This project was a job interview code test. The challenge was to complete the CakePHP getting started tutorial, extend it to add authentication, and add the functionality to temporarily lock an account for a period of time if the wrong password is entered 3 times; the account should auto-unlock after a defined period. The point was to prevent brute-force access to someone's account.
My solution was done by adding two more columns in the users table: 'attempts' (int) and 'last_attempt' (datetime). Every time a user fails to log in, 'attempts' is incremented by 1 and 'last_attempt' is set to the current time. If 'attempts' is greater than 2, UserController checks whether more than 10 seconds have passed since the last attempt; if so, 'attempts' is set to 0, otherwise the system presents a message informing that the user is blocked. I didn't use session, cookie or the request IP because I believe brute-force attacks can work around these solutions.
Maybe the best solution would be mixing all techniques, but for this test that seemed enough.
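The lockout rule described above, written out as an added example that is not the post's own CakePHP code: the counter and timestamp live on the user row (the 'attempts' and 'last_attempt' columns), the threshold of 3 failures and the 10-second window follow the post, and the password check itself is assumed to come from elsewhere (in CakePHP 3 that would be the result of the AuthComponent identify step). The class is plain PHP so the rule can be unit-tested without the framework; the array standing in for the user entity and the timestamps in the walk-through are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the author's code. Models the lockout rule from the post:
// a user row carries 'attempts' (int) and 'last_attempt' (DateTimeImmutable|null).
final class LoginThrottle
{
    private int $maxAttempts;
    private int $lockSeconds;

    public function __construct(int $maxAttempts = 3, int $lockSeconds = 10)
    {
        $this->maxAttempts = $maxAttempts;
        $this->lockSeconds = $lockSeconds;
    }

    /** True if the account is currently locked; an expired lock is cleared in place. */
    public function isLocked(array &$user, DateTimeImmutable $now): bool
    {
        if ($user['attempts'] < $this->maxAttempts || $user['last_attempt'] === null) {
            return false;
        }
        $elapsed = $now->getTimestamp() - $user['last_attempt']->getTimestamp();
        if ($elapsed > $this->lockSeconds) {
            // Lock window has passed: auto-unlock by resetting the counter.
            $user['attempts'] = 0;
            return false;
        }
        return true;
    }

    /** A failed password check bumps the counter and stamps the time. */
    public function recordFailure(array &$user, DateTimeImmutable $now): void
    {
        $user['attempts'] += 1;
        $user['last_attempt'] = $now;
    }

    /** A successful login clears the counter. */
    public function recordSuccess(array &$user): void
    {
        $user['attempts'] = 0;
        $user['last_attempt'] = null;
    }

    /**
     * One login request. $passwordOk is the outcome of the real password
     * verification (assumed to be done by the framework, e.g. Auth identify()).
     * Returns 'locked', 'ok' or 'bad_password'. Note that the lock check runs
     * before the password result is consulted, so a correct password entered
     * during the window is still refused, and the user row must be saved
     * afterwards for the counter to persist.
     */
    public function attempt(array &$user, bool $passwordOk, DateTimeImmutable $now): string
    {
        if ($this->isLocked($user, $now)) {
            return 'locked';
        }
        if ($passwordOk) {
            $this->recordSuccess($user);
            return 'ok';
        }
        $this->recordFailure($user, $now);
        return 'bad_password';
    }
}

// Constructed walk-through: three wrong passwords lock the account, the right
// password is refused inside the 10-second window and accepted once it expires.
$throttle = new LoginThrottle();
$user = ['username' => 'alice', 'attempts' => 0, 'last_attempt' => null];
$t0 = new DateTimeImmutable('2024-01-01 12:00:00');

foreach ([0, 1, 2] as $i) {
    echo $throttle->attempt($user, false, $t0->modify("+{$i} seconds")), "\n"; // bad_password (three times)
}
echo $throttle->attempt($user, true, $t0->modify('+5 seconds')), "\n";  // locked: 3 seconds since last failure
echo $throttle->attempt($user, true, $t0->modify('+13 seconds')), "\n"; // ok: 11 seconds elapsed, counter reset
echo $user['attempts'], "\n";                                          // 0
```

Two design points worth noticing when wiring this into a controller: a request that arrives while the account is locked neither increments the counter nor moves the timestamp, so the lock expires exactly 10 seconds after the third failure rather than being extended by further guesses, and because the state is stored on the user row rather than in the session or keyed by IP, the limit applies to the account regardless of where the requests come from, which is the property the post is after.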
The project can be tested on: