Closing the browser after 3 failed logins
Sorry, this is a little out of the box, but: Don't do this. There are good reasons why things like window.close() won't work without a prompt. I admit that there are conceivable cases where this might be a good approach, but by bypassing user control measures like this, you will probably end up shooting yourself in the foot, even if the intent is good.
Several ways this shooting can happen:
- You think it's a good idea to do it in your case, but alas, the users don't think so. Even though you were confident that this would be the best usability you have ever thought of.
- The hack includes some things that break something else somewhere. In another browser. In an old version. With a specific browser plugin. With some unusual custom settings.
- A future browser version causes the hack to fail, and you somehow built your interaction model to depend on the hack, even though you were sure that you had an alternative approach in place ... only you didn't, for this one place, because you yourself used the hack and didn't notice that you expected it to always work.
- The hack works great ... but only when you're watching. Under some pretty normal conditions that shouldn't affect it, it suddenly breaks something else, and you end up spending days debugging some weird fringe problem that is ultimately caused by the hack. I mean, this hack wouldn't cause anything like that. It really shouldn't. But it did.
I agree with Ilari Kajaste when he says, "Don't do it." The last thing the user wants is unsafe behavior. I've never come across a website that closes a window after invalid login attempts, so it's almost certainly going to confuse your users. Secondly, it will destroy any history the user has in their back button, which might interfere with some users.
When you get multiple failed logins, you can prevent them from logging in for a certain period of time (say 10 minutes). You can do this by saving the time of the third invalid login to your database and checking on subsequent logins how much time has passed since their last attempt. If it's under your threshold, you don't even check the password. Just make sure you explain that someone cannot log in for 10 minutes after 3 failed logins.
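An added example of the server-side lockout the answer above describes, and of the "too many login attempts, please try again in ..." message suggested in the next one. This is not code from the thread; it keeps an in-memory per-account record standing in for the database column, records the time of the failure that crossed the threshold, and refuses to check the password at all while the lockout is active. The threshold, the 10-minute window, the PBKDF2 hashing and the sample account are all choices made for this example.

```python
"""Login lockout after repeated failures (added example, not from the thread)."""
import hashlib
import hmac
import math
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 3            # the third failed login triggers the lockout
LOCKOUT_SECONDS = 10 * 60   # the "say 10 minutes" from the answer


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None   # time of the failure that crossed MAX_FAILURES


@dataclass
class LoginThrottle:
    credentials: Dict[str, Tuple[bytes, bytes]]          # username -> (salt, digest)
    clock: Callable[[], float] = time.time               # injectable so tests can advance time
    state: Dict[str, AccountState] = field(default_factory=dict)
    _dummy: Tuple[bytes, bytes] = field(init=False, repr=False, default=(b"", b""))

    def __post_init__(self) -> None:
        # Hashed for unknown usernames so a lookup miss costs the same time as a real check.
        self._dummy = hash_password(os.urandom(8).hex())

    def seconds_until_unlock(self, username: str) -> int:
        """0 if a login attempt is allowed now, otherwise remaining lockout seconds.
        Use this to build the 'try again in N seconds' message."""
        acct = self.state.get(username)
        if acct is None or acct.locked_at is None:
            return 0
        remaining = acct.locked_at + LOCKOUT_SECONDS - self.clock()
        if remaining <= 0:
            self.state[username] = AccountState()   # lockout expired: start the count afresh
            return 0
        return math.ceil(remaining)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. Show the same message to the user for
        'invalid' whether or not the username exists."""
        if self.seconds_until_unlock(username):
            return "locked"                      # password deliberately not checked
        acct = self.state.setdefault(username, AccountState())
        salt, digest = self.credentials.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        if username in self.credentials and hmac.compare_digest(candidate, digest):
            self.state.pop(username, None)       # success clears the failure count
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_at = self.clock()
        return "invalid"


if __name__ == "__main__":
    # Constructed sample account; the fake clock lets us skip the 10 minutes.
    now = [1_000_000.0]
    throttle = LoginThrottle({"alice": hash_password("correct horse")}, clock=lambda: now[0])
    for _ in range(3):
        print(throttle.login("alice", "wrong"))          # invalid x3
    print(throttle.login("alice", "correct horse"))       # locked (right password, not checked)
    print("retry in", throttle.seconds_until_unlock("alice"), "s")
    now[0] += LOCKOUT_SECONDS
    print(throttle.login("alice", "correct horse"))       # ok
```

The counter is keyed by account rather than by client IP, so an attacker rotating addresses still hits the lockout, while a legitimate user behind a shared address is not locked out by a stranger's failures. The flip side is that a third party can lock a known account out on purpose; a fixed, short window and a clear "try again in N seconds" message keep that nuisance bounded.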
- Protect against further login attempts on the server.
- Either redirect to the error page as Dorhan mentioned, or display the message "sorry, too many login attempts, please try again in an hour" on the login page rather than in the login / password field.
As SEO tells us, you really never want to force a user away from your site; in SEO terms that is called lost return on investment, the opposite of what you do SEO for. :P Redirecting to another page on your own site is definitely preferable.