (isset($_POST['add20xp'])) {
// check the time
$now = time();
if ($now - $_SESSION["timestamp"] > 2) {
// more than 2 seconds have passed since last $_POST
// update the time
$_SESSION["timestamp"] = time();
//
$add20xp =("UPDATE users SET exp = (exp + 20)");
$execadd20xp = mysqli_query($connection, $add20xp);
//
echo '<meta http-equiv="refresh" content="0.1" />';
exit;
} else {
// nothing, just let the page load like it is.
}
}
?>
Notice some important changes:
the use of $_SESSION vars -> these vars are stored and can be
retrieved at every page load -> you can use them to store the last
time an action took place
the $_POST part should be at the beginning
of the page -> otherwise after you send a form, you load the page ->
check the post -> then reload... it's not efficient
if you put the $_POST part at the beginning, you actually don't need the page reload with the meta tag -> because the data are already
updated
This question already has answers here:
How can I throttle user login attempts in PHP
(11 answers)
Closed 9 months ago.
So I have this code:
<?php
session_start();
if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
}
if(isset($_SESSION['count'])) {
$_SESSION['count']++;
$num = 3 - $_SESSION['count'];
echo $num.' login attempts left.';
if($_SESSION['count'] < 0)
{
session_destroy("count");
unset($_SESSION["count"]);
echo 'negative :/';
}
}
if($_SESSION['count'] == 3)
{
echo 'Your session is locked for 30 minutes.';
if(!$_SESSION['timeout'])
{
$_SESSION['timeout'] = time();
}
$st = $_SESSION['timeout'] + 180; //session time is 30 minutes
if(time() < $st)
{ }
elseif(time() >= $st) {
session_destroy("count");
session_destroy("timeout");
unset($_SESSION['count']);
unset($_SESSION['timeout']);
}
}
?>
Somewhere the is an error but I can't find it :(
I just need to limit the login attempts without using a database, just simple sessions.
Can you help me?
First of, your second if should be an else I think.
if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
} else {
...
Otherwise the first statement will check if $_SESSION['count'] is unset.
If so it will set it to 0. Then for the second if it will be set and $_SESSION['count']++; will then alway increase this count to 1. So it will at least always be 1.
The second thing is that you don't decrease the count anywhere in the code.
So it will never reach 0.
If you explain more on what the exact error is, we could help you better.
Please keep in mind that session base authentication can be annuled using easy methods. E.g. visiting your site through tor or use a proxy every time the login limit has been reached.
You think a hacker is gonna store a session cookie and help you out?
You can't do brute-force protection using sessions. You need application state.
Here's my answer to a previous question: Block request for multiple unsuccessful logins for a period of time
You don't need to write to a file. Foreach time your user tries to login and it returns false. You should add +1 to your _SESSION['count']. Put that code into a function. Your _SESSION['count'] is global so when its 3 your user will be locked out.
I.m looking for a way in Php to have a Redirect expire on a said day.
The use for this is that I'm sharing file on a sever using the code below.
What I like is to have that redirect take them to a page that lets them know there time is up and they can see the Redirect anymore or tell I update the date of expire.
if (test){
---do something---
die("<script>location.href = 'http://file.here.com'</script>");
} else {
return false;
}
I have also try
function BeforeProcessList(&$conn, &$pageObject)
{
$target_date = new DateTime("05-01-2014");
$today = new DateTime();
if((int)$target_date->diff($today)->format('%r%a') >= 0)
{
header("Location: testview_list.php");
exit();
}
}
There are several scenarios for this case but i suggest to use session.
Use additional session to be taken once your privilege period is valid and make sure that you've already insert a date when a user get into that file along with value that indicate this user is allowed , for example,1 so you can change a value to ,for example,0 after specific period and that user will be denied automatically or redirected to another page
I got it to work.
<?php
// has this expired?
$expire_date = "2015-08-25"; // good until Aug 8/15
$now = date("Y-m-d");
if ($now>$expire_date) {
header("Location: http://yoursite.com/outoftime.html");
die();
}
// and now the unexpired part of the page ...
header("Location: http://yoursite.com/fileshare/");
die();
Thanks for the help guys
I need some help with some logic for my buying process on my website.
We have a 4 step buying process: results, customer details, payment details, order confirmation.
The results page simply outputs prices to the screen based on some query string parameters.
I then save lots of information to PHP Sessions variables for later use.
On the 2nd stage, the customer stage, I want to output some of these session variables to the screen which for the most part works.
In my code, one of the first things I do is check the existence of one of the session variables I set on the results page, just to check we are in business and the customers quote info is saving properly.
I have set up warning emails to myself to notify me when a user lands on either the customer or payment stage of the booking process but apparently the first session variable does not exist. I then display a friendly error message asking if they have enabled cookies in their browser.
We seem to be getting a lot of these warnings emails, alarmingly high. It doesn't feel like an accurate statistic of how many customers could arrive without cookies enabled.
The email alerts me of the current URL, the ref URL if there was one, the users IP address, and an output of all Session Vars they have saved (always none of course!)
I'm just stumped what to do next - are these really users or bots hitting the results page without cookies enabled which means they'll fail the test on the next page or could it be something else?
I have session_start() on the top of each of these buying pages so it's nothing like that.
Here's my customer page:
<?php
require_once "../includes/common.php";
$quoteShared = new quoteShared();
// Check if this is a direct page hit
if (requestSession("sessionnumber") == "") {
echo $quoteShared->directHit();
die;
common.php has session_start() at the top.
function requestSession($xParam) {
$value = "";
if (isset($_SESSION[$xParam]))
{
if ($_SESSION[$xParam] != "") {
$value = $_SESSION[$xParam];
}
}
return $value;
}
You can do it in javascript also, this way :
function cookiesAreEnabled()
{
var cookieEnabled = (navigator.cookieEnabled) ? 1 : 0;
if (typeof navigator.cookieEnabled == "undefined" && cookieEnabled == 0){
document.cookie="testcookie";
cookieEnabled = (document.cookie.indexOf("testÂcookie") != -1) ? 1 : 0;
}
return cookieEnabled == 1;
}
BEST WAY PHP
<?php
session_start();
if(!isset($_GET['testing'])){
setcookie('cookietest', 'somevalue', time()+3600);
header("location: cookie.php?testing=1");
}else{
if(isset($_COOKIE['cookietest']) && $_COOKIE['cookietest'] == 'somevalue'){
echo 'cookie enabled';
}else{
echo 'cookie not enabled';
}
}