www.webdeveloper.com

Thread: [RESOLVED] Online 'Local' Publication Password Security

  1. #1
    Join Date
    Mar 2007
    Location
    Cotswolds, England
    Posts
    105


    Hi,
    I have been asked by a friend who produces a local online publication (small island) if there is a mechanism to stop registered users (who have paid a subscription) from passing their passwords around to non-registered users.
    IP addresses were mentioned etc., but I'm not convinced of that method...

    My quickie solution was to auto-generate passwords each month and email the registered user with the new password when the next publication was available. Therefore, stopping password hoarders, but it wouldn't stop users passing on the password.

    Any thoughts?

    Thanks,

    Barton.

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,144
    I believe that most sites which try to control this do it by keeping track of the user's IP, and watching for patterns that indicate likely abuse: basically some frequency of IP address change, particularly changes indicating frequent changes in location (i.e. via an IP-to-location database). The trick here is determining how many changes over what amount of time should be flagged as password sharing versus annoying legitimate users who happen to travel a lot.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
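The pattern NogDog describes, as an added example that is not code from the thread (Python rather than the thread's PHP, so it runs stand-alone): a heuristic run over constructed login records that counts distinct /24 networks and countries per account inside a sliding window, and also flags consecutive logins from different countries that are too close together to be one traveller. The thresholds, the sample records and the country column (which a real site would fill from an IP-to-location database at login time) are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records, not real data: (username, UTC time, client IP,
# country the IP resolved to).  A real site would fill the last field from an
# IP-to-location database at login time and store the row in its DB.
SAMPLE_LOGINS = [
    ("alice", "2010-03-01T08:00:00", "203.0.113.10",  "GB"),
    ("alice", "2010-03-02T09:15:00", "203.0.113.10",  "GB"),
    ("alice", "2010-03-20T18:30:00", "203.0.113.11",  "GB"),  # ISP moved her within the same /24
    ("bob",   "2010-03-01T07:00:00", "198.51.100.5",  "GB"),
    ("bob",   "2010-03-01T07:20:00", "192.0.2.44",    "US"),  # 20 minutes later, another continent
    ("bob",   "2010-03-01T15:00:00", "198.51.100.77", "DE"),
    ("bob",   "2010-03-02T21:00:00", "203.0.113.200", "GB"),
    ("carol", "2010-03-05T10:00:00", "198.51.100.9",  "GB"),
]


def network_of(ip, prefix=24):
    """Collapse an address to its /24 so DHCP churn inside one ISP block is not
    counted as a new location (the 'annoying legitimate users' problem)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def flag_sharing(rows, window=timedelta(days=7), max_networks=2,
                 max_countries=2, min_hop=timedelta(hours=6)):
    """Return {username: [reasons]} for accounts whose login pattern looks shared.

    Thresholds are assumptions to be tuned per site:
      max_networks   distinct /24s tolerated inside any `window`
      max_countries  distinct countries tolerated inside any `window`
      min_hop        two consecutive logins from different countries closer
                     together than this are treated as impossible travel
    """
    by_user = defaultdict(list)
    for user, stamp, ip, country in rows:
        by_user[user].append((datetime.fromisoformat(stamp), network_of(ip), country))

    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        reasons = set()

        # Sliding window anchored at each login: how many networks/countries follow it?
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            nets = {net for _, net, _ in in_window}
            countries = {c for _, _, c in in_window}
            if len(nets) > max_networks:
                reasons.add(f"{len(nets)} distinct /24 networks within {window.days} days")
            if len(countries) > max_countries:
                reasons.add(f"{len(countries)} countries within {window.days} days")

        # Impossible travel between consecutive logins.
        for (t0, _, c0), (t1, _, c1) in zip(events, events[1:]):
            if c0 != c1 and t1 - t0 < min_hop:
                reasons.add(f"country changed {c0}->{c1} after only {t1 - t0}")

        if reasons:
            flagged[user] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for user, why in flag_sharing(SAMPLE_LOGINS).items():
        print(user, why)
```

Raising `max_networks` and `max_countries` is exactly the trade-off NogDog mentions: loose enough that a reader who commutes or travels is never challenged, tight enough that one password used from several homes still stands out. The impossible-travel rule is the least tunable of the three, since no legitimate reader logs in from two continents twenty minutes apart.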

  3. #3
    Join Date
    Mar 2007
    Location
    Cotswolds, England
    Posts
    105
    Thanks, it sounds as though I need a Cray Super Computer and a slice of neural networking.

    Perhaps a password, with a time-out period, could be auto-generated and emailed to the registered user's email address. The password could be based upon the submitted IP address? Therefore when they try to sign in the entered password could be verified against the user's connection information, perhaps? lol

    Thanks...

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,144
    Is the publication downloaded to the user? If so, the user could click a link, a token could be generated and saved in the db (uniqid()?), and put into a link emailed to the logged in user's address. Then clicking that link would take them to the download page if it correctly matches the ID saved for them in the DB, after which that ID would be marked as used so that it could not be used again by anyone.

  5. #5
    Join Date
    Mar 2007
    Location
    Cotswolds, England
    Posts
    105


    The PDF version will be available for download a week later than the on-line content. That's a great idea, so that they can't forward the email containing the unique link token.

    Thanks for your replies again,

    Barton.

  6. #6
    Join Date
    Mar 2007
    Location
    Cotswolds, England
    Posts
    105
    Just to complete the thread....

    Solution:
    User clicks the publication edition link.
    An email is created and sent to the user with a link whose URL parameters are a chksum and an end datetime.
    The checksum is based on the IP address, username and end datetime period (15-minute window).
    The user clicks the link within the email; the normal login procedural check runs, then the checksum is validated and the link's time-out period is checked.

    Thanks for your input.
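Posts #4 and #6 together describe a single-use, time-limited download link bound to the user and to the address it was issued for. The example below is added here and is not Barton's or NogDog's code; it is Python rather than the thread's PHP. It uses an HMAC under a server-side key as the "checksum", so that a link cannot be recomputed by someone who merely knows the username, IP and expiry; it keeps the thread's 15-minute window; and it uses an in-memory table standing in for the DB row that marks a token used. The host name, the secret key and the `LinkStore` class are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions (not from the thread): a per-deployment secret held only on the
# server, and an edition URL at a placeholder host.
SERVER_KEY = secrets.token_bytes(32)
EDITION_URL = "https://example.invalid/edition/2010-03.pdf"
LINK_TTL = 15 * 60  # the thread's 15-minute window, in seconds


class LinkStore:
    """Stand-in for the DB table that records each issued token and whether it
    has been used (the 'mark it used' part of post #4)."""

    def __init__(self):
        self.issued = {}  # token_id -> {"user": str, "used": bool}


def _sig(token_id, username, ip, expires):
    # Keyed MAC over everything the link must be bound to.  Because the key is
    # secret, knowing a user's name, IP and the expiry is not enough to forge one.
    msg = f"{token_id}|{username}|{ip}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(store, username, ip, now=None):
    """Called when the logged-in user clicks the edition link; the result is
    what goes into the e-mail."""
    now = int(time.time() if now is None else now)
    token_id = secrets.token_urlsafe(16)
    expires = now + LINK_TTL
    store.issued[token_id] = {"user": username, "used": False}
    query = urlencode({"u": username, "id": token_id, "exp": expires,
                       "sig": _sig(token_id, username, ip, expires)})
    return f"{EDITION_URL}?{query}"


def redeem(store, url, session_user, client_ip, now=None):
    """Run after the normal login check.  Returns (ok, reason); ok is True only
    once per link, only within the window, and only for the account and
    address it was issued to."""
    now = int(time.time() if now is None else now)
    q = parse_qs(urlparse(url).query)
    try:
        user, token_id = q["u"][0], q["id"][0]
        expires, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed link"
    if user != session_user:
        return False, "link was issued to a different account"
    if not hmac.compare_digest(sig, _sig(token_id, user, client_ip, expires)):
        return False, "bad signature: tampered, or different IP than at issue"
    if now > expires:
        return False, "expired"
    record = store.issued.get(token_id)
    if record is None or record["used"]:
        return False, "unknown or already used"
    record["used"] = True  # single use: a forwarded e-mail is worthless once clicked
    return True, "ok"


if __name__ == "__main__":
    store = LinkStore()
    link = issue_link(store, "barton", "203.0.113.10")
    print(link)
    print(redeem(store, link, "barton", "203.0.113.10"))  # (True, 'ok')
    print(redeem(store, link, "barton", "203.0.113.10"))  # (False, 'unknown or already used')
```

The signature is checked before the expiry so that a tampered `exp` parameter is rejected as a forgery rather than honoured. One consequence of binding the link to the client address, as post #6 does, is that a subscriber whose address changes between the e-mail and the click (mobile data, a proxy pool) gets "bad signature" and has to request a new link; dropping `ip` from `_sig` trades that friction for the ability to redeem from anywhere within the window.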

  7. #7
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,096
    I know of a publication that gets away with a very annoying method...

    IBS Publishing - they publish very specific and useful material for the banking industry. It's also very expensive...

    Anyway, they have a special reader they install via a token which goes into ONE computer and one computer only. The documents cannot be copied nor printed, but must be read online. Nobody else can access them, you cannot take a screenshot.

    This seems to work - I don't recall what system they use.
    It is very annoying to users, but for very expensive and esoteric materials not available anywhere else, this might work.

    As above, you need to also be aware of how much of this your visitors/users will tolerate.

    You should also perhaps consider monitoring sites (with a script) like BugMeNot, where people will post passwords and share login details to sites. Shut down any publicized logins/passwords immediately.

    I have a friend with a dating site that found his logins and passwords posted there!

  8. #8
    Join Date
    Mar 2010
    Posts
    2,803
    Quote: "Nobody else can access them, you cannot take a screenshot."
    Sorry for butting in, but out of curiosity, how can they disable the Print Screen (PrtScrn) key on anyone's keyboard, or even stop anyone from taking a high-resolution digital photo of what's on the screen?


    ps.....maybe I've been watching too many James Bond movies.
    Last edited by tirna; 03-27-2010 at 07:58 PM.

  9. #9
    Join Date
    Aug 2003
    Location
    Sydney, Australia
    Posts
    700
    I'd go back to Nogdog's suggestion and record the IP address.

    We use the following in our CMS, not to stop password sharing, but to offer members an additional layer of security.

    PHP Code:
    // get the ip address
    // Note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so the
    // client can send them itself; only REMOTE_ADDR comes from the TCP connection.
    if (!empty($_SERVER['HTTP_CLIENT_IP']))              // check ip from shared internet
    {
        $xip = $_SERVER['HTTP_CLIENT_IP'] . "ip";
    }
    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))  // check ip passed on from a proxy
    {
        $xip = $_SERVER['HTTP_X_FORWARDED_FOR'] . "proxy";
    }
    else if (!empty($_SERVER['REMOTE_ADDR']))
    {
        $xip = $_SERVER['REMOTE_ADDR'] . "remote";
    }
    else
    {
        $r = rand();
        $xip = "UNKNOWN." . $r;
    }
    $xip is recorded in the user's record, along with their name, password, and an answer to one of ten of those stupid questions (e.g. what was your first dog's name?).

    If the user logs on from a different IP address to the one recorded, the additional layer of security kicks in and asks them to answer that question. For you, I'd then get the incoming user to answer a different question, which means that even if the next user of the "borrowed" password was to try to log on, they wouldn't have the second answer.

    Also, when the "owner" of the password tries to next log on, because he's now logging on from an ip address that's different to the one used by the "borrower", he's going to be asked a question to which he doesn't know the answer.

    The reality is that even dynamic ip addresses change rarely, so if you tracked the number of times a different ip address was used, you'd be able to pick up users who were sharing passwords.

    Cheers
    CTB
    Oh Lord, please help me be the person my dog thinks I am.
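The PHP above takes HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR before REMOTE_ADDR. Those two are ordinary request headers, so a client can put whatever it likes in them, and anyone who has borrowed a password could present the owner's recorded address. The Python below is an added example, not ChesterTB's CMS code: it honours the forwarded header only when the TCP peer is one of the site's own proxies (the 10.0.0.0/8 range is an assumption), then applies the post's new-address rule: the same address as last time passes, a new address is challenged with a security question, and each challenge rotates to a different question. The account dictionary and the shortened question list are assumptions.

```python
import ipaddress

# Assumption: the site's own reverse proxy / load balancer lives in this range.
# Only a peer from here is allowed to tell us who the "real" client is.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(server):
    """Resolve the client address from a CGI-style environment such as PHP's
    $_SERVER.  REMOTE_ADDR is the TCP peer and cannot be spoofed; Client-IP and
    X-Forwarded-For are request headers the client itself can send, so they are
    honoured only when the peer is one of our own proxies."""
    remote = ipaddress.ip_address(server["REMOTE_ADDR"])
    if not _is_proxy(remote):
        return remote
    forwarded = server.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    # Each proxy appends the peer it saw, so walk from the right and stop at the
    # first address that is not one of our proxies.  Anything left of that was
    # supplied by the client and is untrusted.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: fall back to the peer
        if not _is_proxy(addr):
            return addr
    return remote


# Assumption: a shortened stand-in for the post's "one of ten questions".
QUESTIONS = ["first dog's name", "first school", "street you grew up on"]


def login_decision(account, ip):
    """Post #9's rule: same address as last time -> allow; a new address -> ask a
    security question, and a different one than was asked at the previous
    address change, so a borrower who learned one answer does not know the next.
    Returns ("allow", None) or ("challenge", question_index).  The account dict
    needs "last_ip", "last_question" and "ip_changes"; the last is the count of
    address changes the post suggests watching for sharers."""
    ip = str(ip)
    if account["last_ip"] == ip:
        return "allow", None
    account["ip_changes"] += 1
    q = (account["last_question"] + 1) % len(QUESTIONS)
    account["last_question"] = q
    return "challenge", q


def record_login(account, ip):
    """Store the address that finally passed (call after a successful challenge)."""
    account["last_ip"] = str(ip)


if __name__ == "__main__":
    # Constructed requests: one direct, one through the proxy with a client-supplied
    # prefix in the header that must be ignored.
    print(client_ip({"REMOTE_ADDR": "203.0.113.10", "HTTP_X_FORWARDED_FOR": "192.0.2.1"}))
    print(client_ip({"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "192.0.2.1, 203.0.113.10"}))
    acct = {"last_ip": "203.0.113.10", "last_question": 0, "ip_changes": 0}
    print(login_decision(acct, "203.0.113.10"), login_decision(acct, "198.51.100.7"))
```

If the site sits directly on the internet with no proxy in front of it, `TRUSTED_PROXIES` should be empty and the function collapses to REMOTE_ADDR, which is the only value the posted snippet could safely have recorded in that setup.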

  10. #10
    Join Date
    Mar 2007
    Location
    Cotswolds, England
    Posts
    105
    @Donatello
    I had to write a similar system where we had to register a copy of the software to a specific machine, hours of fun lol Interesting about BugMeNot, thanks.

    @Tirna
    If you write in a low-level language that supports low-level system interrupts (hooks), anything is possible. Not quite JB, boring though.

    @ChesterTB
    I like the solution. I will definitely use it in the future. The only issue I have is that it requires extra input from users, but for other websites this is an ideal solution.

    Thanks to all.
