silverglade, posted October 30, 2009:

Hi, I'm trying to secure a part of my website. So far I have no way of preventing one user from giving another 100 people their password and username, and them all using that same password and username without paying me. Is there a way for me to stop 100 people from using the same password and user? Any advice greatly appreciated. Thanks. derek

Daniel0, posted October 30, 2009:

If logins using the same credentials come from a large number of different IP addresses, it could be a strong indicator that multiple people are logging in. You'll have to consider that 1.2.3.4 and 1.2.3.3 could very well be the same person, but 1.2.3.4 and 2.2.3.4 could certainly not (a relative difference of respectively 1 and 16777216).

Another thing you could do is to restrict one login per IP address at a time.

You could also check against the user agent string. Many different UA strings from many different IP addresses would also be an indicator.

You could automatically flag suspicious accounts and manually investigate them.

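The IP and user-agent heuristic described above, as an added example that is not part of the original post: it groups logins per account by /16 network and flags accounts seen from more networks than a threshold allows. The /16 granularity, the thresholds, the function names and the login records are all assumptions constructed for illustration.

```php
<?php
// Added example: flag accounts whose logins come from many unrelated networks.
// Thresholds, the /16 grouping and the login records are assumptions/constructed data.

const MAX_NETWORKS = 3; // assumed: distinct /16 networks tolerated per account
const MAX_AGENTS   = 3; // assumed: distinct user agent strings tolerated per account

/** Numeric distance between two IPv4 addresses, as in the post above. */
function ipDistance(string $a, string $b): int
{
    return abs(ip2long($a) - ip2long($b));
}

/** Collapse an IPv4 address to its /16 network so nearby addresses count once. */
function network16(string $ip): string
{
    return long2ip(ip2long($ip) & 0xFFFF0000);
}

/**
 * Group login records by account and return the accounts worth a manual look.
 * Each record is ['user' => string, 'ip' => string, 'ua' => string].
 */
function flagSharedAccounts(array $logins): array
{
    $seen = [];
    foreach ($logins as $l) {
        if (ip2long($l['ip']) === false) {
            continue; // not a valid IPv4 address; IPv6 needs separate handling
        }
        $seen[$l['user']]['nets'][network16($l['ip'])] = true;
        $seen[$l['user']]['uas'][$l['ua']] = true;
    }
    $flagged = [];
    foreach ($seen as $user => $s) {
        $nets = count($s['nets']);
        $uas  = count($s['uas']);
        if ($nets > MAX_NETWORKS) {
            // Many user agents on top of many networks strengthens the signal.
            $flagged[$user] = ['networks' => $nets, 'agents' => $uas, 'strong' => $uas > MAX_AGENTS];
        }
    }
    return $flagged;
}

// Constructed sample data: "alice" stays inside one range, "bob" shows up everywhere.
$logins = [
    ['user' => 'alice', 'ip' => '1.2.3.4',      'ua' => 'Firefox/3.5'],
    ['user' => 'alice', 'ip' => '1.2.3.3',      'ua' => 'Firefox/3.5'],
    ['user' => 'bob',   'ip' => '2.2.3.4',      'ua' => 'Firefox/3.5'],
    ['user' => 'bob',   'ip' => '192.0.2.10',   'ua' => 'MSIE 7.0'],
    ['user' => 'bob',   'ip' => '198.51.100.7', 'ua' => 'Safari/531.9'],
    ['user' => 'bob',   'ip' => '203.0.113.44', 'ua' => 'Opera/9.80'],
    ['user' => 'bob',   'ip' => 'not-an-ip',    'ua' => 'Opera/9.80'],
];

print_r(flagSharedAccounts($logins));          // accounts to investigate manually
echo ipDistance('1.2.3.4', '1.2.3.3'), "\n";   // the two distances quoted in the post
echo ipDistance('1.2.3.4', '2.2.3.4'), "\n";
```

The output is a review queue, not a verdict: mobile users and people behind changing proxies can cross the threshold legitimately, which is why the post suggests manual investigation.
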
Mark Baker, posted October 30, 2009:

Force password changes at regular intervals, that way it would become more of a headache for anybody giving away the details of their access because they'd have to keep updating the 100 other users with their password changes.

silverglade, posted October 30, 2009:

Thank you both. Ya, that is pretty smart. I will force password changes at regular intervals. How long should I wait for the password changes? Like a month, 2 months, etc.? Thanks. derek

nadeemshafi9, posted October 30, 2009:

I made this script once, that when you login you hash a random number, you store the random number in the user's record and you create a cookie on the user's system to store it there too.

You then check these two on every page, that they match. When someone else logs in it will be changed and it won't let two people in at the same time.

Presto, when another user logs in the number will be generated again and stored in the user's record, and will no longer match with the other user's system cookie.

silverglade, posted October 30, 2009:

That's very smart, thank you. If I changed the password at intervals, how often do you think I should do it, please? Thanks. derek

Daniel0, posted October 30, 2009:

It would be easier just clearing all other sessions for a particular username when a user logs in.

silverglade, posted October 30, 2009:

I don't know how to do that. Do you know what I could search for on Google for a tutorial on how to do that, please? Thanks.

MadTechie, posted October 30, 2009:

This should be an easier option for you.

If you add a random hash to the users record (in the database) when they login and keep a copy in a session, then check that session hash with the DB hash, and if they don't match then log them out..

Now if a second person logs in, the system kicks the first one out.

silverglade, posted October 30, 2009:

I think that's great! I'm new though and don't know how to code that. Do you know where I could find an example on the net or search terms? I know how to add fields in the database, but I wouldn't know how to create a hash, or to add it to a session. Any more help greatly appreciated. Thank you. Here is the login script I have so far.

```php
<?php
include("connect1.php");
session_start();

$u = $_POST['username'];
$p = $_POST['password'];
$logoff = $_GET['logoff'];
$hack = $_GET['hack'];

if($logoff){
    unset($_SESSION['userid']);
    $message = "You have been logged off";
}

if($hack){
    $message = "Naughty Naughty! "; // COOL
}

// escape username and password for use in SQL//person said on board "looks fine" like this
//to prevent sql injections
$u = mysql_real_escape_string($u);
$p = mysql_real_escape_string($p);

// if fields username and password have contents, then...
if(isset($u) && isset($p) && !empty($u) && !empty($p)){ ///changed from if ($u && $p)
    $query = mysql_query("SELECT * FROM table2 WHERE username = '$u' AND password = '$p'");
    $result = mysql_fetch_array($query);
    if($result['username']){ // if username is set, go on...username is a key for $result, and a field in the table.
        $message = "You have been logged in";
        $_SESSION['userid'] = $result['username'];
        header("Location:old.mainsite.php"); // this will redirect them to the application.php page. and exit the script here.
        exit;
    }else{
        $message = "You do not exist on the system";
    }
}
?>
```

It's pretty basic. LOL.

nadeemshafi9, posted October 30, 2009:

> This should be an easier option for you.
>
> If you add a random hash to the users record (in the database) when they login and keep a copy in a session, then check that session hash with the DB hash, and if they don't match then log them out..
>
> Now if a second person logs in, the system kicks the first one out.

I hear an echo.

MadTechie, posted October 30, 2009:

This is all untested and written direct so probably wrong.

Add a field (ie loginHASH varchar(32)) via a DB manager, ie: phpMyAdmin.

Then find the code that checks for logins, and add an update query to add the hash, ie

```php
//SET session loginHASH to a random hash (some random hex)
$_SESSION['loginHASH']= md5(uniqid(mt_rand(), true));
//Update users records in the users table with the above hash
//(MySQL's UPDATE only accepts LIMIT row_count, not the offset form LIMIT 0,1)
mysql_query(sprintf("UPDATE users SET loginHASH ='%s' WHERE ID = %d LIMIT 1", $_SESSION['loginHASH'],$UserID));
```

Then to check.. do something like

```php
//Check the current users session ID and HASH with the ones in the database
$result = mysql_query(sprintf("SELECT loginHASH FROM users WHERE loginHASH ='%s' AND ID = %d LIMIT 0,1", $_SESSION['loginHASH'],$UserID));
//if not found then kick out
if(mysql_num_rows($result) < 1) logout(); //logout function

//wipe session of current user
function logout() {
    if (session_id() === '') {
        session_start(); //only start a session if one is not already active
    }
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-86400, '/');
    }
    session_destroy();
    header("location: home.php"); //redirect home
    exit; //stop the rest of the protected page from running
}
```

EDIT: note that $UserID is the user's ID, thus probably $_SESSION['userid']

EDIT #2: added limits (okay it's not that great but you get the idea)

silverglade, posted October 30, 2009:

Thank you very much for taking the time to do that. I wish I understood it, but I don't. I'm paying for PHP lessons once a week but the guy is starting to seem like he's going to quit on me. So until I get more lessons, I won't understand the above. Crap. Oh well. Thank you very much for trying and typing all that code. I appreciate it. Sorry. derek

But I'm bookmarking this page for when I DO understand it. So thanks.

nadeemshafi9, posted October 30, 2009:

Would be better to make a login class called Auth(), have methods to do these things, lookup the username and then password for authentication.

Daniel0, posted October 30, 2009:

> Would be better to make a login class called Auth(), have methods to do these things, lookup the username and then password for authentication.

Do you understand the concept of an example? Obviously people are not going to write a full-fledged application each time they want to provide a snippet.

MadTechie, posted October 30, 2009:

> Would be better to make a login class called Auth(), have methods to do these things

I am trying to keep it simple..

Okay, I have added some comments to the above. Here's an example:

- User A: logs in as BOB
- System: creates a new HASH and updates the user's database details with the new HASH (ie 123)
- User A: goes to a page
- System: checks the session HASH with that in the database.. they match, it's fine
- User B: logs in as BOB
- System: creates a new HASH and updates the user's database details with the new HASH (ie 456)
- User B: goes to a page
- System: checks the session HASH with that in the database.. they match, it's fine
- User A: goes to a page
- System: checks the session HASH with that in the database.. they no longer match as User A's HASH is 123 but the database now has 456.. the system kicks him out

User A & B refer to people/sessions.

nadeemshafi9, posted October 30, 2009:

> > Would be better to make a login class called Auth(), have methods to do these things, lookup the username and then password for authentication.
>
> Do you understand the concept of an example? Obviously people are not going to write a full-fledged application each time they want to provide a snippet.

I'm just helping the brother out.

silverglade, posted October 30, 2009:

I don't want a full application written out for me. I just am not advanced enough to understand your code. I'm bookmarking it for when I do understand it.

MadTechie, posted October 30, 2009:

What part are you stuck on? Is it the logic OR the actual code..

I'll try to break it down more if you like, I hope the comments make sense.

Oh, here's the SQL in a more basic form that you are probably more used to:

```php
//MySQL's UPDATE only accepts LIMIT row_count, not the offset form LIMIT 0,1
mysql_query("UPDATE users SET loginHASH ='".$_SESSION['loginHASH']."' WHERE ID = $UserID LIMIT 1");
```

```php
$result = mysql_query("SELECT loginHASH FROM users WHERE loginHASH ='".$_SESSION['loginHASH']."' AND ID = $UserID LIMIT 0,1");
```

nadeemshafi9, posted October 30, 2009:

> > Would be better to make a login class called Auth(), have methods to do these things
>
> I am trying to keep it simple..

Go tiger grrrrr, I remember when I used to write it out but I just don't have the time anymore, good man!

silverglade, posted October 30, 2009:

Please don't spend any more time on me, I don't understand the code, and by the time I do understand it, everyone is going to be very pissed. Thanks for trying. derek

MadTechie, posted October 30, 2009:

> Please don't spend any more time on me, I don't understand the code, and by the time I do understand it, everyone is going to be very pissed. Thanks for trying. derek

This is a place to learn.. the fact you are willing to learn means I am willing to help, however if you need some time then that's fine too.

I have taken the liberty of updating your script. If you added a field called loginHASH type=varchar(32) to the table2 table this may just work.

```php
<?php
include("connect1.php");
session_start();

$u = $_POST['username'];
$p = $_POST['password'];
$logoff = $_GET['logoff'];
$hack = $_GET['hack'];

if($logoff){
    unset($_SESSION['userid']);
    $message = "You have been logged off";
}

if($hack){
    $message = "Naughty Naughty! "; // COOL
}

// escape username and password for use in SQL//person said on board "looks fine" like this
//to prevent sql injections
$u = mysql_real_escape_string($u);
$p = mysql_real_escape_string($p);

// if fields username and password have contents, then...
#isset isn't needed as !empty covers it
if(!empty($u) && !empty($p)){ ///changed from if ($u && $p)
    $query = mysql_query("SELECT * FROM table2 WHERE username = '$u' AND password = '$p'");
    $result = mysql_fetch_array($query);
    if($result['username']){ // if username is set, go on...username is a key for $result, and a field in the table.
        $message = "You have been logged in";
        $_SESSION['userid'] = $result['username'];

        /**
         * Security HASH
         */
        //SET session loginHASH to a random hash (some random hex)
        $_SESSION['loginHASH']= md5(uniqid(mt_rand(), true));
        //Update users records in the users table with the above hash
        //(MySQL's UPDATE only accepts LIMIT row_count, not the offset form LIMIT 0,1)
        mysql_query("UPDATE table2 SET loginHASH ='".$_SESSION['loginHASH']."' WHERE username = '$u' AND password = '$p' LIMIT 1");

        header("Location:old.mainsite.php"); // this will redirect them to the application.php page. and exit the script here.
        exit;
    }else{
        $message = "You do not exist on the system";
    }
}
?>
```

New file auth.php

```php
<?php
session_start();
include("connect1.php");

//Check the current users session ID and HASH with the ones in the database
$result = mysql_query("SELECT loginHASH FROM table2 WHERE loginHASH ='".$_SESSION['loginHASH']."' AND username = '".$_SESSION['userid']."' LIMIT 0,1");

//if not found then kick out
if(mysql_num_rows($result) < 1){
    //the session is already started above, so just wipe it
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-86400, '/');
    }
    session_destroy();
    header("location: home.php"); //redirect home
    exit; //stop the member-only page from rendering after the redirect
}
?>
```

Add to the start of member only pages:

```php
require("auth.php");
```

jcombs_31, posted October 30, 2009:

I don't know what the user is paying for when they gain access to your site, but these examples only help with concurrent logins. If a user is paying for something that they can download, these downloads should expire after a certain period of time. What type of website is this?

silverglade, posted October 30, 2009:

They are paying for a very rare and hard to find art technique. I have tons of pages detailing how to do it, with pictures, a video, etc. And I'm the only one on the net who has this info, I'm ranked pretty high up on Google. The only funny thing is nobody gives a crap about this technique, it's too rare I guess. But I've got one person that bought the pages. They pay by a PayPal button, I email them a user and pass request, they give it to me, I update the database, then they login to my "secret pages". It works. But my PHP skill level sucks. I might pay someone on these forums to give me lessons, with that desktop share program and Skype. My current teacher is getting tired of doing it. But as you can see, my PHP skill level is at the "suck" level. Hehe. Thank you everyone for trying so hard to help me, I'm just not there yet. Sorry about that. derek

silverglade, posted November 4, 2009:

I decided to try to use MadTechie's code, thank you MadTechie. It wasn't that hard, but it doesn't work. When I try to login at the index.php page to the old.mainsite.php page, it doesn't let me in, it just reloads the current page. Here is the code he gave me. The scripts are supposed to prevent people from sharing passwords, which would make me lose a lot of money on my site. Any help GREATLY appreciated. Thanks. derek

(I added "loginHASH" to my table and made it varchar, 32, NULL.)

For the entry login page, index.php:

```php
<?php
include("connect1.php");
session_start();

$u = $_POST['username'];
$p = $_POST['password'];
$logoff = $_GET['logoff'];
$hack = $_GET['hack'];

if($logoff){
    unset($_SESSION['userid']);
    $message = "You have been logged off";
}

if($hack){
    $message = "Naughty Naughty! "; // COOL
}

// escape username and password for use in SQL//person said on board "looks fine" like this
//to prevent sql injections
$u = mysql_real_escape_string($u);
$p = mysql_real_escape_string($p);

// if fields username and password have contents, then...
#isset isn't needed as !empty covers it
if(!empty($u) && !empty($p)){ ///changed from if ($u && $p)
    $query = mysql_query("SELECT * FROM table2 WHERE username = '$u' AND password = '$p'");
    $result = mysql_fetch_array($query);
    if($result['username']){ // if username is set, go on...username is a key for $result, and a field in the table.
        $message = "You have been logged in";
        $_SESSION['userid'] = $result['username'];

        /**
         * Security HASH
         */
        //SET session loginHASH to a random hash (some random hex)
        $_SESSION['loginHASH']= md5(uniqid(mt_rand(), true));
        //Update users records in the users table with the above hash
        mysql_query("UPDATE table2 SET loginHASH ='".$_SESSION['loginHASH']."' WHERE username = '$u' AND password = '$p' LIMIT 0,1");

        header("Location:old.mainsite.php"); // this will redirect them to the application.php page. and exit the script here.
        exit;
    }else{
        $message = "You do not exist on the system";
    }
}

//IP BANNING CODE START HERE
$s=$_SERVER["REMOTE_ADDR"]; //draws IP address of visitor
$ipbancheck="SELECT * from banip where IP='$s'";
$ipbancheck2=mysql_query($ipbancheck);
while($ipbancheck3=mysql_fetch_array($ipbancheck2)) {
    $IPBANNED=$ipbancheck3[iP];
}
//above lines check to see if user Ip is in banned IPs
if ($IPBANNED) {
    header('Location: http://derekvanderven.com/hacker.html');
    //print "You have been banned ";
} else {
}
?>
```

For the secret entry page after you login, old.mainsite.php:

```php
<?php
require("auth.php");
include("connect1.php");
include("bouncer.php"); // kicks the person off if session is not set, its the bouncer, big and fat man. ooooh.
?>
```

And finally the "auth.php" page.

```php
<?php
session_start();
include("connect1.php");

//Check the current users session ID and HASH with the ones in the database
$result = mysql_query("SELECT loginHASH FROM table2 WHERE loginHASH ='".$_SESSION['loginHASH']."' AND username = '".$_SESSION['userid']."' LIMIT 0,1");

//if not found then kick out
if(mysql_num_rows($result) < 1){
    session_start();
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-86400, '/');
    }
    session_destroy();
    header("location: index.php"); //redirect home
}
?>
```

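The single-session token scheme discussed in this thread, as an added example that is not code from any poster: it walks through MadTechie's User A / User B sequence and refuses to continue if the token UPDATE did not store a row, since a silently failed UPDATE makes every later page check fail. It assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite table in place of the thread's MySQL `table2`; the table, column and function names are illustrative.

```php
<?php
// Added example: one active session per account, following the scheme in this thread.
// Assumptions: in-memory SQLite via PDO instead of MySQL/connect1.php; the table,
// column and function names below are illustrative, not from the thread.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, pass_hash TEXT, login_token TEXT)');
$db->prepare('INSERT INTO members (username, pass_hash) VALUES (?, ?)')
   ->execute(['bob', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

/** Verify credentials, then rotate the account's token. Returns the token or null. */
function login(PDO $db, string $user, string $pass): ?string
{
    $q = $db->prepare('SELECT pass_hash FROM members WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash === false || !password_verify($pass, $hash)) {
        return null; // unknown user or wrong password
    }
    $token = bin2hex(random_bytes(16)); // 32 hex characters, fits a varchar(32) column
    // MySQL note: UPDATE accepts only "LIMIT row_count"; the offset form is a syntax error.
    $u = $db->prepare('UPDATE members SET login_token = ? WHERE username = ?');
    $u->execute([$token, $user]);
    if ($u->rowCount() !== 1) {
        throw new RuntimeException('login token was not stored');
    }
    return $token; // a real page would keep this in $_SESSION['loginHASH']
}

/** Per-page check: does this session still hold the account's current token? */
function sessionIsCurrent(PDO $db, string $user, string $sessionToken): bool
{
    $q = $db->prepare('SELECT login_token FROM members WHERE username = ?');
    $q->execute([$user]);
    $stored = $q->fetchColumn();
    return is_string($stored) && hash_equals($stored, $sessionToken);
}

// Each array stands in for one browser's $_SESSION (constructed walk-through).
$pw = 'constructed-sample-password';

$userA = ['userid' => 'bob', 'loginHASH' => login($db, 'bob', $pw)];
echo 'A after A logs in: ';
var_dump(sessionIsCurrent($db, 'bob', $userA['loginHASH']));

$userB = ['userid' => 'bob', 'loginHASH' => login($db, 'bob', $pw)];
echo 'B after B logs in: ';
var_dump(sessionIsCurrent($db, 'bob', $userB['loginHASH']));

echo 'A on the next page load: ';
var_dump(sessionIsCurrent($db, 'bob', $userA['loginHASH']));

echo 'Login with a wrong password: ';
var_dump(login($db, 'bob', 'not-the-password'));
```
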