Hello, everyone:
I am wondering if postnuke can check multiple logins under one username/password. I am going to make an ebook site where only paid members can access the books. I don't want to see my current members sharing their passwords with many others. I don't mind if they just tell the password to a couple of friends. I am worried that they will put it on the internet so that thousands of unpaid visitors can access my site.
I want to know if postnuke can check and record the logins of users, so that it can prevent people logging in under the same username from many different places (IPs). Or at least it can give me a report telling me, say, today user A logged in from 100 different IPs.
Is this feature already in current PN release? Or is there a hack for it? Any information would be very appreciated.
Cheers!
Jin
Prevent password trading
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 195
There is/was IP checking built into PN against the sessions, but it is disabled (the code is commented out). The problem is that AOL users seem to send a different IP address with each page request. Something more elaborate is therefore required to keep track of how many times someone is logged on. Also people behind firewalls can give this kind of IP checking a bit of a headache.
It would be nice to be able to select the number of times each user can log in - once, twice, more - even have different levels for different users. It's a common thing to want to do with multi-user applications.
JJ
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jan 27, 2003
- Posts: 4
Thank you for your reply. I think your suggestion about counting each user's login times may be what I am looking for. Is there a mod for this? Or how can I add this function to PN? I am not very familiar with the coding of the whole system. Thanks.
Jin
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 195
I think it needs to start with the design, then some experimentation and prototyping.
It sounds obvious - and perhaps a little facetious - but session handling is a complex matter that is complicated more by the many variations in browsers out there.
Some ISPs, such as AOL, play tricks with the IP addresses, some browsers do not accept cookies and so need a 'sessid=...' query parameter added to each link. Other agents such as bots need to be given session-free access and certainly no 'sessid' query parameter as they would end up in the spidered URL.
On top of this, a user may legitimately be logged on twice from behind a firewall - you can detect this with the session cookies, but if you know it's one person then is it still right to restrict them (probably - but perhaps it should be an option).
Now if a user connects to another machine without first logging out the first - what then? Do they get blocked until the session times itself out? Do they need to reboot the original machine in order to log out? Does logging in from another location automatically end the older session? If so - then someone using the old machine with a session cookie there could play havoc as logged-in sessions keep logging each other out. Perhaps the user should be given a choice: "you are already logged in at xxx: do you want to be logged out, or try again later?"
These are all issues that need to be thought about before touching a line of code. When you do get around to it though, pnSession.php is the main session-handling script.
-- Jason
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jan 27, 2003
- Posts: 4
> judgej
> I think it needs to start with the design, then some experimentation and prototyping.
> It sounds obvious - and perhaps a little facetious - but session handling is a complex matter that is complicated more by the many variations in browsers out there.
Thank you very much for the questions, Jason. I am thinking about these issues, too. But if it doesn't work one way, we can always choose a different approach.
> Some ISPs, such as AOL, play tricks with the IP addresses, some browsers do not accept cookies and so need a 'sessid=...' query parameter added to each link. Other agents such as bots need to be given session-free access and certainly no 'sessid' query parameter as they would end up in the spidered URL.
This one, I don't know what to do about. And it seems PN doesn't deal with this issue, either. If I turn off the cookie setting in my browser, I can't get past the login page. I might be wrong, but I think PN doesn't provide a sessid query parameter when the browser doesn't support cookies.
> On top of this, a user may legitimately be logged on twice from behind a firewall - you can detect this with the session cookies, but if you know it's one person then is it still right to restrict them (probably - but perhaps it should be an option).
We can get around this problem by setting the login limit to, say, 10 in 24 hours, because it's unreasonable for a normal user to log in over 10 times in just 1 day. One way I am thinking is adding a new SQL table to track the user login count and time, then reset the count after 24 hours. I just don't know where I should insert the counting function.
> Now if a user connects to another machine without first logging out the first - what then? Do they get blocked until the session times itself out? Do they need to reboot the original machine in order to log out? Does logging in from another location automatically end the older session? If so - then someone using the old machine with a session cookie there could play havoc as logged-in sessions keep logging each other out. Perhaps the user should be given a choice: "you are already logged in at xxx: do you want to be logged out, or try again later?"
Even if we give a choice, they are still logging each other out. How about this: we check the pn_uid in sessions. If we find one uid is in more than 10 different sessions in the past 24 hours, we will disable the user for a certain time, say 2 days. Here I assume a user should not log in 10 times in one day. So if I find someone is doing that, I will consider that user as hacked and being shared among many people.
> These are all issues that need to be thought about before touching a line of code. When you do get around to it though, pnSession.php is the main session-handling script.
I am also considering the pnUser.php file and I can't decide which one is better for this hack.
Another thing, does PN detect brute force attacks? That is, can PN block the login if someone is trying different passwords without a successful login? I think many hackers are using this method to find the password.
Thank you again for your help.
Jin
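A sketch of the two rules discussed in this post, added here as an example; it is not PostNuke code and is not drawn from pnSession.php or pnUser.php. It implements the counting rule exactly as Jin states it (more than 10 distinct sessions for one uid in 24 hours disables the user for 2 days) and, for the brute force question, a lockout after repeated failed passwords on a username. The brute force thresholds, the class and method names, and the sample timeline are all assumptions; it is written in Python rather than PHP so the logic can be read and run on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Numbers from the post: at most 10 sessions per user in 24 hours,
# offenders disabled for 2 days.
SESSION_WINDOW = timedelta(hours=24)
MAX_SESSIONS = 10
SUSPEND_FOR = timedelta(days=2)
# Brute force thresholds are assumptions; the thread names no numbers.
FAIL_WINDOW = timedelta(minutes=15)
MAX_FAILURES = 5
LOCK_FOR = timedelta(minutes=15)


def _prune(events, cutoff):
    """Drop events older than cutoff in place; events are (timestamp, payload)."""
    events[:] = [e for e in events if e[0] >= cutoff]


class LoginMonitor:
    """Sliding-window bookkeeping: sessions per uid, failures per username."""

    def __init__(self):
        self.sessions = defaultdict(list)   # uid -> [(when, session_id)]
        self.failures = defaultdict(list)   # username -> [(when, None)]
        self.suspended_until = {}           # uid -> datetime
        self.locked_until = {}              # username -> datetime

    def check_password_attempt(self, username, now):
        """Called before verifying a password. False means refuse to check."""
        until = self.locked_until.get(username)
        return until is None or now >= until

    def record_failure(self, username, now):
        """A wrong password. Returns True if the username is now locked."""
        events = self.failures[username]
        _prune(events, now - FAIL_WINDOW)
        events.append((now, None))
        if len(events) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCK_FOR
            events.clear()
            return True
        return False

    def record_login(self, uid, session_id, now):
        """A correct password from a new session. Returns 'ok' or 'suspended'."""
        until = self.suspended_until.get(uid)
        if until is not None and now < until:
            return "suspended"
        events = self.sessions[uid]
        _prune(events, now - SESSION_WINDOW)
        events.append((now, session_id))
        distinct = {sid for _, sid in events}
        if len(distinct) > MAX_SESSIONS:          # Jin's "more than 10" rule
            self.suspended_until[uid] = now + SUSPEND_FOR
            return "suspended"
        return "ok"


def demo():
    """Constructed timeline: one shared account, one password-guessing run."""
    mon = LoginMonitor()
    t0 = datetime(2003, 1, 27, 8, 0)
    # Eleven distinct sessions for uid 42 within two hours: the 11th trips the rule.
    shared = [mon.record_login(42, "sess-%02d" % i, t0 + timedelta(minutes=10 * i))
              for i in range(11)]
    # Thirty hours later the uid is still inside its 2-day suspension.
    next_day = mon.record_login(42, "sess-99", t0 + timedelta(hours=30))
    # Five wrong passwords for "jin" within seconds lock the username.
    guesses = [mon.record_failure("jin", t0 + timedelta(seconds=s)) for s in range(5)]
    locked = not mon.check_password_attempt("jin", t0 + timedelta(minutes=1))
    return shared, next_day, guesses, locked


if __name__ == "__main__":
    print(demo())
```

Two limits of this design are worth noting before wiring it into a login handler. Counting session ids counts reconnects from the same browser too, so a legitimate user who clears cookies or whose ISP rotates addresses looks the same as a shared account (Jason's point above), which argues for an admin review queue rather than an automatic 2-day ban. And a lockout keyed on the username lets anyone lock a member out by entering wrong passwords for them, so the usual compromise is a short lock plus logging, not a long one.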
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 195
Jin,
I won't respond to each of your points - they are all equally valid. What I would say though, is that since there are probably as many variations on accepted 'rules of logging in' as there are people running PN sites, the rules should probably be applied through some plug-in module. I can imagine each new PN user coming up with a new idea in this area; rules could be added to the module and this should not affect the core upgrade options of that user.
No matter how many times someone thinks a legitimate user can log in during any period, there will always be a legitimate user that has very good reasons for doing so. Perhaps some permission setting can be used to reset the counts for certain users or groups of users?
> I might be wrong, but I think PN doesn't provide sessid query parameter when browser doesn't support cookie
That is quite correct. It ought to be available though. I have seen it on some sites - so people have got it working - but I can't for the life of me find those sites again.
Brute force password checking has not been brought up here before, AFAIK. Again, a selection of rules that could be applied would be good. I'm not sure how easy it would be to implement though.
-- Jason
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jun 26, 2009
- Posts: 31
How difficult would it be to make it so the same user cannot be logged in at more than one machine? I mean, PN "knows" who is logged in ("online"), right? Why not prevent someone from logging in with a username that is already logged in? If someone is sharing passwords, especially with a large # of people, there would eventually be multiple simultaneous login attempts. If a message could be sent to the admin when this happens, you could eventually figure out who's guilty and cancel the account. Just a thought... I'd like something like this for my site.
~hhlost
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jun 26, 2009
- Posts: 31
Not sure what you mean frost3r, but if you're saying that my post was off topic, let me clarify:
1) It would be very easy to make the PN system disallow two different people from being simultaneously logged in using the same username and password.
2) This would at least reduce password trading and probably "Prevent password trading".
~hhlost
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jun 26, 2009
- Posts: 6
Has anyone figured out a way to do this? Is there another free/cheap Content Management System that offers this protection? My site is a paysite, and I don't want my users to share their passwords.
Two of the expensive CMSs, membergate and visiongate, offer this protection but the cost is ridiculous: $3500 and $2000, respectively!
I'd love to use postnuke, but I need to have a way to ban password traders. I really just need a way to only allow access to my site from two computers a day. Banning by IP address alone doesn't work because IP addresses change frequently, especially with dial-up customers.
Maybe there's a way to do it with cookies: Create a cookie on the host at login. Allow two logins with no cookie on host. Upon a third login, if there's no cookie that matches that userID, prompt the user that they're suspended for suspected password sharing.
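The cookie idea in the post above, worked through as an added example (not PostNuke code and not from any module mentioned in this thread). At login the server looks for a device token cookie it issued earlier for that user; a login without a matching token counts as a new machine, and the third new machine within 24 hours suspends the account, which is the "two computers a day" limit the poster asks for. Python again, with hypothetical class and method names, a random 32-byte token standing in for the cookie value, and a constructed four-login timeline.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(hours=24)
MAX_NEW_DEVICES_PER_DAY = 2   # the post's "two computers a day"


class DeviceLimiter:
    """Server side of the device-cookie scheme: token -> uid, issues per day."""

    def __init__(self):
        self.devices = {}                 # token -> uid that it was issued to
        self.issued = defaultdict(list)   # uid -> [time each new token was issued]
        self.suspended = set()            # uids flagged for suspected sharing

    def login(self, uid, presented_token, now):
        """Call after the password checks out.

        presented_token is the device cookie the browser sent, or None.
        Returns (decision, token): decision is 'ok' or 'suspended'; token is
        the cookie value the response should set (unchanged for a known device).
        """
        if uid in self.suspended:
            return "suspended", None
        # A cookie we issued to this very uid: known machine, no new slot used.
        if presented_token is not None and self.devices.get(presented_token) == uid:
            return "ok", presented_token
        # No usable cookie: this counts as a new machine in the 24-hour window.
        recent = [t for t in self.issued[uid] if t >= now - DAY]
        self.issued[uid] = recent
        if len(recent) >= MAX_NEW_DEVICES_PER_DAY:
            self.suspended.add(uid)
            return "suspended", None
        token = secrets.token_urlsafe(32)   # unguessable, tied to uid server side
        self.devices[token] = uid
        recent.append(now)
        return "ok", token


def demo():
    """Constructed timeline for uid 7: two machines allowed, the third suspended."""
    lim = DeviceLimiter()
    t0 = datetime(2003, 3, 1, 9, 0)
    d1, tok1 = lim.login(7, None, t0)                        # first machine
    d2, tok2 = lim.login(7, tok1, t0 + timedelta(hours=1))   # same machine again
    d3, tok3 = lim.login(7, None, t0 + timedelta(hours=2))   # second machine
    d4, tok4 = lim.login(7, None, t0 + timedelta(hours=3))   # third machine
    d5, _ = lim.login(7, tok1, t0 + timedelta(hours=4))      # first machine, now blocked
    return [d1, d2, d3, d4, d5], tok2 == tok1, tok3 != tok1


if __name__ == "__main__":
    print(demo())
```

The token only does its job if it travels in an HttpOnly, Secure cookie and is compared server side, as here; the browser never needs to read it. Two consequences follow from the design: a member who clears cookies or uses private browsing burns a device slot each time, so the suspension is better routed to an admin for review than applied as a final ban; and because a cookie can be copied to another machine as easily as a password can be typed there, this raises the effort of sharing rather than preventing it, which is still enough to stop the "posted on the internet for thousands" case the first post worries about.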
- Rank: Developer
- Registered: Dec 31, 1969
- Last visit: Jun 01, 2010
- Posts: 6859
My pnFirst Visit module could be modified to limit the number of logins.
--
Home Page | Find on Facebook | Follow on Twitter
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Jun 26, 2009
- Posts: 6
Thanks for the response.
Limiting the number of logins is not exactly what is needed. I don't care if a user logs in 1 million times per day, as long as it's from the same machine. I want to limit same-ID logins from different machines. Are you saying your module can do this?
- Rank: Developer
- Registered: Dec 31, 1969
- Last visit: Jun 01, 2010
- Posts: 6859
There's no easy way to do it that way; what you may want to look into is a specialty service to host the eBook.
--
Home Page | Find on Facebook | Follow on Twitter