freeloader (Author) Posted May 27, 2008

Not sure if this is the right section, but here we go. I'm developing a game site and I expect quite a few cheaters to find their way to the site. I thought up some methods of detecting cheaters, but I'm not sure what would be the best way to implement them.

IP lookup

Of course, I will start with the basic IP lookup, but instead of storing only the latest IP one uses, I want to store every IP they ever used on the site and then cross-reference it and see if it was used on another account. What would be the best way to store it? A different user table with 3 columns: username, ip, logdate? Or 2 extra columns in the members table: ip, logdate, ip being a longtext field in the members table where I keep adding IPs? I'm afraid the first method will take up too much space and slow down the rest of the MySQL DB after a year or so, though it probably is the easiest way to search the table for doubles.

Flash cookies

What most people forget when trying to cheat is Flash cookies (Local Shared Objects). They're pretty hard to remove and to find if you don't know how. Also, bots will not pick them up, so if you see a user with no Flash cookie inserted, you can flag them as a potential cheater and later find out by login times whether or not it was a bot or a real user with Flash disabled. I was thinking of storing a unique id in a Flash variable and storing it in the database. Whenever a user signs on with a different account, the unique id gets added to it and I can do an easy user lookup afterwards. My question is: is it possible to read (and possibly write?) Flash cookies with PHP, and how do I go about that?

Flagging users: on the spot or afterwards?

I'm not sure what to do here either. Do I check to see if an account is a cheater when they log in (IP lookup, Flash cookie comparison, update DB field and flag as a cheater on the spot), or do I run scripts for that afterwards?

Thanks for answering my questions in advance, and if you know of any other way to find out double accounts, let me know.

Thread: https://forums.phpfreaks.com/topic/107490-security-question/
revraz Posted May 27, 2008

For the IP issue, you definitely want a new table. Just store the UserID, IP and Date; then you can join the table with your users using the UserID when you need to query it. But in my opinion, it won't have any value. What if two players are in the same dorm or work location that report the same external IP?
freeloader (Author) Posted May 27, 2008

It's mostly to assure advertisers not too many ads are being loaded through bots and multiple users. We don't want to lose money because of that. As for a few IPs on the same PC, we can live with that, and if we have some spare time we'll just compare logdates (or let a script do it). 2 people in the same dorm won't always log in right after each other, right? Multi-accounters probably will log in with more similar login times.
revraz Posted May 27, 2008

That's always a tough choice to make on the dev side, because whatever you do, you limit what can be done by legit players in the same house. What if I want to play with my son at the same time? Or someone with their roommate, etc.
freeloader (Author) Posted May 27, 2008

Not if we limit the amount of accounts one IP can have to around 4. When they have more than that, it starts to become implausible and you ask for some kind of proof.
nloding Posted May 27, 2008

When Battlefield 2142 came out, EA Games prevented multiple connections from the same IP. This hurt in the long run, as gaming centers and LAN parties couldn't play. Be wary of doing that. Flag numerous logins from the same IP, and if it gets to a certain amount, send an email asking for proof of membership for all the IDs. What that proof is, I don't know. Then you'd need another table of flagged IPs and whether they are legit or not.

No matter what you do, you will block legitimate users from the site, but these days security almost calls for that. Just work extremely diligently to make the number who get blocked (or blocked temporarily) as few as you can.
freeloader (Author) Posted May 27, 2008

Should I make a new entry in the DB for every page? Because if I do a DB insert on the login page, there are 2 problems:

1) they may still be logged in from a previous session and pass the login page
2) they might log in with one IP, change/proxy it and go to the next page

Are there other solutions?
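The separate (user, IP, date) table suggested above, the "log on every page, not just at login" question, the 4-accounts-per-IP threshold and the "similar login times" idea from the thread, worked through as an added example. This is not code from the thread's author or from phpfreaks; it is Python with sqlite3 so it runs offline, and the table and column names (tb_users, tb_ip_log, seen_at) and the sample traffic are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed table names; the real site schema is not given in the thread.
SCHEMA = """
CREATE TABLE tb_users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
CREATE TABLE tb_ip_log (                      -- one row per (user, IP, time), joined on user_id
    user_id INTEGER NOT NULL REFERENCES tb_users(id),
    ip      TEXT    NOT NULL,
    seen_at TEXT    NOT NULL,                 -- ISO 8601, so it sorts correctly as text
    PRIMARY KEY (user_id, ip, seen_at)
);
CREATE INDEX ix_ip_log_ip ON tb_ip_log(ip);   -- the cross-reference queries group/join on ip
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def record_hit(con, user_id, ip, seen_at, dedupe=timedelta(hours=24)):
    """Call on every page, not only at login, so a session kept alive from an
    earlier visit, or a proxy switched on mid-session, is still recorded.
    Skip the insert if this user was already logged from this IP within
    `dedupe`, so the table grows per (user, IP, day), not per page view."""
    row = con.execute("SELECT seen_at FROM tb_ip_log WHERE user_id=? AND ip=? "
                      "ORDER BY seen_at DESC LIMIT 1", (user_id, ip)).fetchone()
    if row and seen_at - datetime.fromisoformat(row[0]) < dedupe:
        return False
    con.execute("INSERT INTO tb_ip_log(user_id, ip, seen_at) VALUES (?,?,?)",
                (user_id, ip, seen_at.isoformat()))
    return True

def accounts_per_ip(con, threshold=4):
    """IPs used by `threshold` or more distinct accounts: candidates for a
    manual check (the 'ask for proof' step), not for an automatic ban, since
    NAT puts a whole dorm, office or LAN party behind one address."""
    return con.execute("""
        SELECT ip, COUNT(DISTINCT user_id) AS accounts
        FROM tb_ip_log
        GROUP BY ip
        HAVING COUNT(DISTINCT user_id) >= ?
        ORDER BY accounts DESC, ip""", (threshold,)).fetchall()

def linked_accounts(con, user_id):
    """Every other account that ever shared an IP with this one."""
    rows = con.execute("""
        SELECT DISTINCT u.username
        FROM tb_ip_log a
        JOIN tb_ip_log b ON b.ip = a.ip AND b.user_id <> a.user_id
        JOIN tb_users  u ON u.id = b.user_id
        WHERE a.user_id = ?
        ORDER BY u.username""", (user_id,)).fetchall()
    return [r[0] for r in rows]

def back_to_back_logins(con, ip, window_minutes=10):
    """Pairs of different accounts seen from one IP within a short window, the
    'similar login times' signal. Roommates logging in together look exactly
    like one person with two accounts, so treat this as a hint, not proof."""
    rows = con.execute("""
        SELECT DISTINCT a.user_id, b.user_id
        FROM tb_ip_log a
        JOIN tb_ip_log b ON b.ip = a.ip AND b.user_id > a.user_id
        WHERE a.ip = ?
          AND abs(strftime('%s', a.seen_at) - strftime('%s', b.seen_at)) <= ?
        ORDER BY a.user_id, b.user_id""", (ip, window_minutes * 60)).fetchall()
    return [(a, b) for a, b in rows]

def load_sample(con):
    """Constructed sample traffic (documentation IP ranges), not real site logs."""
    con.executemany("INSERT INTO tb_users(id, username) VALUES (?,?)",
                    [(1, "alice"), (2, "bob"), (3, "carol"),
                     (4, "dave"), (5, "erin"), (6, "frank")])
    t0 = datetime(2008, 5, 27, 20, 0, 0)
    hits = [
        (1, "203.0.113.5", t0),                         # alice
        (2, "203.0.113.5", t0 + timedelta(minutes=3)),  # bob, same IP, 3 min later
        (3, "203.0.113.5", t0 + timedelta(minutes=6)),  # carol
        (4, "203.0.113.5", t0 + timedelta(minutes=9)),  # dave: 4 accounts behind one IP
        (1, "198.51.100.9", t0 + timedelta(hours=1)),   # alice moves to a proxy mid-session
        (5, "192.0.2.77", t0),                          # erin
        (6, "192.0.2.77", t0 + timedelta(hours=5)),     # frank, same IP but hours apart
    ]
    for user_id, ip, ts in hits:
        record_hit(con, user_id, ip, ts)
    return t0

def run_demo():
    con = open_db()
    t0 = load_sample(con)
    return {
        "hot_ips": accounts_per_ip(con),
        "linked_to_alice": linked_accounts(con, 1),
        "linked_to_erin": linked_accounts(con, 5),
        "dorm_pairs_5min": back_to_back_logins(con, "203.0.113.5", 5),
        "quiet_pairs": back_to_back_logins(con, "192.0.2.77"),
        # alice seen from home again 2 h later: no new row ...
        "dup_logged": record_hit(con, 1, "203.0.113.5", t0 + timedelta(hours=2)),
        # ... but 3 days later the same IP is worth a row (new date)
        "later_logged": record_hit(con, 1, "203.0.113.5", t0 + timedelta(days=3)),
    }

if __name__ == "__main__":
    print(run_demo())
```

Only 203.0.113.5 crosses the 4-account line in the sample; erin and frank share an address but five hours apart, which is what the time-window query is meant to separate from the back-to-back case. The dedupe in record_hit is what keeps the per-page logging from turning into one row per page view, which was the concern about table growth in the first post.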
freeloader (Author) Posted May 27, 2008

I have some additional questions concerning session security. At the moment this is my login processor:

```php
<?php
session_start();
include "config.php";

// check login and pass in db

// set cookie for 90 days
setcookie("usNick", $nicke, time() + 7776000);
setcookie("usPass", $passe, time() + 7776000);
```

Where config.php is included on every page and says:

```php
if ($_COOKIE["usNick"] and $_COOKIE["usPass"]) {
    $q = mysql_query("SELECT * FROM tb_users WHERE username='"
        . mysql_real_escape_string($_COOKIE['usNick']) . "' AND password='"
        . mysql_real_escape_string($_COOKIE['usPass']) . "'") or die(mysql_error());
    if (mysql_num_rows($q) == 0) {
        $_COOKIE['usNick'] = false;
        $_COOKIE['usPass'] = false;
    } else {
        $loggedin = 1;
        $r = mysql_fetch_array($q);
    }
}
```

Access to the admin panel is set this way:

```php
if (!isset($_COOKIE["usNick"]) && !isset($_COOKIE["usPass"])) {
    exit();
}
if ($r["account"] != "admin") {
    header("location:index.php");
    exit();
}
// admin panel
```

I would like to transform this to a secure sessions system, but what is the most secure way to go about that in PHP?
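The posted login keeps the username and the password itself in two 90-day cookies and re-runs the credential query on every page, and the admin gate trusts whatever those cookies produced. The shape of a session system that avoids that, as an added example: it is Python rather than the thread's PHP, is not code from the thread's author or from phpfreaks, and uses in-memory dicts as stand-ins for the tb_users table and a server-side session table. The browser receives only an unguessable session id; the user, and whether they are admin, is looked up server-side on each request.

```python
import hashlib, hmac, os, secrets

PBKDF2_ROUNDS = 200_000
SESSION_TTL = 12 * 3600   # idle timeout in seconds; the posted cookies lived 90 days

def hash_password(password):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself, so
    the password column is useless to anyone who can read the table."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())

def verify_password(password, stored):
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

class Site:
    """In-memory stand-ins for tb_users and a server-side session table
    (assumed layout for the example, not the thread's real schema)."""
    def __init__(self):
        self.users = {}      # username -> {"id", "pw", "account"}
        self.sessions = {}   # session id -> {"user_id", "expires"}
        self._next_id = 1

    def register(self, username, password, account="user"):
        self.users[username] = {"id": self._next_id,
                                "pw": hash_password(password), "account": account}
        self._next_id += 1

    def login(self, username, password, now):
        """Return a fresh session id, the only value that goes into the cookie
        (send it HttpOnly and, over HTTPS, Secure). It is minted anew on every
        login, so an id chosen or observed before authentication is never
        upgraded to a logged-in one."""
        u = self.users.get(username)
        if u is None or not verify_password(password, u["pw"]):
            return None
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user_id": u["id"], "expires": now + SESSION_TTL}
        return sid

    def current_user(self, sid, now):
        """Resolve the cookie value to a user on the server. An unknown or
        expired id yields None, and nothing else in the request can change that."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now >= s["expires"]:
            del self.sessions[sid]
            return None
        s["expires"] = now + SESSION_TTL   # sliding idle timeout
        for name, u in self.users.items():
            if u["id"] == s["user_id"]:
                return {"username": name, "account": u["account"]}
        return None

    def is_admin(self, sid, now):
        """Admin panel gate: the role comes from the server-side user record
        that the session id maps to, never from a value the browser presented."""
        u = self.current_user(sid, now)
        return u is not None and u["account"] == "admin"

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie in the browser alone is not enough.
        self.sessions.pop(sid, None)
```

Mapped back to the PHP in the post: the two setcookie() calls become one cookie carrying the session id, config.php looks the id up in a session table instead of running the username/password query, and the admin check reads the account column of the user that lookup returned. The `now` parameter is passed in explicitly only so the expiry behaviour can be exercised without waiting; in a real handler it is the current time.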
gizmola Posted May 27, 2008

freeloader wrote: "It's mostly to assure advertisers not too many ads are being loaded through bots and multiple users. We don't want to lose money because of that. As for a few IPs on the same PC, we can live with that, and if we have some spare time we'll just compare logdates (or let a script do it). 2 people in the same dorm won't always log in right after each other, right? Multi-accounters probably will log in with more similar login times."

I think you misunderstand the issue. The issue is NAT, where you could have hundreds or even thousands of users with the same IP (remember AOL?). Ok, it's an overstated concern, but it's not a matter of reuse of IPs, but rather that NAT allows the same IP to be used simultaneously by multiple users *at the same time*.
freeloader (Author) Posted May 28, 2008

I know some ISPs do that and I understand some users would be suspended without fair cause. However, the probability of that is low, and if this would be the case, we can still check up on the IP and see which ISP distributed it.

Can someone focus on the security concerns I posted in regards to sessions?
nloding Posted May 28, 2008

freeloader wrote: "I would like to transform this to a secure sessions system, but what is the most secure way to go about that in PHP?"

I point everyone to this article, as I think it's a great place to start: http://www.evolt.org/PHP-Login-System-with-Admin-Features