i want to block a user after three successive wrong password entry

i am working on my first web based project.so i m using simple servlets,jsp and html.
when a user logins ,he needs to provide a unique userid and password which is stored in db(mysql).
if the user entries a wrong password lets say 2 times and in third attempt he enters a different userid and again enters the wrong password then it should not block.
so three chances should be given to a particular userid.

suggest me the code.

Ideally, you can store this information in the session variable and see how many times the user tries to login, and then automatically fail him when he tries for the third time.
But this logic will fail if he/she tries to login everytime from a different instance of a browser [i mean, try loggin in once, close the broser, open it again, and then try]. hence you need to record the attampts in some persistant device, like the database. Does your db design have a provision for this ?

actually in my db i have two fields userid and password.
when user logins then first its userid is checked then its password is checked.
can you explain me through a code snippet

What I mean was, is there a field or some-composite field which would let me know how many wrong attempts has been made by the user....

actually let me explain you what i am doing

1>at my servlet the password and userid is extracted and stored in a bean class.
2>now i am sending the object of that bean class to another class called DAO(data access object)
3>when the userid is verified then again i start the session and send to another method of DAO class called passchek for password verification
4>when password is wrong then i invalidate the session and increment a static counter variable in the servlet.if counter=3 the i block the user

"static counter variable" sounds wrong - how would you handle multiple simultaneous users who have different numbers of invalid attempts? I think an additional field in the DB that keeps track of the number of *consecutive* unsuccessful login attempts would make sense. Remember to reset it to 0 after a successful login. You can also use that to block a user after too many unsuccessful attempts (if the value is 3, block the user).

Note that there is a problem with this approach that you need to think about. What if user "susann" mistypes her username as "susan" and tries to log in 3 times? If user "susan" also exists, then her account is now locked through no fault of her own. This would also constitute a denial-of-service attack if "susann" did that on purpose. Food for thought...

Saurabh.... it would be the same servlet that would service the requests for all users, not just the one you mean to track. So if you are maintaining a static variable in the servlet, how would you know that the stats captured are for which user ? hence that practice should be completely abandoned. You should probably look into this situation at a DB level.

can you suggest some trick....because i have been thinking over it since yesterday.
and because i am a newbie in java so i need your help

Two ways, that suddenly come to my mind :

1) If your DB design is not yet complete/not yet baselined, please make modifications so that you can keep track of how many times a user [based on his/her username] tried logging in without success.
2) Create a singleton class which wraps a Map implementation, which will keep track of the same, and update the values in that.

Item 2 will save you on time, since you dont have to keep updating a DB everytime, and hence improving on performance. But at the same time, if your userbase is huge, you can end up creating
a rather enormous Map. Choose any of this [or any better solution] based on the exact business requirements you have [ie user base, performance requirements etc.]

Either way, you need to turn the counter to zero, once the user was able to log in successfully.

dawn can you please explain me how to use singleton class in this case.

Don't get hung up on the singleton - just create a Map in the servlet's init method that stores the (username -> number of unsuccessful login attempts) pairs.

Ulf Dittmer wrote:Don't get hung up on the singleton - just create a Map in the servlet's init method that stores the (username -> number of unsuccessful login attempts) pairs.

Ulf, Why we need to have a map and which is created in init method? Rather why we need to stores these details??