www.webdeveloper.com

Thread: block username sharing

  1. #1
    Join Date
    Aug 2006
    Posts
    76

    block username sharing

    What's a good way to track if a person is giving away his username and password to everybody?

    What can I do to account for dynamic IPs?

    Thank you

  2. #2
    Join Date
    Dec 2005
    Posts
    2,984
    Can't do anything with IPs...it's not fair to the user. If I buy a username and password to your site from where I live (Canada), go on a business trip to China and try to log in from internet access in that country, then shouldn't I be able to log in?

    Reasonably, the only thing to do is only allow one login with any given username at one time - like most member sites.

    Now if you get several 'successful' (e.g. correct password) requests from multiple IP addresses with a given username, while that given username is already logged in, then you can always ban it.
    I've switched careers...
    I'm NO LONGER a scientist,
    but now a web developer...
    awesome.

  3. #3
    Join Date
    Jul 2009
    Location
    Falls Church, Va.
    Posts
    780
    Bear in mind that people visiting from office LANs can go through a proxy with a single WAN IP, so technically be careful about banning unless it's blatantly obvious there is trouble.

    One approach to seeing if an account is being blatantly shared is to note the login time and geo-location of their IP such as country of origin and/or state/city. If two users log in at roughly the same time, one from Canada and the other from China, common sense says it's unlikely it's one person. Just remember the limitations of banning by IP as noted earlier. Write a script that runs via cron daily, or one that prints a report and/or allows you to delete/ban those accounts. You'd geo-locate their IP and store the info in a database at registration and each login.

    This is an excellent API to help you geo-locate any IP, far better than installing a server resident script and database you'd need to maintain on your own to do the same as the API.

    Personally, prevention is the best approach. Everything from SSL/TLS to captcha to proper SQL injection prevention where necessary to session control techniques making sure an account can only be logged in once and sensibly idles out, etc. etc.

    -jim
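
    The daily report described in the post above, sketched as an added example (not code from the thread). It assumes each stored login already carries a place name and coordinates from whatever geo-IP lookup is used; the tuple layout, the two thresholds and the sample rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner speed
MIN_KM = 100.0   # assumed floor: geo-IP is city-level at best, so ignore short hops

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def sharing_report(logins):
    """Map username -> [(from_place, to_place, km, kmh)] for implausible consecutive logins."""
    by_user = defaultdict(list)
    for user, ts, place, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), place, (lat, lon)))
    report = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        hits = []
        for (t0, p0, xy0), (t1, p1, xy1) in zip(rows, rows[1:]):
            km = km_between(xy0, xy1)
            if km < MIN_KM:
                continue  # same metro area: another location within the city, or lookup error
            # Clamp to one minute so simultaneous logins do not divide by zero.
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 60)
            if km / hours > MAX_KMH:
                hits.append((p0, p1, round(km), round(km / hours)))
        if hits:
            report[user] = hits  # for human review, not an automatic ban
    return report

# Constructed sample rows: (username, login time, place, latitude, longitude)
SAMPLE = [
    ("alice", "2010-03-01T09:00:00", "Toronto, CA", 43.65, -79.38),
    ("alice", "2010-03-01T09:20:00", "Beijing, CN", 39.90, 116.40),  # 20 minutes apart
    ("bob", "2010-03-01T08:00:00", "Toronto, CA", 43.65, -79.38),
    ("bob", "2010-03-03T08:00:00", "Beijing, CN", 39.90, 116.40),    # two days apart: a trip
    ("carol", "2010-03-01T10:00:00", "Falls Church, US", 38.88, -77.17),
    ("carol", "2010-03-01T10:05:00", "Washington, US", 38.91, -77.04),
]

if __name__ == "__main__":
    for user, hits in sharing_report(SAMPLE).items():
        print(user, hits)
```

    Only consecutive logins of the same username are compared, so several users arriving from one office proxy IP are never flagged against each other.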

  4. #4
    Join Date
    Dec 2005
    Posts
    2,984
    Yes, I wasn't clear enough when I said 'ban it' - I meant to say ban the user by banning the username. IP banning, as SrWebDeveloper pointed out, is pretty much useless.
    I've switched careers...
    I'm NO LONGER a scientist,
    but now a web developer...
    awesome.

  5. #5
    Join Date
    Aug 2006
    Posts
    76
    Sr,

    Thanks for the reply.

    As for tracking location, the best we could really do is track the city they are in, correct? The user could potentially just be at another location within the city.
