I am trying to figure out a way to stop account sharing on a site that requires a login. To solve this I would want to base it on an individual's machine or IP. I know I could base this on a cookie, which could possibly be deleted, or an IP, which could possibly be dynamic. Is there something that I am not thinking of? As of now I am thinking I would have to base it on a cookie that can only be rewritten so often, combined with an IP.
Is this the only way to handle it, or can someone point me in the right direction?
I would spend time looking into a system for detecting account sharing instead of preventing it. Not only do you not harm your average user logging in from a few locations, but it's also less time consuming and lets you take more accurate action.
You can use your login / visit log for detection: more than one login in 5 minutes with distinct IPs, the IPs used to log in are from broad ISPs, etc. etc.
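As an added example (not code from the answer above), the first rule in Python: the login log is a constructed sample, and an account is flagged when two of its logins fall within 5 minutes of each other from distinct IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: "<ISO timestamp> <user> <ip>" per line.
SAMPLE_LOG = """\
2024-01-10T09:00:00 alice 203.0.113.10
2024-01-10T09:02:30 alice 198.51.100.7
2024-01-10T09:03:10 bob 203.0.113.10
2024-01-10T09:30:00 bob 203.0.113.10
2024-01-10T10:00:00 carol 192.0.2.5
2024-01-10T10:04:59 carol 192.0.2.6
2024-01-10T10:20:00 dave 192.0.2.9
2024-01-10T10:26:00 dave 192.0.2.10
"""

WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Return (datetime, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip = line.split()
            events.append((datetime.fromisoformat(ts), user, ip))
    return sorted(events)


def find_shared_accounts(events, window=WINDOW):
    """Map user -> list of ((t1, ip1), (t2, ip2)) login pairs that happened
    within `window` of each other from different IP addresses."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    hits = {}
    for user, logins in by_user.items():
        for i, (t1, _, ip1) in enumerate(logins):
            for t2, _, ip2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break  # time-sorted, so nothing later can be in range
                if ip1 != ip2:
                    hits.setdefault(user, []).append(((t1, ip1), (t2, ip2)))
    return hits


if __name__ == "__main__":
    for user, pairs in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        for (t1, ip1), (t2, ip2) in pairs:
            print(f"{user}: {ip1} at {t1:%H:%M:%S}, then {ip2} at {t2:%H:%M:%S}")
```

Same-IP repeats (bob) and logins more than 5 minutes apart (dave) are not reported; feed the result into review rather than an automatic lockout, as the answer suggests.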
Well, don't hobble your site without considering the consequences. The same person could be logging in from work or school, IPs can change because of dynamic addressing, etc...
You could force each id to be logged in from a unique location (e.g. record each login in a table where certain fields comprise a unique key, and look for insertion exceptions). A login from a new location while the old location has been recently active could be set either to (a) fail at the new location, or (b) cause a failure at the old location, (c) inform the alternate location, (d) log somewhere. Also, providing a table of where you've logged in from, shown to the user in fine print, together with a blurb on the policy might aid in compliance among "honest" people.
I have a security problem with a user who we've banned over and over. They continuously re-register to the site and use proxies to get around the IP Ban.
We use phpMyAdmin and SQL databases for the user table and already have everyone that registers automatically set to "0", which means they are registered but not an admin.
I was wondering if there is a way to dynamically set this person's user level when they register a new screen name, because they use the same email address every time. We have most of the site protected so that they are required to log in and have a set permission level to see things. So if possible, when they register another login name it automatically sets that specific user ONLY to whatever number I designate and identifies it by the email address they are entering.
Any way to do that, or does anyone have any better ideas?
One idea is to do what craigslist does to people. It is called ghosting. It is a good thing to google. Basically a user thinks they are posting, but no one else ever sees their stuff. When they go to the listing, wow it is there. When they go to the category, it is there.
I realize that CL is quite different than say a chat forum. And the user would be wondering why no one took offense to them calling someone a fatso, live. But for non-interactive, non-realtime environments, they would have no idea they are ghosted. Well, I shouldn't say that. Maybe their friend tells them they can't see it.
If they can pull off the proxy thing, creating a new email address would be a piece of cake. Don't tip them off to the ghosting, let them continue to do their thing, isolate, and ignore (if it is even possible).
Good luck.
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PHP and then check against all of those as the user moves between sites. However, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I don't know what the configuration of your server is, but if one site is under something.domain.com and another under something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use URL rewriting and the cookie-sharing-over-subdomains option in PHP. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great; imagine what would happen if there were. You can NEVER trust user data and header data, while sometimes you cannot even trust the $_SERVER array. So there is no option to recognize the same user over a few domains.
1) The only answer that is useful is to suggest that you share the user MySQL table, and make all the logins and passwords the same for each site. In that case someone can log in to another site using the same data.
2) You can try to rely on second-hand services like a Google account or Facebook account to verify users on your site. But you must remember that there are people without Gmail and Facebook, and the availability of such a site will be reduced.
3) Use a service like evercookie, or something like that, but this is also not 100% sure. It uses HTML5 storage, Flash objects, and everything to verify if this is the same user. But as far as I know, everything can be omitted if you are patient enough.
Best regards!
I am trying to block a user's PC permanently from using my website. Until now what I did is banning the IP address and setting a cookie which will automatically ban the IP address, if it changes. However some tricky users are nevertheless deleting the cookie and resetting their router, so they can write harmful comments on my website. Is there any other way of banning a user, other than with IP ban and cookies?
I read this question: https://stackoverflow.com/questions/3159160/how-to-definitively-ban-a-user-from-my-website-or-almost but it is not what I am looking for.
You could use evercookie, which is a lot harder to get rid of, but identifying individual PCs with certainty is not really possible, and that's a very good thing because it would be the end of privacy.
No, there isn't. Any method you put in place can be worked around. You can identify a previous user by:
IP address - which changes automatically, and can be changed manually with something like Tor
Cookie - which can be deleted easily, as you said above
Login details - which would require you to block commenting for non-registered users, and blocked users could register with new details anyway. You could require pre-approving accounts.
Note that this is a very difficult thing to do. Even the biggest sites struggle with this, StackOverflow included. Ultimately, it's a trade-off between making it easy for good users and difficult for unwanted users; you, as the site owner, have to decide where the optimal experience lies.
One other option is to pay for comments moderation with something like Mechanical Turk or Freelancer.com.
Obviously, 100% authentication is impossible; aside from anything else, someone could just go to an internet cafe or use a friend's computer. But you could try making a few changes to your site if you have a big problem with this:
You could make users sign up to post, and even go so far as to have new users' comments not show up until they are approved, either by yourself or by other trusted users.
You could try hellbanning, which means you flag a user as hellbanned, they can still log in and post etc. but their comments only show up for them no one else.
You could try automatically scanning posts for certain offensive terms (or whatever is relevant in this case) and then automatically delete or hold them until approved manually.
Spam, intentional or otherwise, is a tricky problem, and anyone who completely solves it will likely become very rich.
One idea, often seen in phpBB-like systems, is a role approach. You assign different abilities to guest or visitor users, to registered users, and to trusted registered users. A basic scheme for it would be like this:
Guest
    Requires CAPTCHA
    Requires moderator approval
Registered users
    Requires moderator approval
Trusted registered users
    Can freely post comments
Your CMS affects the way this would be set up. The simplest (assuming it doesn't already support this) would be storing a few extra bits in the database indicating the role and checking that when posting.
Just get the bastard's region with GeoIP functions and set some restriction for this region (for example premoderation/CAPTCHA/etc).
Also you can use "protection" from other services, which is more powerful. For example: connect your site accounts with Facebook accounts and allow commenting only after getting a facebook_id. It's pretty easy to ban a user by facebook_id, and hard and slow for the bastard to create accounts for every ban of yours ;)
I have some ideas about it, but very basic and not complete. I wonder what the best way is to check if the same PC/IP is logged in with two different users and running two instances of my website?
If two users have the same IP, they are either
on the same computer
in the same household, office or company with a shared internet connection
in the same Internet café
This is as far as you can get. Reliably detecting whether two sessions are on the same computer is close to impossible, as there is no metric that could help you tell.
If you want to battle fraud, you will need to use different methods.
First, let the server send a unique token (e.g. csrf token) when the page loads and each time the user interacts. Then, let each user interaction (post or request) include this token (and generate a new one).
When you get unexpected tokens from the same IP address, you apply a second trick: add the mouse event timestamps to the request and log (to the millisecond) the time differences (henceforth dt) between the local server time and the timestamp that came with the token, with a certain error margin for the variation in delay time.
In the case where two instances are running on the same PC, dt will be equal for both unique tokens (that were generated during the most recent interaction or page loading).
On another physical computer, the chance that the dt is the same (even within the error margin) as on another PC on the same IP address is extremely small, so that you have a valid way of testing.
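The clock-offset comparison described in this answer, as an added example in Python (not the answer's own code): each request record carries the session token, the client IP, the client's event timestamp and the server's receive time; tokens on the same IP whose offsets agree within the margin are reported. The request list and the 200 ms margin are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample requests: (token, ip, client_ts_ms, server_ts_ms).
SAMPLE_REQUESTS = [
    ("tok-A", "203.0.113.10", 1_700_000_000_000, 1_700_000_012_345),
    ("tok-B", "203.0.113.10", 1_700_000_005_000, 1_700_000_017_360),  # same clock as tok-A
    ("tok-C", "203.0.113.10", 1_700_000_003_000, 1_700_000_090_100),  # clock off by ~75 s
    ("tok-D", "198.51.100.7", 1_700_000_001_000, 1_700_000_013_350),  # other IP, never paired
]


def clock_offsets(requests):
    """Return {ip: {token: dt_ms}} where dt = server time - client time,
    keeping the latest request seen for each token."""
    offsets = defaultdict(dict)
    for token, ip, client_ts, server_ts in requests:
        offsets[ip][token] = server_ts - client_ts
    return offsets


def same_machine_candidates(requests, margin_ms=200):
    """Pairs (ip, token_a, token_b) sharing an IP whose dt values differ by
    at most margin_ms, i.e. sessions whose client clocks look identical."""
    pairs = []
    for ip, by_token in clock_offsets(requests).items():
        for (ta, dta), (tb, dtb) in combinations(sorted(by_token.items()), 2):
            if abs(dta - dtb) <= margin_ms:
                pairs.append((ip, ta, tb))
    return pairs


if __name__ == "__main__":
    for ip, a, b in same_machine_candidates(SAMPLE_REQUESTS):
        print(f"{ip}: {a} and {b} appear to share one clock")
```

Machines whose clocks are all NTP-synchronised produce near-identical offsets, so the heuristic only separates sessions whose clocks genuinely differ; treat a match as a signal for review, not proof.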
You can check the IP address, user agent, time zone, activated plugins...
To avoid more than one user being logged in from the same computer you can set cookies or transmit a session key on every link. (You have to combine the hash with the IP address and user information you get, because copying the link should not log other users into the account the hash belongs to.)
How do I prevent a user from logging in from 2 locations at the same time? A username and password can only be used by 1 person at the same time.
Please send me the code in PHP.
    <?php
    // Pseudocode: $user and $context stand for the application's own
    // user and request objects; hasOpenSession() must consult the
    // server-side session store, not just the current cookie.
    if (!$user->hasOpenSession()) {
        $user->login();
    } else {
        $context->forwardToForbidden();
    }
Update the users table on login with the IP address and login time. Clear the IP on session timeout or if the user logs out. Check this IP address upon login to make sure it matches up. Only check $_SERVER['REMOTE_ADDR']; you don't want to look at X-Forwarded-For because that could be anything.
Keep a field in the database that keeps track of active sessions. We can give you other pointers, but without more effort and information on your part, it's impossible to provide code.
The problem with restrictions based on the IP address with which the user logged on is that, in some cases, it could be the same legitimate user from the same machine/browser but with distinct IP addresses.
One case (quite rare I suppose) could be a pool of HTTP proxies that would use distinct IP addresses to make requests to your server (even though the actual user/browser/machine is the same). Another case, which I think we might see more and more, is the case of mobile devices: a mobile device could potentially travel and re-associate with different access points and networks, therefore jumping from one IP address to another. In this case, you'd have to force your user to log on again every time. I'm not sure how big this problem is at the moment, but that could be possible for people travelling on trains or similar (depending on how they access their network).
I think a better solution could consist of destroying any other sessions/authentication cookies you have for that user whenever they log on or log out (and perhaps implementing a time-out if they forget to log out).
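An added example (not from any of the answers) of the single-session store that the earlier "unique key plus insertion exceptions" answer and this last answer both describe, in Python with SQLite so it runs stand-alone: one row per user, a second login from another location either fails (policy (a)) or evicts the old session (policy (b), the approach proposed here), and a stale session is replaced silently. The schema, the 600-second activity window and the evict flag are assumptions.

```python
import secrets
import sqlite3
import time

ACTIVE_WINDOW = 600  # seconds since last request before an old session counts as stale


def open_store():
    """In-memory session table; PRIMARY KEY(user_id) allows one live session per user."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE sessions (
        user_id   TEXT PRIMARY KEY,
        token     TEXT NOT NULL UNIQUE,
        ip        TEXT NOT NULL,
        last_seen REAL NOT NULL)""")
    return db


def login(db, user_id, ip, now=None, evict=False):
    """Create a session and return (token, evicted_ip).

    If the user already has a session active within ACTIVE_WINDOW, raise
    PermissionError (policy a) unless evict=True, in which case the old
    session is destroyed and the new one wins (policy b)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    try:
        db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (user_id, token, ip, now))
        return token, None
    except sqlite3.IntegrityError:
        pass  # the insertion exception: a row for this user already exists
    old_ip, last_seen = db.execute(
        "SELECT ip, last_seen FROM sessions WHERE user_id=?", (user_id,)).fetchone()
    if now - last_seen <= ACTIVE_WINDOW and not evict:
        raise PermissionError(f"{user_id} is already logged in from {old_ip}")
    db.execute("UPDATE sessions SET token=?, ip=?, last_seen=? WHERE user_id=?",
               (token, ip, now, user_id))  # the old token stops validating at once
    return token, old_ip


def authenticate(db, token, now=None):
    """True if token is the user's current session; refreshes last_seen."""
    now = time.time() if now is None else now
    cur = db.execute("UPDATE sessions SET last_seen=? WHERE token=?", (now, token))
    return cur.rowcount == 1


def logout(db, token):
    db.execute("DELETE FROM sessions WHERE token=?", (token,))
```

Because requests are validated by token rather than by IP, the mobile and proxy-pool cases described above keep working; the stored IP is only there for display ("where you've logged in from") and review.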