good question!

[z1haze]

is it possible to create a sort of php secure login on a website that locks the users account a a hardware ID.. so that it is not possible to share a paid account among several users.  Im building a site for a friend who is a teacher.. and is selling teaching packs online.. some webbased and some downloadable.. i need a way to keep people from sharing login names... so they wont all be able to just use one login and rip him off. thanks everyone.

[RussellReal]

best way to do this is log IP addresses, most ip addresses refresh once like a month or so (mine has been static for the past 5 months, but it is actually an IP which is supposed to refresh lol) so.. log ip changes.. if there is more than 3 ip changes that week or whatever.. oir just any amount like that, 3 ip changes that day.. or whatever.. than lock the account, and also remember to mention this feature in your ToS..

 

with this you will atleast know who is sharing and who isn't.. code it to auto-lock the account with 3 ip changes within X amount of seconds, and then give them the option to unlock their account and send them a warning if there is more activity like this you will delete their account permenantly..

 

this is your only option you can't get hardware information, and also what if sum1 likes your website at work? so like.. just bear these things in mind..

[bubbasheeko]

If they are purchasing the items to download there is an easier way than what you are suggesting.

 

Only allow them to download the package once or twice without approval from the person looking after the website.  The download will trigger a 'marker' in the database to say it was downloaded (and how many times).  If they attempt to download a purchased item again outside of you 1 or 2 download limit, it will trigger an approval email to the website admin or who ever is looking after it.  If they approve ( you will need to create a page that will remove the marker for that 'client' and include the link in the email), click on the marker removal link in the email.  Clear the marker or set it back to 1 (if you choose to allow at least 2 downloads without approval).  That would be a basic deterrent.

 

I wouldn't suggest to use IP addresses.  Dynamic addresses (usually dial up) change to frequently to make an IP solution feasible.  Static IP addresses do not change that frequently, but when they do they may not even start with the same first three numbers.  The above may be the best solution.

[corbin]

If they are purchasing the items to download there is an easier way than what you are suggesting.

 

Only allow them to download the package once or twice without approval from the person looking after the website.  The download will trigger a 'marker' in the database to say it was downloaded (and how many times).  If they attempt to download a purchased item again outside of you 1 or 2 download limit, it will trigger an approval email to the website admin or who ever is looking after it.  If they approve ( you will need to create a page that will remove the marker for that 'client' and include the link in the email), click on the marker removal link in the email.  Clear the marker or set it back to 1 (if you choose to allow at least 2 downloads without approval).  That would be a basic deterrent.

 

I wouldn't suggest to use IP addresses.  Dynamic addresses (usually dial up) change to frequently to make an IP solution feasible.  Static IP addresses do not change that frequently, but when they do they may not even start with the same first three numbers.  The above may be the best solution.

 

 

And you would keep the downloaded file on the original downloader's computer how?

[bubbasheeko]

that depends on one thing - What is the package that is being downloaded?  PHP app?  Flash app?  Word documents?

[GingerRobot]

best way to do this is log IP addresses, most ip addresses refresh once like a month or so (mine has been static for the past 5 months, but it is actually an IP which is supposed to refresh lol) so.. log ip changes.. if there is more than 3 ip changes that week or whatever.. oir just any amount like that, 3 ip changes that day.. or whatever.. than lock the account, and also remember to mention this feature in your ToS..

 

with this you will atleast know who is sharing and who isn't.. code it to auto-lock the account with 3 ip changes within X amount of seconds, and then give them the option to unlock their account and send them a warning if there is more activity like this you will delete their account permenantly..

 

this is your only option you can't get hardware information, and also what if sum1 likes your website at work? so like.. just bear these things in mind..

 

Are you aware of a.) how difficult it is to ascertain a user's true IP address and b.) that some people have IPs that will change with every single request whilst other people will have the same IP as an awful lot of others who use the same ISP?

[bubbasheeko]

..hence why I said it wasn't a good idea

[GingerRobot]

My apologies. I actually intended to quote the person above you(RussellReal). Obviously clicked the wrong button. I also didn't notice that you'd already mentioned most of what i'd said. One of those days, i guess.

[corbin]

Unless it's a compiled program, you're going to have issues.

 

 

If it's a web app, you'll have even more issues.

 

 

Keeping people from sharing accounts would be quite difficult.

 

 

 

Edit:  You would of course have problems with keeping a compiled program with one user too, it would probably just be easier.

[auro]

This is impossible according to me. I'm running a chat community where i can trace fake and multiple ids of a user.

 

My special system is 3 layered. I have worked very hard for that. Still there can be 5% users who can escape.

 

So no remedy.

[.josh]

stuff has to be purchased, right? Require a bunch of personal info on register.  A cc number (for purchasing), social security number, bday, address, etc... upon login, prompt user to verify him/herself with the more sensitive data, like their social security number or cc number.  Not many people are willing to share that kind of info, even with their friends.

[corbin]

stuff has to be purchased, right? Require a bunch of personal info on register.  A cc number (for purchasing), social security number, bday, address, etc... upon login, prompt user to verify him/herself with the more sensitive data, like their social security number or cc number.  Not many people are willing to share that kind of info, even with their friends.

 

 

Ooo that's a good idea....  Genius in fact.  I wonder if it would make people more hesitant to buy the product though....

 

 

I guess the buyers would have to provide a credit card number anyway lol.

[.josh]

lose 1 customer or lose 100 products. Take your pick.

[Rushyo]

Very few people nowadays are entirely happy giving their details away to a site they do not trust. When they visit a site, they either a) already trust it or b) expect to be redirected to a merchant provider they trust. So legitimate users will generally not just give away details such as credit card numbers and social security details.

 

""I guess the buyers would have to provide a credit card number anyway lol. "

 

If you are taking credit card numbers in the first place you need to damn sure you have the security to deal with it.. and you need to reassure your customers their data is safe at all stages. If you don't, say goodbye to the majority of your purchases.

 

There's a reason PayPal, Google Checkout, WorldPay, etc are so popular. The site you're buying from never gets any personal information. Nada. Zip. Squat. That works for both the web site (who don't want to touch it) and the consumer.

[z1haze]

well i've heard a lot.. but more information to you.. all of the customers who will be visiting the site, will either a. know the owner personally, or b. know a person personally who uses the website.. so the trust will be a little easier to gain.  Another thing.. I think i may go with the ip addresses thing.. because a lot of it is webbased so it wouldnt help to count downloads, bc the only things actually being downloaded would be teaching videos.. all the other things, like worksheets and such will just be printed from the browser... but the videos go along with the worksheets..

 

 

also can someone tell me how i would achieve gettings the users ip logged each time the User Account logs into the system? please and thanks

[.josh]

$_SERVER['REMOTE_ADDR'];

[bubbasheeko]

That's the thing, you can't always get their real IP address.  That is why we let you know it isn't the best option.

 

I will give you the info anyway

 

$ip =@$REMOTE_ADDR; 

 

If php.ini on your server has register_global set to the off position then you will have to do it a different way.

 

$ip = $_SERVER['REMOTE_ADDR'];

 

Good luck!

 

 

[Rushyo]

"also can someone tell me how i would achieve gettings the users ip logged each time the User Account logs into the system? please and thanks"

 

<?php
$strIP = $_SERVER["REMOTE_ADDR"];
?>

 

Then just put $strIP in your database. Note that this value is pretty easily faked.

[RussellReal]

$_SERVER['REMOTE_ADDR']

[bubbasheeko]

+ Enter the results of one of the php queries I provided into a database.