PHP Free

PHP Login Rate Limiter (Session Based)

A slightly more production-shaped login limiter that blocks repeated attempts over a lock window, returns consistent responses and gives you a cleaner place to evolve later into database or IP-backed rate limiting.

1 min read 60 lines Intermediate Updated: March 2026

Use case

Authentication hardening

Best for

Admin logins, account systems, portals

Drop-in level

Good starter, evolve later

Stack / dependencies

PHP 8+ Sessions

Compatibility

Traditional login forms AJAX logins

Usage notes

Put this near the top of your login handler, before checking user credentials against the database.

Why this exists

Brute-force protection is often skipped early, but it is one of the easiest wins for basic account hardening.

Integration steps

1 Start the session before running any rate-limit checks.
2 Run the lock check before querying the database.
3 Increment the failure count after a failed login attempt.
4 Reset counters immediately on successful login.
5 Later, move the store to MySQL or Redis if you need per-IP or cross-device controls.

Code snippet

Full version with formatting intact. Use “Copy stripped version” when you want a leaner base.

<?php
declare(strict_types=1);

session_start();

header('Content-Type: application/json; charset=utf-8');

function respond(int $status, bool $ok, string $message, array $extra = []): never
{
    http_response_code($status);
    echo json_encode(array_merge([
        'ok'      => $ok,
        'message' => $message,
    ], $extra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
    exit;
}

$maxAttempts = 5;
$lockSeconds = 15 * 60;
$now         = time();

$attempts    = (int)($_SESSION['login_attempts'] ?? 0);
$lockedUntil = (int)($_SESSION['login_locked_until'] ?? 0);

if ($lockedUntil > $now) {
    $remaining = $lockedUntil - $now;
    respond(429, false, 'Too many attempts. Please wait before trying again.', [
        'retry_after' => $remaining,
    ]);
}

$email    = trim((string)($_POST['email'] ?? ''));
$password = (string)($_POST['password'] ?? '');

if ($email === '' || $password === '') {
    respond(422, false, 'Please enter your email and password.');
}

// Replace this with your real credential check
$loginOk = false;

if (!$loginOk) {
    $attempts++;
    $_SESSION['login_attempts'] = $attempts;

    if ($attempts >= $maxAttempts) {
        $_SESSION['login_locked_until'] = $now + $lockSeconds;
        respond(429, false, 'Too many failed attempts. Please wait before trying again.', [
            'retry_after' => $lockSeconds,
        ]);
    }

    respond(401, false, 'Invalid login details.', [
        'attempts_remaining' => max(0, $maxAttempts - $attempts),
    ]);
}

unset($_SESSION['login_attempts'], $_SESSION['login_locked_until']);

respond(200, true, 'Login successful.');

Implementation notes

Session-backed limiting is simple but only covers a single client session.

For public-facing systems, combine this with IP-based logging and account lock policies.

Always avoid telling attackers whether the username or password was incorrect.

Security notes

Do not reveal whether the username exists.
Use password_hash() and password_verify() for credentials downstream.
Pair this with secure session cookies and CSRF protection on the form.

Related snippets

View all

PHP Free

Secure PHP Contact Form Handler

A more real-world contact form endpoint for bespoke PHP builds. Includes request method enforcement, CSRF validation, anti-bot checks, sane input validation, response helpers and a clean place to wire PHPMailer or your preferred provider.

PHP Free

PDO Bootstrap (db.php pattern)

A stronger db bootstrap for bespoke PHP apps. Uses static reuse, utf8mb4, disabled emulated prepares, clear exception handling and small helper structure that fits shared hosting as well as more advanced setups.

.htaccess Free

Apache Security Headers Snippet

A more practical security header baseline for bespoke sites. Includes strict transport guidance, clickjacking protection, content sniffing protection and a commented CSP starter you can tune later.

← Back to all snippets

Stack / dependencies

Compatibility

Usage notes

Why this exists

Integration steps

Code snippet

Implementation notes

Security notes

Tags

Related snippets

Secure PHP Contact Form Handler

PDO Bootstrap (db.php pattern)

Apache Security Headers Snippet

Cookie preferences