
Ideas for coding php app security?


Rifts


Hey guys,

I'm working on a paid php tool where users would pay monthly and be able to log in and use the tool.

What is the best way to prevent people from sharing accounts?

I was thinking about something like keeping track of ips but what if people use the tool at home and work.

What do you guys think?


Well, as you just said, you can't use the IP address since that would change. So, you can never really know if the person using an account is the same person or not. If you try to verify whether the person logging into an account is the same person or not, you are going to cause a lot of difficulty for your users and you. The least painful implementation would be to ensure you don't have the same login being used concurrently. But, since you never know if a user will log out vs. just closing the browser window, you would have to implement a time limit.

For example, when someone completes the login you would store their IP in a table. Then on each page load you would save a "last_activity" timestamp. Then when a user attempts to log in you would see if there was a last_activity for the user at a different IP address within the last 15 minutes (?) or whatever time period you want. You could then prevent the new user from logging in until the first session has expired, or you could allow the new user to log in and terminate the previous user's session. Basically there are any number of avenues you can take here.


On lynda.com you can only be signed in on one device at a time. So if you sign in on your desktop and then sign in on your laptop, it will invalidate the desktop.

It would be pretty easy to implement, just invalidate the session of the same ID when it logs in again. You could even use an AJAX script to log them out automatically.

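The two previous replies describe the same mechanism from two angles: record the IP and a last_activity timestamp per account, refuse a second login from a different IP while the first session is still fresh (or, alternatively, let the new login replace the old session so the first device is logged out, as in the lynda.com example). The following is an added example written for this thread, not code posted by anyone here; it assumes PDO with an in-memory SQLite table, and the table and column names (user_sessions, session_token, last_activity), the 15-minute window and the IP addresses in the demo are all made up for illustration.

```php
<?php
// Added example: one-active-session-per-account enforcement (not from the thread).
// Assumed schema: one row per user in user_sessions, so a new login always replaces
// the previous token. Uses an in-memory SQLite database so it runs stand-alone.
declare(strict_types=1);

const ACTIVITY_WINDOW = 15 * 60; // seconds a session is considered "active" after its last request (assumed)

function initDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_sessions (
        user_id       INTEGER PRIMARY KEY,
        session_token TEXT    NOT NULL,
        ip            TEXT    NOT NULL,
        last_activity INTEGER NOT NULL)');
    return $db;
}

// Called after the password check has succeeded. Returns the new session token, or null
// when another session from a different IP is still active and $terminatePrevious is false.
function login(PDO $db, int $userId, string $ip, int $now, bool $terminatePrevious): ?string {
    $stmt = $db->prepare('SELECT ip, last_activity FROM user_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $existing = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($existing !== false
        && $existing['ip'] !== $ip
        && ($now - (int) $existing['last_activity']) < ACTIVITY_WINDOW
        && !$terminatePrevious) {
        return null; // refuse: another device is still using this account
    }

    // No session, same IP, expired session, or we are deliberately replacing it.
    // INSERT OR REPLACE on the user_id primary key invalidates the previous token.
    $token = bin2hex(random_bytes(32)); // 256 bits of randomness, unguessable
    $db->prepare('INSERT OR REPLACE INTO user_sessions (user_id, session_token, ip, last_activity)
                  VALUES (?, ?, ?, ?)')
       ->execute([$userId, $token, $ip, $now]);
    return $token;
}

// Called on every page load (or from a periodic AJAX ping). Updates last_activity and
// returns false when the token is no longer the active one, i.e. a later login replaced
// it, so the caller can destroy the PHP session and redirect to the login page.
function recordActivity(PDO $db, int $userId, string $token, int $now): bool {
    $stmt = $db->prepare('UPDATE user_sessions SET last_activity = ?
                          WHERE user_id = ? AND session_token = ?');
    $stmt->execute([$now, $userId, $token]);
    return $stmt->rowCount() === 1;
}

// Demo with constructed values: user 42 logs in at home, then tries from work.
$db   = initDb();
$t0   = 1700000000;
$home = login($db, 42, '203.0.113.10', $t0, false);
echo 'home login: ', $home === null ? 'refused' : 'ok', PHP_EOL;
recordActivity($db, 42, $home, $t0 + 60);

// Different IP two minutes later: the home session is still within the window.
$work = login($db, 42, '198.51.100.7', $t0 + 120, false);
echo 'work login 2 min later: ', $work === null ? 'refused' : 'ok', PHP_EOL;

// Same attempt twenty minutes later: the home session has gone idle, so it is allowed.
$work = login($db, 42, '198.51.100.7', $t0 + 20 * 60, false);
echo 'work login 20 min later: ', $work === null ? 'refused' : 'ok', PHP_EOL;
echo 'home token still active: ', recordActivity($db, 42, $home, $t0 + 21 * 60) ? 'yes' : 'no', PHP_EOL;

// The lynda.com variant: always let the newest login win and kick the older device.
$laptop = login($db, 42, '203.0.113.10', $t0 + 22 * 60, true);
echo 'work token still active after laptop login: ',
     recordActivity($db, 42, $work, $t0 + 23 * 60) ? 'yes' : 'no', PHP_EOL;
```

With `$terminatePrevious` false you get the first reply's "wait until the first session expires" behaviour; with it true you get the second reply's "newest login wins" behaviour, and the older device finds out on its next request (or AJAX ping) because recordActivity() no longer matches its token. Keeping the token random and comparing it in the UPDATE's WHERE clause is what makes the check trustworthy; comparing only on user_id would let a stale tab keep extending someone else's window.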

2 weeks later...

You might try a different business model that solves your most worrisome problems without creating too many new ones.

For example: charge for resources used instead of a flat fee per user per month. This would solve the problem of account sharing, not by preventing it, but by making it pointless.

If that doesn't work for you, maybe some other innovation will. The important thing is to see whether thinking outside the box will help.
