Is there any way to prevent a viewer from viewing a certain page more than three times? I'm currently using cookies created with the jQuery Cookie plugin. So far it works well, but I know that the user can simply clear/erase cookies and access the page again. Are there any better alternatives for tracking and preventing users from viewing more than once? Thanks.
You could require that the user authenticate before they can see the page at all. Then on the server side you could track how many times the given authenticated user has requested the page. I doubt that any other mechanism would not be circumventable.
How about capturing users' IP addresses, storing them and using a counter?
You would have to store it server side, probably by IP address in a database.
I'm building a PHP webpage which has a button to download an image. I want to restrict unsigned users to downloading this image 3 times only.
I don't want to use either sessions or cookies because the user can delete his cookies!
I want to use the IP, so I used the $_SERVER global variable, but the problem here is that the IP address is changeable. It's dynamic and changes every period of time.
So what should I do?
Not all IPs are dynamic, this depends on the ISP. Your problem is identifying the user uniquely, which is impossible to do without requiring users to log in. No matter what you use, IPs, cookies, sessions, client side scripts to do browser fingerprinting or store tokens in the localStorage, a skilled user will always manage to get over your protections.
You can only make it difficult for the users:
run a client side script to create a browser fingerprint - https://github.com/Valve/fingerprintjs2 - and send it to the server to help you identify the user
generate a server-side token and send it to the client and store it in the localStorage and send it back to the server
store the IP of the user in the DB
use session / cookies to add an extra layer of security
use a hidden iframe to load code from a different domain you own and add extra cookies from there (sometimes users don't delete all the cookies, just those for your site)
put captchas before the user can download an image so that you're not scraped by bots
Using a combination of all the above will make it annoying for a user to download pictures from your site without creating a user account, but not impossible.
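An added example (not code from the answer above) of the server-side half of the token idea: the download endpoint counts downloads against a signed token the client carries (here in a cookie; a localStorage value sent back in a header works the same way) and records the IP beside it. The PDO connection, the `downloads` table, the cookie name, the secret and the file path are assumptions.

```php
<?php
// Added example: server-side download counter keyed by an HMAC-signed token.
// Assumes a table downloads(token CHAR(32) PRIMARY KEY, ip VARCHAR(45), hits INT).
// DL_SECRET, the cookie name 'dl', the DSN and the image path are assumptions.
const DL_SECRET = 'replace-with-a-long-random-secret';  // assumption: load from config, not source
const DL_LIMIT  = 3;

function signToken(string $id): string {
    return $id . '.' . hash_hmac('sha256', $id, DL_SECRET);
}

// Returns the token id if the MAC is valid, null if the cookie is missing or forged.
function verifyToken(?string $cookie): ?string {
    if ($cookie === null || substr_count($cookie, '.') !== 1) return null;
    [$id, $mac] = explode('.', $cookie, 2);
    $ok = hash_equals(hash_hmac('sha256', $id, DL_SECRET), $mac);  // constant-time compare
    return $ok && ctype_xdigit($id) ? $id : null;
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$id = verifyToken($_COOKIE['dl'] ?? null);
if ($id === null) {                       // first visit, or the cookie was cleared or tampered with
    $id = bin2hex(random_bytes(16));
    setcookie('dl', signToken($id), ['expires' => time() + 365 * 86400,
              'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

$pdo->beginTransaction();                 // row lock so parallel requests cannot exceed the limit
$st = $pdo->prepare('SELECT hits FROM downloads WHERE token = ? FOR UPDATE');
$st->execute([$id]);
$hits = $st->fetchColumn();
if ($hits === false) {
    $pdo->prepare('INSERT INTO downloads (token, ip, hits) VALUES (?, ?, 0)')
        ->execute([$id, $_SERVER['REMOTE_ADDR']]);
    $hits = 0;
}
if ((int) $hits >= DL_LIMIT) {
    $pdo->rollBack();
    http_response_code(429);
    exit('Download limit reached');
}
$pdo->prepare('UPDATE downloads SET hits = hits + 1, ip = ? WHERE token = ?')
    ->execute([$_SERVER['REMOTE_ADDR'], $id]);
$pdo->commit();

header('Content-Type: image/jpeg');
readfile(__DIR__ . '/../private/image.jpg');  // assumption: the image is kept outside the web root
```

As the answer says, clearing the cookie simply yields a fresh token, so this only raises the effort; the IP column and a fingerprint hash can be added to the key to raise it further.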
I am trying to figure out a secure way to limit access to a web based application. It will be used only by a few users for internal company usage and I need a secure way to provide access to the login form only for those few people. I tried doing this by creating a file 'user.txt' and wanted to save it to each personal computer of those future users, so the login page first checks if file_exists and then shows the login form, otherwise it redirects the visitor.. Unfortunately I could not manage with Windows 7 computer permissions or the path to the file, but the script always says the file doesn't exist.. So now, I need to find another way to lock the login page.. Any ideas what is more secure than an IP address? How else can I identify those 5-6 users' computers?
Thanks!
There is no reliable way to identify a particular computer.
The purpose of having a login form in the first place is usually to limit access to select people, and that is usually sufficient.
If you want to go a step further you could use (for authentication) SSL client certificates which would have to be installed on the client computers.
file_exists only works on the server, it can't access files on the user's machine... imagine the security risks that would result in.
Instead, if it's for internal company usage then the obvious first step is to limit access to people on the IP address belonging to the company. You can use $_SERVER['REMOTE_ADDR'] to get that information.
Next, it really doesn't matter how many people access the login form, since they need an account in order to log in. If you create the accounts yourself and require the user to change the password the first time they log in, then there is nothing to worry about.
You could also use HTTP auth to avoid writing extra code for handling login forms. Create a user with some password and distribute them to your internal network users.
Can you use htaccess and htpasswd? This is an easy way to make it safe.
If any site visitor fills the form without logging in to the application, then if he visits the site again from the same PC he should be able to view his last filled information.
But I do not have any idea how to do it. It's a PHP application.
Thanks
Gaurav
You can track a record of the user's IP, so you can use its value when the user is filling up the form.
Cookies are probably the best option, but you could do this with HTML5, JavaScript and local storage.
One possible solution is to save the information that the user provided into a cookie.
But cookies are handled by the browser, and if the user has configured his browser to delete cookies after closing, the info will get lost.
So it depends on the user's browser settings whether it will work.
(http://php.net/manual/de/function.setcookie.php)
Another solution for newer browsers would be to use the DOM Storage as a supercookie.
Or directly store the form information in the local storage.
Both are HTML5 features and not properly implemented in all browsers.
Store the information in cookies. Read those back when the user visits again from the same browser and prefill your form elements.
One possible solution is the use of persistent cookies - they are attached to the browser and outlive sessions and Browser restarts. See https://en.wikipedia.org/wiki/HTTP_cookie#Persistent_cookie
These cookies can be denied and removed if the user wants to.
I am trying to write a PHP page that will load several different websites in different iframes. Several of those sites will need the user to log in. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in).
Now I know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but I was wondering if there's actually any other way to achieve that.
Somebody actually suggested I simulate keypresses and have a JavaScript that will basically go from field to field and essentially type in the username and pass, but after doing some research I don't think that's possible since you can only simulate the event and not the actual keypress so... any other suggestions?
NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!
Thanks -- Mike
That depends.
If those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.
See https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527
A better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). Log in once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.
Or if those pages have different domains but access the same database, then one can just pass the session id as a URL parameter to the iframes rather than as cookies. Then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.
All of which need additional CSRF and XSS checking as session IDs are in the open.
You cannot do what you describe in JavaScript.
However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.
There's a site with registered users area, they all have their own user/pass.
The problem is, some of them try to share the authentication info with others to help them finish their job.
There's no possibility to restrict by IP address because there's a dynamic IP provided for everyone.
What could be the best solution? Store sessions in the database? How to restore if they don't log out properly?
Thanks
I usually let them ping-pong: A custom session_save_handler which stores the session in a database, with an extra field for user-id (session_id char, session_data blob, session_user int or char). A successful login attempt destroys / deletes all other sessions with that specific user-id, and you could even log the number of times this DELETE statement actually deletes rows, with a counter somewhere to block people clearly excessively 'deleting' sessions. People switching computers / locations / browsers can still get work done instantly after login, users sharing authentication will keep on logging each other out, increasing your counter until some arbitrary limit you deem appropriate, in which case you can disable / lock out the account.
If some people are sharing their login/password then there is little you can do.
You could detect that someone is connected from two different locations and then close both sessions, but that wouldn't solve the full problem.
I agree with Loïc Février that there is little you can do when they are sharing logins.
If you really want to restrict user access from multiple locations, when you detect 2 sessions of the same user you could send some sort of a code/passkey thru email and only the real owner of the account could continue.
There is no particularly efficient way. That said, one technique could also be to use a DB to store the last IP used to sign in on an account, ping the DB every X amount of time and if the client IP doesn't match the last IP used to log in, end their session.
You could also track IPs used to access an account, and limit each user to, say, three. If they want another (as may legitimately happen), or if they exceed this amount, you have to be contacted/approve. This is a passive method, but will ensure you are notified of suspected account sharing.
Business solution
Make guidelines that it's not allowed to share logins to anyone. Track all login operations and if you see concurrent access, block the user.
a) The blocked user will call you, crying his login won't work: Give second and last chance. If it's not taken -> tell the boss. If you're the boss -> fire.
b) The blocked user will not call you. I wonder how he could work now. -> tell the boss. If you're the boss -> fire.
Programming solution
On the login screen, set a flag (the IP address?) in the database that the user is logged in at the moment. On logout, reset the flag. If the user is already logged in, don't allow login. If the user does not log out correctly, the flag will still be set, so define a timeout for the flag too. About 5 min should be OK. There would be no gain for anyone in sharing a login, as he would always have to log in again when you perform a check on every page access.
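An added example, not code from any of the answers in this thread, that implements both the database-backed "ping-pong" handler described earlier and the timeout from the programming solution above: a successful login evicts every other session of that user, the evictions are counted and the account is locked past a limit, and idle sessions expire. PHP 8, the PDO connection, the `sessions` and `users` tables, the 5-minute timeout and the eviction limit are assumptions.

```php
<?php
// Added example: single-active-session store with eviction counting and idle timeout.
// Assumes PHP 8 and tables (names are assumptions):
//   sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, user_id INT NULL, last_seen INT)
//   users(id INT PRIMARY KEY, evictions INT, locked TINYINT)
final class DbSessionHandler implements SessionHandlerInterface {
    public function __construct(private PDO $pdo, private int $idle = 300) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false {
        // An idle session is treated as gone even if garbage collection has not run yet
        $st = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND last_seen > ?');
        $st->execute([$id, time() - $this->idle]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;
    }
    public function write(string $id, string $data): bool {
        // user_id is stored beside the blob so sessions can be looked up per user
        $st = $this->pdo->prepare('INSERT INTO sessions (id, data, user_id, last_seen) VALUES (?, ?, ?, ?)
            ON DUPLICATE KEY UPDATE data = VALUES(data), user_id = VALUES(user_id), last_seen = VALUES(last_seen)');
        return $st->execute([$id, $data, $_SESSION['user_id'] ?? null, time()]);
    }
    public function destroy(string $id): bool {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $this->idle]);
        return $st->rowCount();
    }
}

// Call after the password check passed. Returns false if the account is locked.
function loginUser(PDO $pdo, int $userId, int $maxEvictions = 10): bool {
    $st = $pdo->prepare('SELECT locked FROM users WHERE id = ?');
    $st->execute([$userId]);
    if ((int) $st->fetchColumn() === 1) return false;
    session_regenerate_id(true);                       // fresh id; the old row is destroyed
    $st = $pdo->prepare('DELETE FROM sessions WHERE user_id = ? AND id <> ?');
    $st->execute([$userId, session_id()]);
    if ($st->rowCount() > 0) {                         // someone else was logged in as this user
        $pdo->prepare('UPDATE users SET evictions = evictions + ? WHERE id = ?')->execute([$st->rowCount(), $userId]);
        $pdo->prepare('UPDATE users SET locked = 1 WHERE id = ? AND evictions >= ?')->execute([$userId, $maxEvictions]);
    }
    $_SESSION['user_id'] = $userId;
    return true;
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();   // every page does this, so an evicted or expired session reads back as empty
```

Because every page calls session_start() through this handler, the check on each access that the programming solution asks for happens automatically, and a user evicted by a second login is simply sent back to the login form.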