I am trying to build a subscription system which is only for registered users. Up to the registration stage, I am okay. But I don't want users to share their username and password with others because of the paid content. How can I prevent this?
Check with IP, but what if they are on a dynamic IP? Using a proxy?
Storing cookies? They can be changed?
Can anyone please kindly suggest how I can prevent this? I know there's nothing 100% bullet-proof, but I'd like a somewhat tighter security system.
The languages will be PHP, MySQL and JavaScript.
I recommend a heuristics-based approach: if you detect something suspicious (e.g. a user connecting from many different IPs), you log this and increment a counter in the user's record; if the counter grows big enough, you get a notification and decide what to do.
It won't eliminate all cases of account sharing, but it points you to the problem users.
When your content is paid content, tell the users that they have to enter their credit card information every 10th login. I think this will stop them from sharing accounts. (When the CC information is wrong, the account will be closed.)
Another idea: limit the sessions for one user to 2-3. They will think twice about sharing their credentials if they are not able to log in when their friends are connected.
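As an added example that is not from either of the answers above, the suspicion counter and the 2-3 session cap side by side in PHP; the thresholds and the sample session/login rows are constructed:

```php
<?php
// Added example, not code from the answers above: the heuristic counter and the
// session cap from this thread, for one user. Thresholds and the session/login
// rows are constructed; a real site would read them from its sessions and
// logins tables and keep the suspicion counter in the users row.

const MAX_ACTIVE_SESSIONS = 2;      // 2-3 as suggested above
const SESSION_TTL         = 3600;   // seconds idle before a session counts as dead
const IP_WINDOW           = 86400;  // look back 24h for distinct IPs
const DISTINCT_IP_LIMIT   = 4;      // assumed: more IPs per day than this is odd

/** Sessions still alive at $now. Rows: ['sid' => ..., 'ip' => ..., 'last_seen' => ts]. */
function activeSessions(array $sessions, int $now): array
{
    return array_values(array_filter(
        $sessions,
        fn(array $s) => ($now - $s['last_seen']) < SESSION_TTL
    ));
}

/** True when a new login must be refused (or the oldest session evicted first). */
function sessionCapReached(array $sessions, int $now): bool
{
    return count(activeSessions($sessions, $now)) >= MAX_ACTIVE_SESSIONS;
}
/**
 * Amount to add to the user's suspicion counter after a login: 1 when more than
 * DISTINCT_IP_LIMIT different IPs were seen in the window, else 0. The counter,
 * not a single observation, triggers the notification. Rows: ['ip' => ..., 'at' => ts].
 */
function suspicionIncrement(array $logins, int $now): int
{
    $recent = array_filter($logins, fn(array $l) => ($now - $l['at']) <= IP_WINDOW);
    $ips    = array_unique(array_column($recent, 'ip'));
    return count($ips) > DISTINCT_IP_LIMIT ? 1 : 0;
}
// Constructed sample data: two live sessions plus one idle for two hours, and
// logins from five different addresses spread over the last few hours.
$now = 1700000000;
$sessions = [
    ['sid' => 'a1', 'ip' => '203.0.113.5',  'last_seen' => $now - 120],
    ['sid' => 'b2', 'ip' => '198.51.100.9', 'last_seen' => $now - 300],
    ['sid' => 'c3', 'ip' => '203.0.113.5',  'last_seen' => $now - 7200],
];
$logins = [];
foreach (['203.0.113.5', '198.51.100.9', '192.0.2.77', '198.51.100.40', '203.0.113.200'] as $i => $ip) {
    $logins[] = ['ip' => $ip, 'at' => $now - $i * 3000];
}
var_dump(sessionCapReached($sessions, $now));
var_dump(suspicionIncrement($logins, $now));
```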
So I have a site that lets you buy and download MP3s. The MP3s are all made by me. But when the user goes through the PayPal checkout process (I have buttons and IPN all set up already), my IPN script stores the order ID as well as the IP address from which the user bought the MP3. The IPN script generates a download link and emails that link to the user's PayPal email.
So whenever the user clicks the download link, it takes the user to my download page. On the download page, it finds the download ID in the database as well as the order ID, the MP3 ID, and the IP address the user was on when they purchased the MP3. Is it a good idea for me to verify the database's IP address against the user's current IP address before letting the user download it? I store the IP address using:
getenv('REMOTE_ADDR') in PHP.
Or should I just skip any verification and let anyone who clicks on that link download the file?
Alright, first of all you should think about the logic behind your question.
Just as an example:
A user buys a song from your site. The first question should be whether you allow him to access this download link temporarily (1, 2, 3 hours, days...), or whether it is possible to call that download link just once, or whether this user is guaranteed lifetime access to it.
After you have settled this basic information you can go ahead.
Case 1 (temporary access):
Storing $_REMOTE_ADDR is a good beginning, but what if this user sits behind a VPN, in a LAN and so on... There are some more ways. You should read about HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED... and so on!
You should even keep in mind that all $_SERVER attributes can be manipulated. So just as advice: you should sanitize all variables before storing them in your database instead of trusting them blindly.
Back to the issue: you have now stored the IP, for security reasons, okay. Maybe you fear getting cheated. Doesn't matter. Your script generates a download link that will be sent to the PayPal email address. Now you have two options:
First: a user has already verified through PayPal and everything is fine. So you don't need to fear anything.
In this case you should think of limiting the time that a user has access to your files. Now imagine this user has a few million friends and you were Justin Timberlake, for example; then the user would send the link he has received to all of his friends, who would try to access your server and download your files - assuming your server's hardware would allow it!
So first of all, a better way is to limit the time to access the link, for example to 1, 2, 3 hours... after buying - still not perfect, but this would avoid the above.
If you restrict it further to the IP - assuming you learn how to get that the right way - a user can only download your MP3s from the IP address where he bought them. What if the user has a smartphone and wants to download from anywhere other than home? Am I right that the users have to create an account to use your offers?
Then the solution could be to store how often an MP3 has been downloaded by a certain user. Here you could set a limit of 50 times; that should be quite a lot for one song to download again and again and again.... You even get an overview of whether a user logs in once or has published his login data for illegal sharing.
Second: a user has not verified through PayPal and tries to cheat you. Imagine he creates an account at PayPal and leaves incorrect bank/account information. PayPal would pay you first and try to recover the money afterwards from the incorrect account information. When PayPal has recognized that the information left in the user account is wrong, they will surely cancel the whole transaction and recover it from your account. In the end you'll always be the loser when accepting PayPal. Sorry.
And to be quite honest with yourself: what are the chances of catching some people that try to cheat you?! 0,0000000032423 percent maybe, with the whole risk on your side of losing much money pursuing investigations.
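The time-limited link and the 50-download cap from the answer above, written as an added PHP example (not the asker's or the answerer's code; DOWNLOAD_SECRET, the order numbers and the timestamps are placeholders):

```php
<?php
// Added example, not code from the question or the answer above: the two
// mitigations the answer prefers over an IP check, a link that expires a few
// hours after purchase and a per-order download counter capped at 50. The token
// is "<orderId>.<mp3Id>.<expires>.<hmac>", so the recipient can neither swap in
// another order id nor push the expiry out. DOWNLOAD_SECRET is a placeholder.

const DOWNLOAD_SECRET = 'replace-with-32-random-bytes';  // keep the real key outside the webroot
const LINK_TTL        = 3 * 3600;                         // 3 hours, as suggested above
const MAX_DOWNLOADS   = 50;
/** Token for the link the IPN script mails out once PayPal has confirmed payment. */
function makeDownloadToken(int $orderId, int $mp3Id, int $issuedAt): string
{
    $payload = $orderId . '.' . $mp3Id . '.' . ($issuedAt + LINK_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, DOWNLOAD_SECRET);
}
/**
 * Returns [orderId, mp3Id] for a valid token, or null when it is malformed,
 * tampered with, or expired. hash_equals() compares the MAC in constant time.
 */
function parseDownloadToken(string $token, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$orderId, $mp3Id, $expires, $mac] = $parts;
    if (!ctype_digit($orderId) || !ctype_digit($mp3Id) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$orderId.$mp3Id.$expires", DOWNLOAD_SECRET);
    if (!hash_equals($expected, $mac) || (int)$expires < $now) {
        return null;
    }
    return [(int)$orderId, (int)$mp3Id];
}
/** $downloadsSoFar comes from the orders row; increment it after each served file. */
function downloadAllowed(int $downloadsSoFar): bool
{
    return $downloadsSoFar < MAX_DOWNLOADS;
}
// Constructed walk-through: a fresh token, the same token after the window, a copy
// with the order id edited but the MAC left as it was, and an exhausted counter.
$t0       = 1700000000;
$token    = makeDownloadToken(4711, 17, $t0);
$tampered = '4712' . substr($token, 4);
var_dump(parseDownloadToken($token, $t0 + 600));
var_dump(parseDownloadToken($token, $t0 + LINK_TTL + 1));
var_dump(parseDownloadToken($tampered, $t0));
var_dump(downloadAllowed(50));
```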
I'm currently working on my referral system, but I have a problem with protecting it from fraud.
Okay, here's how it works for now:
the user registers and activates their account
the user now has access to the control panel, where there is their unique link in the following format: domain.tld/ref/12345
when someone else clicks the user's link, he or she must click a specific button to confirm that it is not some kind of fraud (like "click here, you'll get $100" or something)
the system writes the visitor's IP to a database and some data to cookies to prevent re-pressing the button. The user now has +1 point.
But the problem is that the visitor can change their IP, clear cookies and hit the button again. It takes a few seconds, and that's not OK, that's cheating.
How to prevent it? Is there some trick to get a unique computer ID or something that can't be changed that easily?
Really the only options are to tie the process to something which is not so easily manipulated by the user - super cookies, browser fingerprints, OpenID, email addresses and telephone numbers (the latter two using some sort of validation step before a vote is counted).
The only way you can be certain a referred party does not reuse a referral code is for the original user to send different one-time-use-only referral URLs to each person. Once the code has been used, it is flagged as such in (or removed entirely from) your database so that it can not be used again.
How you prevent the original user from sending multiple links out to the same person is another matter - and not an easy one to resolve.
Who do you perceive to be the threat?
Although it's certainly not 100% accurate, you can still fingerprint visitors using, for example, a combination of their IP, browser user agent, and with some JavaScript you can even go for screen size or installed fonts. Using these pieces of information you can set up a system where you save the fingerprints in a data table and in the same record store the session id (from the cookie). Now when a new visitor arrives you can test their fingerprint against the db of recent fingerprints with different visitor ids. If you find a large number of matching fingerprints (you define the threshold) with different sessions, then you can alert for the possibility of fraud.
Cheers
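The fingerprint-and-session matching from the answer above, as an added PHP example that is not the answerer's code; the window, the threshold and the visit rows are constructed:

```php
<?php
// Added example, not the answerer's code: the fingerprint matching described
// above. A fingerprint is a hash over IP, User-Agent and the screen size the
// page's JavaScript posts back; each visit is stored with its session id, and a
// fingerprint seen under too many different sessions in the window is reported.

const FP_WINDOW    = 3600;  // seconds (assumed)
const FP_THRESHOLD = 3;     // distinct sessions per fingerprint before alerting (assumed)

function fingerprint(string $ip, string $userAgent, string $screen): string
{
    // Normalise so casing/whitespace noise does not produce a "new" visitor.
    $parts = [trim($ip), strtolower(trim($userAgent)), trim($screen)];
    return hash('sha256', implode("\x1f", $parts));
}
/**
 * Rows: ['fp' => hash, 'sid' => session id, 'at' => ts]. Returns
 * fingerprint => distinct-session count for every fingerprint at or over the threshold.
 */
function suspiciousFingerprints(array $visits, int $now): array
{
    $sessionsByFp = [];
    foreach ($visits as $v) {
        if ($now - $v['at'] > FP_WINDOW) {
            continue;
        }
        $sessionsByFp[$v['fp']][$v['sid']] = true;
    }
    $flagged = [];
    foreach ($sessionsByFp as $fp => $sids) {
        if (count($sids) >= FP_THRESHOLD) {
            $flagged[$fp] = count($sids);
        }
    }
    return $flagged;
}
// Constructed visits: one machine that keeps clearing its cookie (three fresh
// sessions inside the window, one old one outside it) and one ordinary visitor.
$now = 1700000000;
$ua  = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0';
$fpA = fingerprint('203.0.113.5', $ua, '1920x1080');
$fpB = fingerprint('198.51.100.9', 'Mozilla/5.0 (iPhone) Safari/17', '390x844');
$visits = [
    ['fp' => $fpA, 'sid' => 's1', 'at' => $now - 100],
    ['fp' => $fpA, 'sid' => 's2', 'at' => $now - 80],
    ['fp' => $fpA, 'sid' => 's3', 'at' => $now - 60],
    ['fp' => $fpA, 'sid' => 's9', 'at' => $now - 7200],
    ['fp' => $fpB, 'sid' => 's4', 'at' => $now - 50],
];
print_r(suspiciousFingerprints($visits, $now));
```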
How about storing the link with the user when they navigate to the link? Then in the database you will have the link, and if the user has already been to the link then deny them. Seems like it could work; then you wouldn't have to worry about the cookies etc...
I am trying to block a user's PC permanently from using my website. Until now, what I did was ban the IP address and set a cookie which will automatically ban the IP address if it changes. However, some tricky users are nevertheless deleting the cookie and resetting their router, so they can write harmful comments on my website. Is there any other way of banning a user, other than with an IP ban and cookies?
I read this question: https://stackoverflow.com/questions/3159160/how-to-definitively-ban-a-user-from-my-website-or-almost but it is not what I am looking for.
You could use evercookie, which is a lot harder to get rid of, but identifying individual PCs with certainty is not really possible, and that's a very good thing because it would be the end of privacy.
No, there isn't. Any method you put in place can be worked around. You can identify a previous user by:
IP address - which changes automatically, and can be changed manually with something like Tor
Cookie - which can be deleted easily, as you said above
Login details - which would require you to block commenting for non-registered users, and blocked users could register with new details anyway. You could require pre-approving accounts.
Note that this is a very difficult thing to do. Even the biggest sites struggle with this - StackOverflow included. Ultimately, it's a trade-off between making it easy for good users and difficult for unwanted users - you, as the site owner, have to decide where the optimal experience lies.
One other option is to pay for comment moderation with something like Mechanical Turk or Freelancer.com.
Obviously, 100% authentication is impossible; aside from anything else, someone could just go to an internet cafe or use a friend's computer. But you could try making a few changes to your site if you have a big problem with this:
You could make users sign up to post, and even go so far as to have new users' comments not show up until they are approved, either by yourself or by other trusted users.
You could try hellbanning, which means you flag a user as hellbanned; they can still log in and post etc., but their comments only show up for them, no one else.
You could try automatically scanning posts for certain offensive terms (or whatever is relevant in this case) and then automatically delete or hold them until approved manually.
Spam, intentional or otherwise, is a tricky problem, and anyone who completely solves it will likely become very rich.
One idea, often seen in phpBB-like systems, is a role approach. You assign different abilities to guest or visitor users, to registered users, and to trusted registered users. A basic scheme for it would be like this:
Guest
  Requires CAPTCHA
  Requires moderator approval
Registered users
  Requires moderator approval
Trusted registered users
  Can freely post comments
Your CMS affects the way this would be set up. The simplest (assuming it doesn't already support this) would be storing a few extra bits in the database indicating the role and checking that when posting.
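The role scheme above, plus the hellban rule from the earlier answer, as an added PHP example that is not from either answer; the roles, the comment rows and the hellban list are constructed:

```php
<?php
// Added example, not code from the answers above: the role scheme just described,
// together with the hellban rule from the earlier answer, as two pure functions a
// PHP CMS could call when a comment is posted and when a thread is rendered. The
// roles, the comment rows and the hellban list are constructed values.

const ROLE_GUEST      = 'guest';
const ROLE_REGISTERED = 'registered';
const ROLE_TRUSTED    = 'trusted';

/** What a comment from this role must pass: a CAPTCHA, and/or moderator approval. */
function postingPolicy(string $role): array
{
    $policy = [
        ROLE_TRUSTED    => ['captcha' => false, 'status' => 'approved'],
        ROLE_REGISTERED => ['captcha' => false, 'status' => 'pending'],
        ROLE_GUEST      => ['captcha' => true,  'status' => 'pending'],
    ];
    return $policy[$role] ?? $policy[ROLE_GUEST];  // unknown role: fail closed
}

/**
 * Comments a viewer may see. Pending comments show only to their author and to
 * moderators; a hellbanned author's comments show only to that author, so the
 * banned user cannot tell anything happened. $hellbanned: [userId => true].
 */
function visibleComments(array $comments, array $hellbanned, ?int $viewerId, bool $isModerator = false): array
{
    return array_values(array_filter($comments, function (array $c) use ($hellbanned, $viewerId, $isModerator) {
        $own = $viewerId !== null && $c['author'] === $viewerId;
        if (!empty($hellbanned[$c['author']]) && !$own) {
            return false;
        }
        return $c['status'] === 'approved' || $own || $isModerator;
    }));
}

// Constructed thread: an approved comment, an approved comment by hellbanned
// user 20, and a pending comment by user 30 awaiting moderation.
$comments = [
    ['id' => 1, 'author' => 10, 'status' => 'approved', 'body' => 'nice gallery'],
    ['id' => 2, 'author' => 20, 'status' => 'approved', 'body' => 'spam spam'],
    ['id' => 3, 'author' => 30, 'status' => 'pending',  'body' => 'awaiting mod'],
];
$hellbanned = [20 => true];
print_r(postingPolicy(ROLE_GUEST));
print_r(visibleComments($comments, $hellbanned, null));      // anonymous reader
print_r(visibleComments($comments, $hellbanned, 20));        // the hellbanned user
print_r(visibleComments($comments, $hellbanned, 99, true));  // a moderator
```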
Just get the bastard's region with GeoIP functions and set some restriction for this region (for example premoderation/captcha/etc.).
Also, you can use "protection" from other services, which is more powerful. For example: connect your site accounts with a Facebook account and allow commenting only after getting a facebook_id. It's pretty easy to ban a user by facebook_id and hard and slow for the bastard to create accounts for every ban of yours ;)
I plan to prepare a gallery (in PHP) with a voting option. However, I've got security problems and do not know how to resolve them.
I would like it to be possible to vote only one time per 24 hours. I tried to use IP address verification, but depending on ISP it may change after reconnection. Cookies can be removed from the computer.
I considered another approach: sending an email to the person with a link that they click to vote. That would be saved in the db with a 24-hour restriction for the IP address and email address.
Unfortunately these options do not give a guarantee. Do you have any more security tips? Would you advise something else?
PS- A CAPTCHA seems nice, but users may not want to vote while experiencing any difficulties.
Why not allow voting only to registered users?
This can be achieved through obscurity. As Subdigger and Oltarus stated, allowing only registered users to vote is the only real way.
Most automated polling code only submits to the form directly. You can set a cookie and record the user activity to see if they actually visit the polling page before submitting.
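The visited-the-page check from the answer above, as an added PHP example rather than the answerer's code; $session stands in for $_SESSION, and the user id, image id and timestamps are constructed:

```php
<?php
// Added example, not code from the question or answers above: the "did they
// really open the poll page?" check, done with a random one-time form token kept
// in the server-side session, followed by a one-vote-per-image-per-24h rule for
// the logged-in user. $session stands in for $_SESSION and $votes for a votes table.

const VOTE_INTERVAL = 86400;
/** Called while rendering the poll page: mint a token and remember what it is for. */
function issueVoteToken(array &$session, int $imageId): string
{
    $token = bin2hex(random_bytes(16));
    $session['vote_tokens'][$token] = $imageId;
    return $token;
}

/**
 * Called by the POST handler. Returns 'ok', 'no_token' or 'too_soon'.
 * $votes: [userId => [imageId => timestamp of last counted vote]].
 */
function castVote(array &$session, array &$votes, int $userId, int $imageId, string $token, int $now): string
{
    // The token must exist and have been issued for this image; it is consumed either way,
    // so a captured token cannot be replayed for a second vote.
    $issuedFor = $session['vote_tokens'][$token] ?? null;
    unset($session['vote_tokens'][$token]);
    if ($issuedFor !== $imageId) {
        return 'no_token';
    }
    $last = $votes[$userId][$imageId] ?? 0;
    if ($now - $last < VOTE_INTERVAL) {
        return 'too_soon';
    }
    $votes[$userId][$imageId] = $now;
    return 'ok';
}

// Constructed walk-through for user 7 voting on image 42: a proper vote, a replay
// of the same token, a token that was never issued, a second vote an hour later
// through a fresh token, and another one a full day later.
$session = [];
$votes   = [];
$now     = 1700000000;
$t = issueVoteToken($session, 42);
echo castVote($session, $votes, 7, 42, $t, $now), "\n";
echo castVote($session, $votes, 7, 42, $t, $now), "\n";
echo castVote($session, $votes, 7, 42, 'never-issued', $now), "\n";
$t = issueVoteToken($session, 42);
echo castVote($session, $votes, 7, 42, $t, $now + 3600), "\n";
$t = issueVoteToken($session, 42);
echo castVote($session, $votes, 7, 42, $t, $now + VOTE_INTERVAL), "\n";
```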
I currently have a website built in PHP, I'm hoping to build a referral system tonight.
My theory is that if I dynamically generate a url and place it on my users' homepage such as
"Referral url = www.mysite.co.uk/referral.php?user=myuser"
Then I could have a script in the page referral.php which gets the username and runs an SQL query updating their corresponding row in my table.
The only thing is anybody could then add their own name and sign up multiple accounts.
What is the best way to go about building something like this?
Thanks
Suppose that to get the referral URL my users had to click a button which generates the referral URL as a random value, i.e. mysite.com/refer.php?user=234234, at the same time storing it in the db.
Once somebody visits the page refer.php, the referrer then gets his credits or benefit added to his row in the db, at the same time setting his referral code to 0, making the code only available once.
Each time he hits the button on his page, his referral code would change.
Would this be valid do you think?
You generally have the right idea, but protecting against fraud in a referral system is difficult. You can check for unique IP addresses in $_SERVER and add that to the database for each request, throwing away duplicates or limiting referrals from IP addresses that don't come from the user who signed up. Like HTTP_REFERRER, this can be spoofed as well with ease (using TOR for example).
It's a tough problem that isn't something you can truly "solve." Like most fraud cases, you can only do your best to mitigate the effect.
EDIT TO ADD: You can also require referrals to "mature" by forcing the referred user to be active on the site for a defined period of time (say, 30 days) to increase the effort of spammers/cheaters. But again, this doesn't "solve" the problem - all you can do is make it tougher for them to game the system. And occasionally, by doing this stuff, you can ruin user experience. So how do you balance it? Tough question. :)
EDIT TO ADDRESS YOUR EDIT: Contemplate the following scenarios if we implement your plan:
1) I click the button and get my code. Then I paste it to... who exactly? One person? That's not particularly good for sharing on Facebook, MySpace (does this exist?), or my personal blog. I have to generate a referral code for EVERY person I send to the site? That not only scales terribly, but is a horrible user experience as well.
2) Let's say I figure out what you're doing. I develop a bot that clicks that button 4 trillion times. What now?
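An added PHP example, not code from the question or this answer, of a referral.php flow that uses an opaque random code instead of the username, refuses a referral arriving from the referrer's own signup IP, and credits only after the 30-day maturity period described above; $db and the sample rows are constructed:

```php
<?php
// Added example, not code from the question or the answer above: the referral.php
// flow with an opaque random referral code instead of ?user=myuser, refusal of a
// referral whose signup IP is the referrer's own, and crediting only once the
// referred account has "matured". $db stands in for the MySQL tables.

const MATURITY_DAYS = 30;  // as suggested above
/** Opaque per-user code for the link; stored in the referrer's users row. */
function newReferralCode(): string
{
    return bin2hex(random_bytes(12));
}
/**
 * Record a signup that arrived via ?ref=<code>. Returns false when the code is
 * unknown or the new account's IP is the referrer's own signup IP.
 * $db = ['users' => [id => ['code', 'signup_ip', 'credits']], 'referrals' => [...]].
 */
function recordReferral(array &$db, string $code, int $newUserId, string $ip, int $now): bool
{
    $referrerId = null;
    foreach ($db['users'] as $id => $u) {
        if (hash_equals($u['code'], $code)) { $referrerId = $id; break; }
    }
    if ($referrerId === null || $db['users'][$referrerId]['signup_ip'] === $ip) {
        return false;
    }
    $db['referrals'][] = ['referrer' => $referrerId, 'referred' => $newUserId, 'ip' => $ip, 'at' => $now, 'credited' => false];
    return true;
}
/** Cron job: credit referrals whose referred user was still active MATURITY_DAYS after signup. */
function creditMatured(array &$db, array $lastActive): int
{
    $credited = 0;
    foreach ($db['referrals'] as &$r) {
        $activeFor = ($lastActive[$r['referred']] ?? 0) - $r['at'];
        if (!$r['credited'] && $activeFor >= MATURITY_DAYS * 86400) {
            $r['credited'] = true;
            $db['users'][$r['referrer']]['credits']++;
            $credited++;
        }
    }
    unset($r);
    return $credited;
}
// Constructed walk-through: user 1 refers a genuine newcomer from another address,
// then tries to refer "user 3" from his own address; a month later the cron runs.
$db = ['users' => [1 => ['code' => newReferralCode(), 'signup_ip' => '203.0.113.5', 'credits' => 0]], 'referrals' => []];
$t0 = 1700000000;
var_dump(recordReferral($db, $db['users'][1]['code'], 2, '198.51.100.9', $t0));
var_dump(recordReferral($db, $db['users'][1]['code'], 3, '203.0.113.5', $t0));
var_dump(creditMatured($db, [2 => $t0 + 31 * 86400]));
var_dump($db['users'][1]['credits']);
```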
You could use the 'HTTP_REFERER' value to check what page the request came from, and only allow votes for that user from their page. This can be spoofed, but most people won't know how.
You can count the referral points for some additional action on your site, for example registration or payment or anything that is behind captcha check.
But do not build any obstacles for your regular legit users!
You could embed this information in the POSTDATA - it's a tad more secure.
Or you can add a restriction that any user may be upvoted ONLY by any other EXISTING user only once. And to make it more "secure", generate userIds with a random seed.