password time limit

ptryk
(@ptryk)

18 years, 8 months ago

wondering.. (after perusing hte support site.. couldn’t find an answer to this..)

in pluggable-functions.php
there are some values for setting password time limit
setcookie('wordpressuser_'. $cookiehash, $username, time() + 31536000, $cookiepath);

1> .. is the 31536000 .. in miliseconds or seconds!?
2> .. does anyone know if it is as easy to limit the time the cookie is valid by changing this? ..
3> .. is there some standard way (= w/o hacking the php) to lock someone out after the standard 3 attempts?

thanks for any advice/help/personal experience!

Viewing 12 replies - 1 through 12 (of 12 total)

Pizdin Dim
(@pizdin_dim)

18 years, 8 months ago

1. the number is in seconds and should equate to 1 year.
2. yes, changing this to say 2592000 should equate to 30 days instead.
3. no, i don’t believe there is. you will have to hack login.php to keep a track of number of failures.

Thread Starter ptryk
(@ptryk)

18 years, 8 months ago

thanks!!!

Thread Starter ptryk
(@ptryk)

18 years, 8 months ago

1/2> yes, seconds .. yes it was that easy to change.

3> as the admin function seems to reside in login.php .. for posts/pages it seems it is actually located in : template-functions-post.php

let me run this by some of yall.. to build in some type of a 1.. 2.. 3 (more or less) strikes and you are out policy.. i assume the best way would be to create an array that would keep count of the number of tries made from an ip address for each post/page.. per time period. there weould then be a test at query time that would test to see if it was clear for access or not .. any thoughts / vulnerabilities?

Pizdin Dim
(@pizdin_dim)

18 years, 8 months ago

Although I haven’t done this in WP, I have done similar stuff elsewhere, like this:

Use a PHP session variable to keep a track of number of logins. When that exceeds the maximum you will allow, “deactivate” the user. In WP, I think this might be done by changing the user_level column in users table to 0 (zero).

Alex Mills
(@viper007bond)

18 years, 8 months ago

When that exceeds the maximum you will allow, “deactivate” the user. In WP, I think this might be done by changing the user_level column in users table to 0 (zero).

What if someone tries to log into your account 3 times? Then your account will be set to 0 and you’ll loose access to your own blog. That doesn’t sound like a good plan to me…

I’d just blacklist the IP from the login form for X hours + set a cookie that also blocks them.

Pizdin Dim
(@pizdin_dim)

18 years, 8 months ago

What if someone tries to log into your account 3 times? Then your account will be set to 0 and you’ll loose access to your own blog. That doesn’t sound like a good plan to me…

Yes, that’s certainly true and it will be a problem if you don’t have direct access to the MySQL database, either with SSH or something like phpmyadmin.

However, if you have direct database access, it’s actually an excellent security mechanism for exactly the same reasons you outline and that’s why I always do it that way.

Alex Mills
(@viper007bond)

18 years, 8 months ago

Whatever floats your boat, but I wouldn’t find it fun to have to go into my database every 5 minutes and have to re-admin my account if someone tries to login with my username. 🙂

BTW: what’s your blog URL if you have this on your blog? 😉

Thread Starter ptryk
(@ptryk)

18 years, 8 months ago

great comments guys! ..

i guesss I was leaning toward creating a database within wordpress..
(found this as well : http://www.as400pro.com/servlet/sql.tipView?key=1072&category=HTML )

wordpress (database) wp-postprotected (table) post_counter (how many tries .. set in admin options panel.. would be same for all posts/pages ) post_counter_time_in_effect (when would counter reset automatically .. set in admin options panel .. would be same for all posts/pages) post_time_penalty (how long an ip would be blocked .. set in admin options panel .. would be same for all posts/pages) wp-protected_post_id (table) ip_address (table) counter time_of_last_try_failed

so each protected post (posts &/or pages) would have a set of ip_addresses that each has a counter and time that they last tried and failed

sure someone could move to a new ip, etc.. but that seems to be able to be solved through a kind of throttle/choke on the system..e.g. if tries and fails > 10 in 10 min per post then lock down the page for some amount of time.

Pizdin Dim
(@pizdin_dim)

18 years, 8 months ago

Ptryk: I think I may have misunderstood your request: I thought you were talking about the login password but it seems you meant the page password. If that’s the case, forget what I said as it doesn’t really apply. What you’re proposing seems like a good model.

Viper007Bond: No, no blog. I’m talking about custom (typically ecommerce) websites that I build for the client here.

Thread Starter ptryk
(@ptryk)

18 years, 8 months ago

pizdin .. couldn’t the concept work just as well for the admin login? (assuming if the mechanisms were to lock you out you could go into the phpmyadmin? or gain access through ftp / server side?)

Pizdin Dim
(@pizdin_dim)

18 years, 8 months ago

Yes, it could but the “wp-protected_post_id” table would not be applicable. Perhaps another user-based one would be more appropriate. Or you could just do the session/user_level thing.

Thread Starter ptryk
(@ptryk)

18 years, 8 months ago

been looking into how to make this happen.. had a new/different thought: i am thinking that there really is no reason to apply the protection to a specific post/page/login.. why not have it simply track ip’s and if an ip makes say 3 login errors somewhere on the site within say 10 hours then that ip will get blocked from being able to try passwords?

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘password time limit’ is closed to new replies.

password time limit

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics