block username sharing
What's a good way to track if a person is giving away his username and password to everybody?
What can I do to account for dynamic IPs?
Can't do anything with IPs...it's not fair to the user. If I buy a username and password to your site from where I live (Canada), go on a business trip to China and try to log in from internet access in that country, then shouldn't I be able to log in?
Reasonably, the only thing to do is only allow one login with any given username at one time - like most member sites.
Now if you get several 'successful' (e.g. correct password) requests from multiple IP addresses with a given username, while that given username is already logged in, then you can always ban it.
Bear in mind that people visiting from office LANs can go through a proxy with a single WAN IP, so technically be careful about banning unless it's blatantly obvious there is trouble.
One approach to seeing if an account is being blatantly shared is to note the login time and geo-location of their IP such as country of origin and/or state/city. If two users log in at roughly the same time, one from Canada and the other from China, common sense says it's unlikely it's one person. Just remember the limitations of banning by IP as noted earlier. Write a script that runs via cron daily, or one that prints a report and/or allows you to delete/ban those accounts. You'd geo-locate their IP and store the info in a database at registration and each login.
This is an excellent API to help you geo-locate any IP, far better than installing a server resident script and database you'd need to maintain on your own to do the same as the API.
Personally, prevention is the best approach. Everything from SSL/TLS to captcha to proper SQL injection prevention where necessary to session control techniques making sure an account can only be logged in once and sensibly idles out, etc. etc.
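A sketch of the daily report described in the post above, added here as an example and not code from any poster in this thread. It assumes each login row already carries the geo-located country and city stored at login time; the row layout, the function name `sharing_report` and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (username, login time, IP, country, city).
# IPs come from documentation ranges; geo data is assumed already stored.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01 09:00", "198.51.100.7", "CA", "Toronto"),
    ("alice", "2024-03-01 09:20", "203.0.113.9", "CN", "Beijing"),
    ("alice", "2024-03-01 09:40", "192.0.2.44", "BR", "Recife"),
    # Business trip: two countries, but two days apart.
    ("bob", "2024-03-01 08:00", "198.51.100.20", "CA", "Ottawa"),
    ("bob", "2024-03-03 08:00", "203.0.113.50", "CN", "Shanghai"),
    # Office proxy: repeated logins behind one WAN IP.
    ("carol", "2024-03-01 10:00", "192.0.2.10", "US", "Austin"),
    ("carol", "2024-03-01 10:05", "192.0.2.10", "US", "Austin"),
    # Same person moving around one metro area: city differs, country does not.
    ("dave", "2024-03-01 11:00", "198.51.100.30", "CA", "Toronto"),
    ("dave", "2024-03-01 11:10", "198.51.100.31", "CA", "Mississauga"),
]


def sharing_report(logins, window=timedelta(hours=1), min_countries=2):
    """Return {username: sorted country codes} for accounts that logged in
    from at least min_countries countries inside any single time window."""
    by_user = defaultdict(list)
    for user, ts, _ip, country, _city in logins:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), country))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span never exceeds the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            countries = {c for _, c in events[start:end + 1]}
            if len(countries) >= min_countries:
                flagged.setdefault(user, set()).update(countries)
    return {user: sorted(c) for user, c in flagged.items()}


if __name__ == "__main__":
    # Report for manual review; banning stays a human decision on the username.
    for user, countries in sharing_report(SAMPLE_LOGINS).items():
        print(f"review {user}: logins from {', '.join(countries)} within 1h")
```

Comparing at country level keeps city-level noise and shared office proxies out of the report; widening the window trades fewer misses for more travellers flagged.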
Yes, I wasn't clear enough when I said 'ban it' - I meant to say ban the user by banning the username. IP banning, as SrWebDeveloper pointed out, is pretty much useless.
Thanks for the reply.
As for tracking location: the best we could really do is track the city they are in, correct? The user could potentially just be at another location within the city.