
Thread: [RESOLVED] Online 'Local' Publication Password Security

  1. #1
    Join Date
    Mar 2007
    Cotswolds, England

    [RESOLVED] Online 'Local' Publication Password Security

    I have been asked by a friend that produces a local online publication (small island) if there is a mechanism to stop registered users (paid a subscription) from passing around passwords to other non-registered users?
    IP addresses were mentioned etc., but I'm not convinced of that method...

    My quickie solution was to auto-generate passwords each month and email the registered user with the new password when the next publication was available. Therefore, stopping password hoarders, but it wouldn't stop users passing on the password.

    Any thoughts?



  2. #2
    Join Date
    Aug 2004
    I believe that most sites which try to control this do it by keeping track of the user's IP, and watching for patterns that indicate likely abuse: basically some frequency of IP address change, particularly changes indicating frequent changes in location (i.e. via an IP-to-location database). The trick here is determining how many changes over what amount of time should be flagged as password sharing versus annoying legitimate users who happen to travel a lot.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  3. #3
    Join Date
    Mar 2007
    Cotswolds, England
    Thanks, it sounds as though I need a Cray Super Computer and a slice of neural networking.

    Perhaps a password, with a time-out period, could be auto-generated and emailed to the registered user's email address. The password could be based upon the submitted IPAddress? Therefore when they try to sign in, the entered password could be verified against the user's connection information, perhaps? lol


  4. #4
    Join Date
    Aug 2004
    Is the publication downloaded to the user? If so, the user could click a link, a token could be generated and saved in the db (uniqid()?), and put into a link emailed to the logged in user's address. Then clicking that link would take them to the download page if it correctly matches the ID saved for them in the DB, after which that ID would be marked as used so that it could not be used again by anyone.

  5. #5
    Join Date
    Mar 2007
    Cotswolds, England


    The PDF version will be available for download a week later than the on-line content. That's a great idea so that they can't forward the email containing the unique link Token.

    Thanks for your replies again,
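The single-use download link suggested in post #4, as an added example that is not code from the thread. The `$store` array is a hypothetical stand-in for the database table, and the 15-minute expiry and the function names are assumptions.

```php
<?php
// Added example: single-use download tokens. $store stands in for a DB table;
// a real table would key on the token hash with a unique index.

function issue_token(array &$store, string $username, int $now, int $ttl = 900): string
{
    // uniqid() is derived from the current time and is guessable, so the
    // token comes from the CSPRNG instead.
    $token = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked table does not hand out working links.
    $store[hash('sha256', $token)] = [
        'user'    => $username,
        'expires' => $now + $ttl,   // assumption: expiry is not in post #4
        'used'    => false,
    ];
    return $token;                  // placed in the emailed link
}

function redeem_token(array &$store, string $token, string $loggedInUser, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;               // token was never issued
    }
    $row = &$store[$key];
    if ($row['used'] || $now > $row['expires'] || $row['user'] !== $loggedInUser) {
        return false;               // replayed, expired, or issued to another account
    }
    // In SQL do this as one UPDATE ... WHERE used = 0 and check affected rows,
    // so two simultaneous clicks cannot both succeed.
    $row['used'] = true;
    return true;
}

// Constructed walk-through.
$store = [];
$t0    = 1700000000;
$token = issue_token($store, 'alice', $t0);

var_dump(redeem_token($store, $token, 'bob',   $t0 + 60));   // another account tries the link
var_dump(redeem_token($store, $token, 'alice', $t0 + 60));   // the subscriber's first click
var_dump(redeem_token($store, $token, 'alice', $t0 + 120));  // the same link clicked again
```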


  6. #6
    Join Date
    Mar 2007
    Cotswolds, England
    Just to complete the thread....

    User clicks the publication edition link.
    Email is created and sent to the user, with a link carrying URL parameters of chksum and end datetime.
    Checksum is based on IPAddress, username and end datetime period (15 minute window).
    User clicks the link within the email, goes through the normal login procedural check, then the checksum is validated and the link is checked to be within its time-out period.

    Thanks for your input.
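One way to build the checksum link described in post #6, as an added example that is not the poster's code. It assumes a keyed HMAC for the "checksum"; `SECRET_KEY`, the `exp` parameter name, the URL and the function names are placeholders.

```php
<?php
// Added example: signed, expiring edition link. SECRET_KEY and the parameter
// names (exp, chksum) are placeholders, not values from the thread.
const SECRET_KEY = 'replace-with-random-bytes-kept-server-side';
const WINDOW     = 900; // the 15-minute window, in seconds

function link_checksum(string $user, string $ip, int $expires): string
{
    // A bare md5/sha1 of these fields can be recomputed by anyone who guesses
    // the recipe; an HMAC cannot be produced without the server-side key.
    return hash_hmac('sha256', implode("\n", [$user, $ip, $expires]), SECRET_KEY);
}

function make_link(string $base, string $user, string $ip, int $now): string
{
    $exp = $now + WINDOW;
    return $base . '?' . http_build_query([
        'exp'    => $exp,
        'chksum' => link_checksum($user, $ip, $exp),
    ]);
}

function verify_link(array $query, string $sessionUser, string $ip, int $now): bool
{
    $exp    = (int) ($query['exp'] ?? 0);
    $chksum = $query['chksum'] ?? '';
    if (!is_string($chksum) || $now > $exp) {
        return false;                       // malformed or past the window
    }
    // Recompute from the logged-in user and the connection's address, never
    // from values in the URL, and compare in constant time.
    return hash_equals(link_checksum($sessionUser, $ip, $exp), $chksum);
}

// Constructed walk-through (addresses are documentation ranges).
$t0  = 1700000000;
$url = make_link('https://example.test/edition.php', 'alice', '203.0.113.7', $t0);
parse_str(parse_url($url, PHP_URL_QUERY), $q);

var_dump(verify_link($q, 'alice', '203.0.113.7', $t0 + 300));   // same user and address, inside window
var_dump(verify_link($q, 'alice', '198.51.100.9', $t0 + 300));  // forwarded link opened from another address
var_dump(verify_link($q, 'bob',   '203.0.113.7', $t0 + 300));   // different logged-in account
var_dump(verify_link($q, 'alice', '203.0.113.7', $t0 + 901));   // after the window
```

Because the address is part of the signed data, a subscriber whose address changes between requesting the email and clicking the link has to request a new one.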

  7. #7
    Join Date
    Jun 2008
    I know of a publication that gets away with a very annoying method...

    IBS Publishing - they publish very specific and useful material for the banking industry. It's also very expensive...

    Anyway, they have a special reader they install via a token which goes into ONE computer and one computer only. The documents cannot be copied nor printed, but must be read online. Nobody else can access them, you cannot take a screenshot.

    This seems to work - I don't recall what system they use.
    It is very annoying to users, but for very expensive and esoteric materials not available anywhere else, this might work.

    As above, you need to also be aware of how much of this your visitors/users will tolerate.

    You should also perhaps consider monitoring sites (with a script) like BugMeNot, where people will post passwords and share login details to sites. Shut down any publicized logins/passwords immediately.

    I have a friend with a dating site that found his logins and passwords posted there!

    Privacy Policy Generator

  8. #8
    Join Date
    Mar 2010
    Quote: "Nobody else can access them, you cannot take a screenshot."
    Sorry for butting in, but out of curiosity, how can they disable the Print Screen (PrtScrn) key on anyone's keyboard or even stop anyone from taking a high resolution digital photo of what's on the screen?

    ps.....maybe I've been watching too many James Bond movies.
    Last edited by tirna; 03-27-2010 at 07:58 PM.

  9. #9
    Join Date
    Aug 2003
    Sydney, Australia
    I'd go back to Nogdog's suggestion and record the IP address.

    We use the following in our CMS, not to stop password sharing, but to offer members an additional layer of security.

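    PHP Code:
    //get the ip address
    //note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers set by the client or a proxy; REMOTE_ADDR is the connecting address
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {   //check ip from shared internet
        $xip = $_SERVER['HTTP_CLIENT_IP']."ip";
    } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {   //check whether ip is passed from proxy
        $xip = $_SERVER['HTTP_X_FORWARDED_FOR']."proxy";
    } else if (!empty($_SERVER['REMOTE_ADDR'])) {   //direct connection
        $xip = $_SERVER['REMOTE_ADDR']."remote";
    } else {   //no address available: record a random placeholder
        $r = rand();
        $xip = "UNKNOWN.".$r;
    }

    $xip is recorded in the user's record, along with their name, password, and an answer to one of ten of those stupid questions (e.g. what was your first dog's name?).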

    If the user logs on from a different IP address to the one recorded, the additional layer of security kicks in and asks them to answer that question. For you, I'd then get the incoming user to answer a different question, which means that even if the next user of the "borrowed" password was to try to log on, they wouldn't have the second answer.

    Also, when the "owner" of the password tries to next log on, because he's now logging on from an ip address that's different to the one used by the "borrower", he's going to be asked a question to which he doesn't know the answer.

    The reality is that even dynamic ip addresses change rarely, so if you tracked the number of times a different ip address was used, you'd be able to pick up users who were sharing passwords.

    Oh Lord, please help me be the person my dog thinks I am.
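The address-change tracking raised in posts #2 and #9, as an added example that is not code from the thread. The login rows, field names, 7-day window and threshold of 3 are constructed; the `ip` field is assumed to hold the connecting address (`REMOTE_ADDR`), since forwarded-for headers can be set by the client.

```php
<?php
// Added example: flag accounts seen from many distinct addresses in a window.
// Field names, window and threshold are assumptions chosen for illustration.

function flag_shared_accounts(array $logins, int $windowSecs, int $maxIps): array
{
    usort($logins, fn($a, $b) => $a['ts'] <=> $b['ts']);
    $recent  = [];   // user => logins still inside the sliding window
    $flagged = [];   // user => highest distinct-address count observed
    foreach ($logins as $l) {
        $u = $l['user'];
        $recent[$u][] = $l;
        // Drop this user's logins older than the window ending at this login.
        $recent[$u] = array_values(array_filter(
            $recent[$u],
            fn($e) => $e['ts'] > $l['ts'] - $windowSecs
        ));
        $distinct = count(array_unique(array_column($recent[$u], 'ip')));
        if ($distinct > $maxIps) {
            $flagged[$u] = max($flagged[$u] ?? 0, $distinct);
        }
    }
    return $flagged;
}

// Constructed login history (addresses are documentation ranges).
$day    = 86400;
$t0     = 1700000000;
$logins = [
    ['user' => 'alice', 'ts' => $t0,             'ip' => '203.0.113.7'],
    ['user' => 'alice', 'ts' => $t0 + 2 * $day,  'ip' => '203.0.113.7'],
    ['user' => 'alice', 'ts' => $t0 + 20 * $day, 'ip' => '203.0.113.40'], // a traveller: one change
    ['user' => 'bob',   'ts' => $t0,             'ip' => '198.51.100.1'],
    ['user' => 'bob',   'ts' => $t0 + 3600,      'ip' => '198.51.100.77'],
    ['user' => 'bob',   'ts' => $t0 + 7200,      'ip' => '192.0.2.15'],
    ['user' => 'bob',   'ts' => $t0 + $day,      'ip' => '192.0.2.200'],
];

print_r(flag_shared_accounts($logins, 7 * $day, 3));
```

The window and threshold are the tuning knobs post #2 describes: set them too tight and travelling subscribers get flagged, too loose and shared logins pass unnoticed.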

  10. #10
    Join Date
    Mar 2007
    Cotswolds, England
    I had to write a similar system where we had to register a copy of the software to a specific machine, hours of fun lol. Interesting about BugMeNot, thanks.

    If you write in a low-level language that supports low-level system interrupts (hooks), anything is possible. Not quite JB, boring though.

    I like the solution. I will definitely use it in the future. The only issue I have is it requires extra input information from users, but for other websites this is an ideal solution.

    Thanks to all.
