Are there best practices for implementing anti-bot measures in login forms compared to contact forms in PHP applications?

Implementing anti-bot measures in login forms is crucial to prevent automated attacks on your application. Some best practices for implementing these measures include using CAPTCHA, honeypot fields, and rate limiting. In comparison, contact forms may not require the same level of security, but implementing some basic anti-bot measures can still be beneficial.

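// Example of implementing a CAPTCHA in a login form
session_start();
$secretKey = "YOUR_SECRET_KEY";
$captchaPassed = false; // Fail closed: a missing or unverifiable token counts as a failure
if (!empty($_POST['g-recaptcha-response'])) {
    // POST keeps the secret out of the request URL and URL-encodes the user-supplied token
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query([
            'secret'   => $secretKey,
            'response' => $_POST['g-recaptcha-response'],
        ]),
        'timeout' => 5,
    ]]);
    $response = file_get_contents("https://www.google.com/recaptcha/api/siteverify", false, $context);
    $responseKeys = $response !== false ? json_decode($response, true) : null;
    $captchaPassed = is_array($responseKeys) && ($responseKeys["success"] ?? false) === true;
}
if (!$captchaPassed) {
    // CAPTCHA verification failed, handle accordingly
} else {
    // CAPTCHA verification successful, proceed with login
}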

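// Example of implementing a honeypot field in a contact form
// "website" is the honeypot: hide it from real users (e.g. with CSS) so only bots fill it in
if (!empty($_POST['website'])) {
    // Honeypot field is filled, likely a bot submission
} elseif (empty($_POST['email'])) {
    // Required field is missing, treat as an ordinary validation error
} else {
    // Honeypot field is empty, proceed with form submission
}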

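// Example of implementing rate limiting in a login form
// Note: session data is tied to a cookie the client controls, so a bot that
// discards its cookie starts a fresh count; keep the counter in a server-side
// store (database, cache) for real enforcement.
$ip = $_SERVER['REMOTE_ADDR'];
$loginAttempts = 3; // Number of allowed login attempts
$expirationTime = 60; // Time in seconds for rate limiting
$currentTime = time();
$loginAttemptsKey = 'login_attempts_' . $ip;
$lastAttempt = $_SESSION['last_login_attempt'] ?? 0;

// Start a new count on the first attempt or once the rate-limit period has passed
if (!isset($_SESSION[$loginAttemptsKey]) || $currentTime - $lastAttempt >= $expirationTime) {
    $_SESSION[$loginAttemptsKey] = 1;
} else {
    $_SESSION[$loginAttemptsKey]++;
}
$_SESSION['last_login_attempt'] = $currentTime;

if ($_SESSION[$loginAttemptsKey] > $loginAttempts) {
    // Rate limit exceeded, handle accordingly
} else {
    // Proceed with login attempt
}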
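
The session counter above sits behind a cookie the client controls, so this added example (not part of the original answer) keeps the failure count in a server-side store instead. The SQLite table, the function names, the `ip:`/`user:` bucket keys and the sample values are assumptions made for illustration.

```php
<?php
// Added example: table, function and bucket names are assumptions for this sketch.
// Needs pdo_sqlite built against SQLite 3.24+ (ON CONFLICT ... DO UPDATE).
function throttleInit(PDO $db): void {
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
        bucket TEXT PRIMARY KEY, failures INTEGER NOT NULL, window_start INTEGER NOT NULL)');
}

// Seconds the caller must wait before the next attempt; 0 means allowed.
function throttleRetryAfter(PDO $db, string $bucket, int $max, int $window, int $now): int {
    $stmt = $db->prepare('SELECT failures, window_start FROM login_failures WHERE bucket = ?');
    $stmt->execute([$bucket]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int)$row['window_start'] >= $window) {
        return 0; // nothing on record, or the window has expired
    }
    return (int)$row['failures'] >= $max ? (int)$row['window_start'] + $window - $now : 0;
}

// Count one failed login atomically; an expired window restarts at 1.
// CAST is needed because execute() binds every value as a string.
function throttleRecordFailure(PDO $db, string $bucket, int $window, int $now): void {
    $db->prepare('INSERT INTO login_failures (bucket, failures, window_start) VALUES (?, 1, ?)
        ON CONFLICT(bucket) DO UPDATE SET
          failures = CASE WHEN excluded.window_start - window_start >= CAST(? AS INTEGER)
                          THEN 1 ELSE failures + 1 END,
          window_start = CASE WHEN excluded.window_start - window_start >= CAST(? AS INTEGER)
                              THEN excluded.window_start ELSE window_start END')
       ->execute([$bucket, $now, $window, $window]);
}

// Demo with constructed values: in-memory database, documentation-range IP, fixed clock.
$db = new PDO('sqlite::memory:');
throttleInit($db);
$buckets = ['ip:203.0.113.7', 'user:alice']; // throttle per source address and per account
$now = 1700000000;
for ($i = 1; $i <= 5; $i++, $now += 5) {
    // The longest wait across all buckets decides whether this attempt may proceed
    $wait = max(array_map(fn($b) => throttleRetryAfter($db, $b, 3, 60, $now), $buckets));
    if ($wait > 0) {
        echo "attempt $i: blocked, retry in {$wait}s\n";
        continue;
    }
    foreach ($buckets as $b) { // assumed: the password check failed
        throttleRecordFailure($db, $b, 60, $now);
    }
    echo "attempt $i: allowed, failure recorded\n";
}
```

In a real login handler the bucket keys would come from `$_SERVER['REMOTE_ADDR']` and the submitted username, `$now` from `time()`, and the database from a file or shared server rather than memory.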