Sessions are unreliable because they rely on cookies, CAPTCHAs are regularly broken [including ReCAPTCHA]. The only reliable method is deceptively simple: ask a question. Don't use a math question because computers are surprisinglyadept at solving those for some reason. Great old standbys are things like:

会话不可靠，因为它们依赖于 cookie，验证码经常被破坏 [包括 ReCAPTCHA]。唯一可靠的方法看似简单：提出问题。不要使用数学问题，因为计算机出于某种原因非常擅长解决这些问题。伟大的旧备用是这样的：

• What is the fourth word in the sixth paragraph on this page?
• What is the name of the author of this site? [hint]

• 本页第六段的第四个字是什么？
• 这个网站的作者叫什么名字？[暗示]

This is stupid-easy to implement, and very difficult for a machine to solve.

这是愚蠢的 - 易于实现，而机器很难解决。

As for bute-forcing, try adding two fields to your user table, 'first_failed_login' [INTEGERunix timestamp or DATETIME] and 'failed_login_count'. [INTEGER]

至于强制执行，请尝试向用户表中添加两个字段，“first_failed_login” [ INTEGERunix timestamp or DATETIME] 和“failed_login_count”。[ INTEGER]

<?php
$bad_login_limit = 3;
$lockout_time = 600;

$first_failed_login, failed_login_count; // retrieve from DB

if(
    ($failed_login_count >= $bad_login_limit)
    &&
    (time() - $first_failed_login < $lockout_time)
) {
  echo "You are currently locked out.";
  exit; // or return, or whatever.
} else if( /* login is invalid */ ) {
  if( time() - $first_failed_login > $lockout_time ) {
    // first unsuccessful login since $lockout_time on the last one expired
    $first_failed_login = time(); // commit to DB
    $failed_login_count = 1; // commit to db
  } else {
    $failed_login_count++; // commit to db.
  }
  exit; // or return, or whatever.
} else {
  // user is not currently locked out, and the login is valid.
  // do stuff
}

This will make your login system recognize only 3 login attempts per user every 10 minutes.

这将使您的登录系统每 10 分钟仅识别每个用户 3 次登录尝试。

Do not rely on sessions or cookies, those trust the client and you should NEVER trust the client. I made a class that takes care of brute force attack protection in PHP.

不要依赖会话或 cookie，它们信任客户端，您永远不应该信任客户端。我创建了一个类来处理 PHP 中的蛮力攻击保护。

https://github.com/ejfrancis/BruteForceBlocker

https://github.com/ejfrancis/BruteForceBlocker

it logs all failed logins site-wide in a db table, and if the number of failed logins in the last 10 minutes (or whatever time frame you choose) is over a set limit, it enforces a time delay and/or a captcha requirement before logging in again.

它将站点范围内的所有失败登录记录在 db 表中，如果过去 10 分钟（或您选择的任何时间范围）的失败登录次数超过设定的限制，它会强制执行时间延迟和/或验证码要求在再次登录之前。

example:

例子：

 //build throttle settings array. (# recent failed logins => response).

 $throttle_settings = [

         50 => 2,            //delay in seconds
         150 => 4,           //delay in seconds
         300 => 'captcha'    //captcha 
];


 $BFBresponse = BruteForceBlocker::getLoginStatus($throttle_settings); 

//$throttle_settings is an optional parameter. if it's not included,the default settings array in BruteForceBlocker.php will be used

 switch ($BFBresponse['status']){

    case 'safe':
         //safe to login
         break;
     case 'error':
         //error occured. get message
         $error_message = $BFBresponse['message'];
         break;
     case 'delay':
         //time delay required before next login
         $remaining_delay_in_seconds = $BFBresponse['message'];
         break;
     case 'captcha':
         //captcha required
         break;

 }

Try to check that your are dealing with a real browser. Maybe some nasty java script challenges with random function names or something could block a lot of simple scripts, unless they remote control a real browser (which is not that uncommon), or evaluate the js/css correctly in the scraper script.

尝试检查您是否正在处理真实的浏览器。也许一些带有随机函数名称的讨厌的 java 脚本挑战或其他东西可能会阻止很多简单的脚本，除非他们远程控制真正的浏览器（这并不少见），或者在刮刀脚本中正确评估 js/css。

I would recommend to read further on this topic and test your solution against python mechanize or some other well known scraper tools.

我建议进一步阅读有关此主题的内容，并针对 python mechanize 或其他一些众所周知的抓取工具测试您的解决方案。

But one is for sure, there is no real solution against automatic attacks.

但可以肯定的是，对于自动攻击没有真正的解决方案。