How to throttle login attempts - PHP & MySQL & CodeIgniter
I'd like to be able to throttle login attempts based on failed attempts, but I've got some questions.
Should I use MySQL? (I read that it could strain the DB.)
Should I throttle per user and system-wide, or just system-wide? (So as to stop normal people from guessing passwords.)
How should I calculate the threshold? (So it automatically adapts to changes/growth.)
How should I retrieve the threshold? Query/calculate on every fail, or store it in a cache?
What should I use to throttle? (I read a response saying sleep() could end up straining the server.)
Does anyone have sample code?
I'm quite new at this, so I appreciate the help! Thanks.
I implemented a poor-man's throttling mechanism in phunction using APC alone; this is how I use it:
    // allow 60 requests every 30 seconds
    // each request counts as 1 (expensive operations can use higher values)
    // keep track of IPs by REMOTE_ADDR (ignore others)
    $throttle = ph()->throttle($ttl = 30, $exit = 60, $count = 1, $proxy = false);

    if ($throttle === true) {
        // IP exceeded 60 requests in the last 30 seconds, die() here
    } else {
        // $throttle is a float:
        // number of requests in the last 30 seconds / 30 seconds
        /*
          1 req / 30 = 0,033 sec
          5 req / 30 = 0,166 sec
         10 req / 30 = 0,333 sec
         15 req / 30 = 0,5 sec
         20 req / 30 = 0,666 sec
         25 req / 30 = 0,833 sec
         30 req / 30 = 1 sec
        */
        usleep(intval(floatval($throttle) * 1000000));
    }
I use it on the front-controller and pass the value to the routing method, but that's another story.
The bottom line is that if you use APC you're able to keep things fast in memory, with little memory consumption, because APC follows a FILO methodology. If you need way higher timeouts you may consider using something that's not memory-based, though.
BTW: MySQL supports tables with the MEMORY engine.
The problem with sleep():
A typical Apache web server with PHP installed as a module will eat 10 MB of RAM per instance; to avoid exceeding the available RAM, there are Apache settings you can configure to limit the maximum number of instances Apache is able to start.
The problem is that when you sleep(), the instance is still active, and with enough requests you could end up eating all the available slots to start new servers, rendering the web site inaccessible until the pending requests are completed.
There is no way to overcome this from PHP AFAIK, so in the end it's up to you.
The principle is the same for system-wide throttling:
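    function systemwide($ttl = 86400, $exit = 360)
    {
        if (extension_loaded('apc') === true) {
            // one shared counter for the whole system, keyed by the function name
            if (apc_exists(__FUNCTION__) !== true) {
                apc_store(__FUNCTION__, 0, $ttl);
            }

            $result = apc_inc(__FUNCTION__, 1);

            if ($result < $exit) {
                // below the limit: return the delay in seconds, as a float
                return ($result / $ttl);
            }

            // limit reached within the last $ttl seconds
            return true;
        }

        // APC is not loaded, so nothing is throttled
        return false;
    }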
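
As an added example (not part of the original answer or of phunction): a failed-login counter kept per account and per client IP that rejects with 429 instead of sleeping, which avoids the occupied-instance problem described above. It assumes APCu, the successor to APC, on a single web server; the function names, limits and key format are hypothetical.

```php
<?php
// Added example, not the answerer's code. Assumes the APCu extension
// (apc.enable_cli=1 when run from the CLI); limits are illustrative.
const WINDOW = 900;       // seconds a failure counter lives
const MAX_PER_USER = 5;   // failed logins allowed per account per window
const MAX_PER_IP = 20;    // failed logins allowed per client IP per window

function throttle_key(string $scope, string $id): string
{
    // Hash the identifier so user-supplied names cannot produce oversized keys.
    return "login_fail:$scope:" . hash('sha256', strtolower($id));
}

function failures(string $key): int
{
    $count = apcu_fetch($key, $found);
    return $found ? (int) $count : 0;
}

function record_failure(string $user, string $ip): void
{
    foreach ([throttle_key('user', $user), throttle_key('ip', $ip)] as $key) {
        apcu_add($key, 0, WINDOW); // creates the counter only if it is absent
        apcu_inc($key);            // atomic increment
    }
}

// Returns [HTTP status, Retry-After seconds or null]. $verify is the
// application's own password check, passed in as a callable.
function handle_login(string $user, string $pass, string $ip, callable $verify): array
{
    if (failures(throttle_key('user', $user)) >= MAX_PER_USER
        || failures(throttle_key('ip', $ip)) >= MAX_PER_IP) {
        return [429, WINDOW];      // reject at once; no instance sits in sleep()
    }
    if ($verify($user, $pass)) {
        apcu_delete(throttle_key('user', $user)); // the IP counter just expires
        return [200, null];
    }
    record_failure($user, $ip);
    return [401, null];
}

// Constructed demo: one account, six wrong guesses from a documentation IP.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$verify = fn ($u, $p) => $u === 'alice' && password_verify($p, $hash);
for ($i = 1; $i <= 6; $i++) {
    [$status] = handle_login('alice', "guess$i", '203.0.113.7', $verify);
    echo "attempt $i: $status\n";
}
```

The caller turns the second array element into a Retry-After header. The counters live in one server's APCu memory, so several web servers would each keep their own counts.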