Snitz Forums 2000 - Login Flood Control

Snitz Forums 2000

Username:	Password:
Save Password
Forgot your Password?

All Forums

Snitz Forums 2000 MOD-Group

MOD Add-On Forum (W/Code)

New Topic

Reply to Topic

Printer Friendly

Author

Topic

Page: of 2

cripto9t
Average Member

USA
881 Posts

Posted - 03 July 2009 : 13:23:02

Login Flood Control

This mod adds a login flood feature to your forums.

From the Readme

Description

Adds a login flood check to the forums

Users are given a specified number of attempts to login

Users that exceed the limit are redirected to the password recovery page if email is on or a warning page if email is off

Users that exceed the limit must wait a specified amount of time before attempting to login again

If a user tries to login during the waiting period, the waiting period starts all over and they are redirected to the password recovery page or login warning, depending on forum email

There is a grace period between login attempts

Features

Admin on/off switch

Admin sets login attempts

Admin sets waiting period

Admin on/off switch for grace period

Admin sets grace period

It uses session variables to keep track of failed login attempts and hold the delay and grace period times.

Installation: Easy (It took me about 4 minutes useing the Readme)

Download: Snitzbitz

I recommend useing the readme file to install the mod. If you have a problem you can double check your code changes by looking a the reference files, just search the file for "Login Flood to find the changes.

There is some code near the top of the "inc_header.asp" reference file. It is not part of the mod! I left it there for people who wanted to test the functionality of the mod. It gives you an idea of whats going on. It should be removed when you are through testing.

If you have questions ask them here but if you have a problem installing the mod, please start a new topic in the "Help: Mod Implementation" forum. Be sure to mention "login flood" in the title.

Have fun

_-/Cripto9t\-_

Edited by - cripto9t on 03 July 2009 13:33:09

Etymon
Advanced Member

United States
2385 Posts

Posted - 03 July 2009 : 17:08:24

Thank you for the offer, Cripto9t! Looks interesting!

golfmann
Junior Member

United States
450 Posts

Posted - 03 July 2009 : 17:23:34

thanks so much for this one! I don't know if they are bots or hackers or both, but we get hundreds of attempts a DAY sometimes. This oughtta fix em a little...

Edited by - golfmann on 03 July 2009 17:26:01

leatherlips
Senior Member

USA
1838 Posts

Posted - 03 July 2009 : 20:48:23

I've tried the mod and it works as advertised!

However, I have one small problem. I used a demo account to try the login process. I failed on purpose to login in the specified number of attempts. It then takes me to the password recovery page. But then I tried to log in with my admin account and it would not let me. It seemed to think my other account was the same one that failed to log in. Is that a cookie issue?

Also, on your password2.asp page, you need to add the parts in red below:

<%
'##########################################################################
'##                                                                      ##
'## Login Flood Control mod for Snitz Forums                             ##
'##                                                                      ##
'## This is not an original Snitz Forum file                             ##
'##                                                                      ##
'##########################################################################
%>

Edited by - leatherlips on 03 July 2009 20:55:43

leatherlips
Senior Member

USA
1838 Posts

Posted - 03 July 2009 : 21:35:35

Is it possible to have the final failed login attempt go to the password2.asp page even if email is enabled? I want them to know what happened and that they will have to wait. I've already changed my inc_header.asp page to direct them to log in, go to the password recovery page, and to tell them they only have a certain number a tries to attempt to log in.

I did this by changing my inc_header.asp page from this:

Response.Write "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Your username and/or password were incorrect.</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please either try again or register for an account.</font></p>" & vbNewLine
      else
         Response.Write "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>You logged on successfully!</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Thank you for your participation.</font></p>" & vbNewLine
      end if
      Response.Write "<meta http-equiv=""Refresh"" content=""2; URL=" & strReferer & """>" & vbNewLine & _

to this:

Response.Write "<p align=""center""><b><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Your username and/or password were incorrect.</font></b></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please either <a href=""login.asp"">try again</a> or <a href=""policy.asp"">register for an account</a>.</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>If you forgot your password, <a href=""password.asp"">click here</a>.</font></p>" & vbNewLine

      if cLng(intLoginFloodControl) = 1 then
       Response.Write        "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please note that if after " & intLoginAttempts & " login attempts you will have to wait " & intLoginCheckTime & " minutes before trying again.</font></p>" & vbNewLine
      else
      Response.Write       "" & vbNewLine
      end if

         Response.Write "<meta http-equiv=""Refresh"" content=""60; URL=" & strReferer & """>" & vbNewLine
      else
         Response.Write "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>You logged on successfully!</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Thank you for your participation.</font></p>" & vbNewLine
      end if
      Response.Write "<meta http-equiv=""Refresh"" content=""2; URL=" & strReferer & """>" & vbNewLine & _

Note: the part in red is because I have a version earlier than 3.4.07. If you have the newest version, you will want to change that part to register.asp.

Edited by - leatherlips on 04 July 2009 08:36:44

leatherlips
Senior Member

USA
1838 Posts

Posted - 04 July 2009 : 08:29:32

quote:
Originally posted by leatherlips

Is it possible to have the final failed login attempt go to the password2.asp page even if email is enabled?

Well I figured out a way to do it. The easiest thing to do but probably not the best was to change both references to password.asp in inc_func_common.asp to password2.asp.

if cLng(strEMail) = 1 then
                        Response.Redirect("password2.asp")
                    else
                        Response.Redirect("password2.asp")
                    end if

Edited by - leatherlips on 04 July 2009 09:27:57

cripto9t
Average Member

USA
881 Posts

Posted - 04 July 2009 : 09:37:13

You figured it out before I could reply :)

just replace

if cLng(strEMail) = 1 then
                        Response.Redirect("password.asp")
                    else
                        Response.Redirect("password2.asp")
                    end if

with


                        Response.Redirect("password2.asp")

I would suggest adding your message to password.asp. The code is the sub ShowForm() on line 225.

And your other question, it's an asp cookie thing :). The server still thinks you're the same guy that had all the failed attempts. It doesn't check your login info until the wait is over.

That's one purpose of the mod, to slow down login hits by hackers and maybe bots. The other is to remind legitamate users that there is password recovery (if email is on).

Thanks for the bug fix :). That's what happens when I make code changes after testing.

_-/Cripto9t\-_

leatherlips
Senior Member

USA
1838 Posts

Posted - 04 July 2009 : 09:41:39

Thanks for the response.

I have one more question. During the waiting period before you can log back in, if you close the browser and then reopen it you don't have to wait any longer. Is their a way to make the cookie wait the specified period of time even if the user closes and then reopens the browser? I was using IE8.

cripto9t
Average Member

USA
881 Posts

Posted - 04 July 2009 : 09:43:35

quote:
Originally posted by golfmann

thanks so much for this one! I don't know if they are bots or hackers or both, but we get hundreds of attempts a DAY sometimes. This oughtta fix em a little...

Let us know if it slows them down.

_-/Cripto9t\-_

golfmann
Junior Member

United States
450 Posts

Posted - 04 July 2009 : 14:09:20

Seems to have quite a bit ( so far)
Now, if I can only get the same in a regiter version... :)

leatherlips
Senior Member

USA
1838 Posts

Posted - 05 July 2009 : 19:36:28

I need a little help to the modification that I made.

I have this:

Response.Write "<p align=""center""><b><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Your username and/or password were incorrect.</font></b></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please either <a href=""login.asp"">try again</a> or <a href=""policy.asp"">register for an account</a>.</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>If you forgot your password, <a href=""password.asp"">click here</a>.</font></p>" & vbNewLine

      if cLng(intLoginFloodControl) = 1 then
       Response.Write        "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please note that if after " & intLoginAttempts & " login attempts you will have to wait " & intLoginCheckTime & " minutes before trying again.</font></p>" & vbNewLine
      else
      Response.Write       "" & vbNewLine
      end if

         Response.Write "<meta http-equiv=""Refresh"" content=""60; URL=" & strReferer & """>" & vbNewLine
      else
         Response.Write "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>You logged on successfully!</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Thank you for your participation.</font></p>" & vbNewLine
      end if
      Response.Write "<meta http-equiv=""Refresh"" content=""2; URL=" & strReferer & """>" & vbNewLine & _

The part is red is supposed to only work if they did not log in correctly. It seems to work for IE and Opera but when I tried it in Safari and Firefox it did not work. It seemed to instead do the part in green. Do I have the red part in the right place?

Edited by - leatherlips on 05 July 2009 19:44:27

cripto9t
Average Member

USA
881 Posts

Posted - 05 July 2009 : 20:15:46

Put your line before the "end if" above it ;o).

_-/Cripto9t\-_

leatherlips
Senior Member

USA
1838 Posts

Posted - 05 July 2009 : 20:37:47

Hmm. I tried that and it still refreshes after two seconds instead of 60 in Firefox and Safari.

leatherlips
Senior Member

USA
1838 Posts

Posted - 05 July 2009 : 22:10:05

I think I figured it out. It seems to be working correctly now. Here is what I did:

if strLoginStatus = 0 then
         Response.Write "<p align=""center""><b><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Your username and/or password were incorrect.</font></b></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please either <a href=""login.asp"">try again</a> or <a href=""policy.asp"">register for an account</a>.</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>If you forgot your password, <a href=""password.asp"">click here</a>.</font></p>" & vbNewLine
      Response.Write "<meta http-equiv=""Refresh"" content=""60; URL=" & strReferer & """>" & vbNewLine

      if cLng(intLoginFloodControl) = 1 then
       Response.Write        "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Please note that if after " & intLoginAttempts & " login attempts you will have to wait " & intLoginCheckTime & " minutes before trying again.</font></p>" & vbNewLine
      else
      Response.Write       "" & vbNewLine
      end if

      else
         Response.Write "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>You logged on successfully!</font></p>" & vbNewLine & _
               "<p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """>Thank you for your participation.</font></p>" & vbNewLine
         Response.Write "<meta http-equiv=""Refresh"" content=""2; URL=" & strReferer & """>" & vbNewLine
          end if

I moved my part in red to where it is now and I moved the part in green before the "end if".

Edited by - leatherlips on 05 July 2009 22:26:58

richfed
Average Member

United States
999 Posts

Posted - 06 July 2009 : 10:52:42

Question --

After the set number of failed log-in attempts, what exactly does the user see? I would like them to see something very similar to what leatherlips posted above in the 5th post. Is a change to inc_header the only necessary step?

leatherlips
Senior Member

USA
1838 Posts

Posted - 06 July 2009 : 11:03:42

quote:
Originally posted by richfed

Question --

After the set number of failed log-in attempts, what exactly does the user see? I would like them to see something very similar to what leatherlips posted above in the 5th post. Is a change to inc_header the only necessary step?

The way the mod is, after the number of failed log in attempts, the user will see the following:

1. If you have email enabled they will be taken to the your password.asp page.

2. If you have email disable, they will be taken to the password2.asp page which tells them they have exceeded the number of log in attempts and will have to wait the specified period of time.

Page: of 2

Topic

New Topic

Reply to Topic

Printer Friendly

Jump To:

Snitz Forums 2000

This page was generated in 0.2 seconds.