What would be the best way to keep track of how many times the user has attempted to log in? I.e. session data, database, temp file, or other?
Database would be best. Session wouldn't work, as the session is specific to the browser; if the attacker cleared their cookies between each attempt, your system would never count more than one failure. A temp file could work if you really don't want to use a database, but this sort of thing is really what databases are for.
I'd advise the following:
For immediate tracking, I'd opt for using a session variable. This is a fair trade-off as opposed to using files and databases. But it is only good for short-term tracking. That is, until the user leaves the browser or until the session times out.
For permanently keeping the records of log attempts, it is always best to go for the database approach. I usually have a separate table that tracks things like the IP, UserID, Date and Time, and add a CAPTCHA to strengthen the whole thing.
I believe using the database table is more efficient and easier to implement than using an external file. This is because you'd have to store the file in a safe location and set permissions to prevent bots and other programs from reading them. That's extra work.
Depends on how long you want to keep that information. If it's only useful for a limited period of time, keep it in session data. If you need to store it for more time, use files (or a database). But remember that one isn't a user until he performs the login correctly, so you should save at least the IP address in order to identify such login attempts.
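The database approach the answers recommend, as an added sketch that is not part of any answer above: attempts are stored server-side with the submitted name, IP and time, so clearing cookies between tries does not reset the count. The table and column names, the 15-minute window and the limit of 5 are assumptions, and SQLite stands in for whatever database the site uses.

```python
import sqlite3

WINDOW_SECONDS = 15 * 60  # assumed policy: look back 15 minutes
MAX_FAILURES = 5          # assumed policy: throttle at 5 failures in the window

def open_store(path=":memory:"):
    """Create the attempts table (hypothetical schema: name, IP, time, outcome)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS login_attempts (
            id           INTEGER PRIMARY KEY,
            username     TEXT    NOT NULL,  -- as submitted; may not be a real account
            ip           TEXT    NOT NULL,
            attempted_at INTEGER NOT NULL,  -- Unix time in seconds
            success      INTEGER NOT NULL   -- 1 = logged in, 0 = failed
        );
        CREATE INDEX IF NOT EXISTS idx_attempts_user ON login_attempts(username, attempted_at);
        CREATE INDEX IF NOT EXISTS idx_attempts_ip   ON login_attempts(ip, attempted_at);
    """)
    return conn

def record_attempt(conn, username, ip, success, now):
    """Store one attempt server-side; nothing here depends on the client's cookies."""
    with conn:  # commit on success, roll back on error
        conn.execute(
            "INSERT INTO login_attempts (username, ip, attempted_at, success) VALUES (?, ?, ?, ?)",
            (username.lower(), ip, int(now), int(success)),
        )

def recent_failures(conn, column, value, now):
    """Count failed attempts for one username or one IP inside the window."""
    if column not in ("username", "ip"):  # column name is never taken from user input
        raise ValueError(f"unsupported column: {column}")
    row = conn.execute(
        f"SELECT COUNT(*) FROM login_attempts WHERE {column} = ? AND success = 0 AND attempted_at > ?",
        (value, int(now) - WINDOW_SECONDS),
    ).fetchone()
    return row[0]

def is_throttled(conn, username, ip, now):
    """True if either the targeted account or the source IP has hit the limit."""
    return (recent_failures(conn, "username", username.lower(), now) >= MAX_FAILURES
            or recent_failures(conn, "ip", ip, now) >= MAX_FAILURES)

if __name__ == "__main__":
    db, t0 = open_store(), 1_700_000_000  # constructed timestamps and addresses
    for i in range(5):  # five failures against one account, each from a "fresh" client
        record_attempt(db, "alice", f"203.0.113.{i}", False, t0 + i)
    print(is_throttled(db, "alice", "203.0.113.99", t0 + 10))  # account-level count applies
```

Counting per username and per IP separately covers both cases the answers raise: many clients guessing at one account, and one address trying many names before any of them is a logged-in user.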