Brute force attack: the attacker tries many passwords using automated scripts.

Solution: Implement a login attempt limiter in order to:

Prevent many login attempts from a single IP address or user account.

Lock the account temporarily or block the IP after repeated failed attempts.

Goal: Enhance authentication security and prevent unauthorized access.

βš™οΈ 2. Database Setup (Optional for Tracking Attempts)
CREATE TABLE login_attempts (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50),
    ip_address VARCHAR(50),
    attempt_time DATETIME DEFAULT CURRENT_TIMESTAMP
);


Stores failed attempts for reference and limit calculation.

🧩 3. PHP Example – Simple Session-Based Limiter
<?php
session_start();

// Max attempts and timeout
$max_attempts = 5;
$lockout_time = 300; // 5 minutes in seconds

// Initialise the per-session counters on the first visit
if (!isset($_SESSION['login_attempts'])) $_SESSION['login_attempts'] = 0;
if (!isset($_SESSION['last_attempt_time'])) $_SESSION['last_attempt_time'] = time();

// Enforce the lockout before any login is processed
if ($_SESSION['login_attempts'] >= $max_attempts) {
    $remaining = $lockout_time - (time() - $_SESSION['last_attempt_time']);
    if ($remaining > 0) {
        die("❌ Too many failed attempts. Try again in $remaining seconds.");
    } else {
        $_SESSION['login_attempts'] = 0; // reset after timeout
    }
}

if (isset($_POST['login'])) {
    $username = htmlspecialchars(trim($_POST['username']));
    $password = $_POST['password'];

    // Dummy check – replace with database verification (password_verify() against a stored hash)
    $correct_password = "secure123";

    if ($password === $correct_password) {
        echo "✅ Login successful!";
        $_SESSION['login_attempts'] = 0; // reset on success
    } else {
        $_SESSION['login_attempts']++;
        $_SESSION['last_attempt_time'] = time();
        echo "❌ Invalid credentials! Attempt ".$_SESSION['login_attempts']."/$max_attempts";
    }
}
?>

<form action="" method="POST">
    <input type="text" name="username" placeholder="Username" required><br><br>
    <input type="password" name="password" placeholder="Password" required><br><br>
    <button type="submit" name="login">Login</button>
</form>


💡 Notes:

Keeps track of failed attempts in session.

Locks user out for a defined timeout period after maximum attempts.

Can be extended to database-based tracking for multi-device protection.
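The database-based extension mentioned in the last note, as an added example that is not code from the original tutorial: it stores failures in the login_attempts table from section 2 instead of the session, so the limit holds across browsers and devices (a client cannot escape it by discarding its session cookie) and it counts failures per account and per IP at the same time. It assumes a PDO connection to MySQL/MariaDB and a `users` table with `username` and `password_hash` columns (the hash produced by `password_hash()`); those are assumptions of this example, not part of the page. It also follows the hashing and prepared-statement advice from the Best Practices section.

```php
<?php
// Added example (not from the original tutorial): a database-backed limiter
// built on the login_attempts table defined earlier on this page.
// Assumptions (not in the original): a PDO connection to MySQL/MariaDB and a
// users table with columns `username` and `password_hash`, where the hash was
// produced by password_hash().

const MAX_ATTEMPTS = 5;   // failures allowed inside the window
const WINDOW_SECS  = 900; // 15-minute window, within the 5-15 minute range recommended

// Count recent failures for this username OR this client IP. Counting both
// covers one attacker hammering one account and one IP spraying many accounts.
function recent_failures(PDO $pdo, string $username, string $ip): int
{
    // WINDOW_SECS is an integer constant, not user input, so interpolating it
    // is safe; the user-controlled values go through bound parameters.
    $sql = 'SELECT COUNT(*) FROM login_attempts
             WHERE (username = :u OR ip_address = :ip)
               AND attempt_time > DATE_SUB(NOW(), INTERVAL ' . WINDOW_SECS . ' SECOND)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':u' => $username, ':ip' => $ip]);
    return (int) $stmt->fetchColumn();
}

function record_failure(PDO $pdo, string $username, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO login_attempts (username, ip_address) VALUES (:u, :ip)'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip]);
}

// On success, clear the user's counter so a legitimate user who mistyped a
// few times is not locked out later by their own earlier failures.
function clear_failures(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('DELETE FROM login_attempts WHERE username = :u');
    $stmt->execute([':u' => $username]);
}

// Returns 'locked', 'ok' or 'invalid'.
function attempt_login(PDO $pdo, string $username, string $password, string $ip): string
{
    if (recent_failures($pdo, $username, $ip) >= MAX_ATTEMPTS) {
        // Refuse before touching the password at all: a locked client must
        // not be able to keep testing guesses while the window is open.
        return 'locked';
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: verify against a throwaway hash anyway so the response
        // time does not reveal which usernames exist.
        password_verify($password, password_hash('unused-dummy-password', PASSWORD_DEFAULT));
        $ok = false;
    } else {
        $ok = password_verify($password, $hash);
    }

    if ($ok) {
        clear_failures($pdo, $username);
        return 'ok';
    }
    record_failure($pdo, $username, $ip);
    return 'invalid';
}

// Usage from a login form handler. REMOTE_ADDR is the TCP peer address; behind
// a reverse proxy, take the client address from the proxy's header only when
// the proxy is trusted, otherwise a client can pick any IP for its counter.
if (isset($_POST['login'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $result = attempt_login(
        $pdo,
        trim($_POST['username'] ?? ''),
        $_POST['password'] ?? '',
        $_SERVER['REMOTE_ADDR']
    );
    // One generic message for both failure cases: the client learns neither
    // whether the account exists nor how many attempts remain.
    echo $result === 'ok' ? 'Login successful' : 'Login failed. Please try again later.';
}
```

Because failures are only counted inside a sliding window, the lockout ends on its own once the oldest failures age out; a periodic `DELETE FROM login_attempts WHERE attempt_time < DATE_SUB(NOW(), INTERVAL 1 DAY)` keeps the table small while leaving enough history for the email notification and CAPTCHA escalation described in the best practices.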

🔑 4. Best Practices

Limit login attempts per IP or user.

Use temporary lockout periods – e.g., 5–15 minutes.

Notify user via email if multiple failed attempts detected.

Combine with CAPTCHA after repeated failures.

Always hash passwords and use prepared statements.

✅ 5. Conclusion

A login attempt limiter is an essential security layer for PHP login systems.

Protects against brute force attacks and unauthorized access.

Combine with password hashing, CSRF tokens, session security, and HTTPS for full security.

🔗 Visit:

👉 https://www.faulink.com/

For more tutorials on PHP, login security, and brute force prevention.