I have been working on login system for my app. After doing some research I saw that the best practice now days might be to lock the user account after some number of failed logins. This will prevent unauthorized users from trying/guessing password multiple times in a row. I'm wondering what would be the best way to implement this feature in my system? I have SQL 2008 to communicate to my database and ColdFusion 2016 on the back end. My query that will check username or IP and maybe sessionID looks like this:
SELECT COUNT(LoginID) AS count
FROM FailedLogins
WHERE LoginUN = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.username#" maxlength="50">
OR LoginSessionID = <cfqueryparam cfsqltype="cf_sql_varchar" value="#SESSION.sessionid#" maxlength="50">
OR LoginIP = <cfqueryparam cfsqltype="cf_sql_varchar" value="#REMOTE_ADDR#" maxlength="20">
I'm not sure if I should be checking sessionID (J2EE session id). Also from the query results above I should be able to check if number of failed logins is 3 or greater then lock account for 5min or if it's 6 failed attempts or more 10min. Is there a good solution to implement this in coldfusion? I'm not sure what would be the best practice for this logic. If anyone can provide some example that would be great. Thank you.