This is a discussion on Need secure login within the PHP General forums, part of the PHP Programming Forums category; Hi, I have a client. He does not want member login by just giving password and login id. He says ...
Hi,

I have a client. He does not want member login by just giving password and login id. He says anybody can give this info to his friend and his friend can access the site.

One way is to make use of a cookie on his computer. So only from one computer he can access the site. But the thing is that the user needs to accept it, and I believe I need to provide some method too in case they delete the cookie.

Is there any other solution for this? Is there any third party software for this?

Regards
Manisha
This first rule is never trust the client-side.
The second rule is never trust the client-side.

This means that relying on...
a) the user accepting the cookie
b) the user always using the same computer
c) the user not deleting the cookie
... is a BAD idea.

Frankly, if you force me to use a single computer to access your site, I'll just leave and never return. I have 3 desktops and a laptop, all of which I use at different times. Telling me I can only use one of them to access your site is like telling me I have to be wearing green socks whilst visiting your site. It should be about MY preference, not yours.

Likewise, you can't tie a member to a mac address, or to an IP address.

I don't really have a solution to your problem, and anything you DO implement will be a pain in the arse to users (otherwise Amazon et al would have already implemented it), but here's some thought starters -- all of which are deterrents NOT solutions.

1. Make sure that a user can't login from two different places at once; if the user does, generate an email report of the problem, so that you can keep an eye on users who might be abusing the system.

2. Randomly ask the user an additional question on login (DOB, pet's name, shoe size, postcode, etc) and compare it to Q's asked earlier.

3. Tell them repeatedly that sharing a userid/pass is against your acceptable terms, and that any members caught doing so will have their account closed without refund -- usually the idea of getting caught is a good enough deterrent.

4. Perhaps implement a rolling password system -- if this thing needs to be bullet proof. Each time they login, or once a month, or at random intervals, you could reset their password. Again, this isn't a solution, but it's a deterrent, because the user would have to keep their friends "updated".

Most of the above is guaranteed to frustrate users though. Is your site worth enough to your users to frustrate them? Is the content you're protecting really that important? I doubt it :)

Justin

On Friday, October 10, 2003, at 11:44 AM, Manisha Sathe wrote:

> Hi,
>
> I have a client. He does not want member login by just giving password and login id. He says anybody can give this info to his friend and his friend can access the site.
>
> One way is to make use of a cookie on his computer. So only from one computer he can access the site. But the thing is that the user needs to accept it, and I believe I need to provide some method too in case they delete the cookie.
>
> Is there any other solution for this? Is there any third party software for this?
>
> Regards
> Manisha
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
> ---
> [This E-mail scanned for viruses]
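Justin's first deterrent (one active login per account, with a report when a second login displaces it) as an added PHP example; this is not code from anyone in the thread. It assumes a MySQL `users` table with `active_session_token`, `active_session_ip` and `active_session_at` columns, a PDO connection, and `session_start()` already called; a session idle for longer than `SESSION_IDLE_SECONDS` is treated as abandoned rather than concurrent.

```php
<?php
// Added example: one server-side session token per user. A login stores a fresh
// token; any request whose session carries a different token has been displaced.
// If the previous session was still in use when the new login arrived, the account
// was in use from two places and an entry goes to an abuse log for the admin.

const SESSION_IDLE_SECONDS = 1800;  // assumed idle timeout: older sessions count as abandoned

function begin_single_session(PDO $db, int $userId, string $ip): void
{
    $stmt = $db->prepare('SELECT active_session_ip, UNIX_TIMESTAMP(active_session_at) AS seen FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // An earlier session that was active recently means the account is logged in from two places.
    if ($row && $row['seen'] !== null && time() - (int) $row['seen'] < SESSION_IDLE_SECONDS) {
        report_concurrent_login($userId, (string) $row['active_session_ip'], $ip);
    }
    // Fresh random token stored server-side; whatever token the earlier session held is now invalid.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET active_session_token = ?, active_session_ip = ?, active_session_at = NOW() WHERE id = ?')
       ->execute([$token, $ip, $userId]);
    session_regenerate_id(true);   // new session id at login, against session fixation
    $_SESSION['user_id'] = $userId;
    $_SESSION['session_token'] = $token;
}

// Call on every authenticated request. Returns false once another login has displaced this one.
function session_still_active(PDO $db): bool
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['session_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT active_session_token FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $current = $stmt->fetchColumn();
    if (!is_string($current) || !hash_equals($current, $_SESSION['session_token'])) {
        session_destroy();          // displaced: drop the stale login rather than let both run
        return false;
    }
    $db->prepare('UPDATE users SET active_session_at = NOW() WHERE id = ?')->execute([$_SESSION['user_id']]);
    return true;
}

function report_concurrent_login(int $userId, string $oldIp, string $newIp): void
{
    // Constructed: an append-only log the admin reviews; mail() to the admin would work the same way.
    $line = sprintf("%s user=%d session from %s displaced by login from %s\n", date('c'), $userId, $oldIp, $newIp);
    file_put_contents(__DIR__ . '/concurrent-logins.log', $line, FILE_APPEND | LOCK_EX);
}
```

The IP addresses in the log are only there to help a human judge the report; as Justin notes, they are not something to tie the account to.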
Thanks Justin, actually I was also thinking of the same, but just wanted to confirm that it is really not a good idea.

Was also wondering if there is any third party solution?

Regards
Manisha

"Justin French" <justin@indent.com.au> wrote in message news:BBA254B2-FAC5-11D7-AB96-000A9579CE3A@indent.com.au...

> This first rule is never trust the client-side.
> The second rule is never trust the client-side.
>
> This means that relying on...
> a) the user accepting the cookie
> b) the user always using the same computer
> c) the user not deleting the cookie
> ... is a BAD idea.
>
> Frankly, if you force me to use a single computer to access your site, I'll just leave and never return. I have 3 desktops and a laptop, all of which I use at different times. Telling me I can only use one of them to access your site is like telling me I have to be wearing green socks whilst visiting your site. It should be about MY preference, not yours.
>
> Likewise, you can't tie a member to a mac address, or to an IP address.
>
> I don't really have a solution to your problem, and anything you DO implement will be a pain in the arse to users (otherwise Amazon et al would have already implemented it), but here's some thought starters -- all of which are deterrents NOT solutions.
>
> 1. Make sure that a user can't login from two different places at once; if the user does, generate an email report of the problem, so that you can keep an eye on users who might be abusing the system.
>
> 2. Randomly ask the user an additional question on login (DOB, pet's name, shoe size, postcode, etc) and compare it to Q's asked earlier.
>
> 3. Tell them repeatedly that sharing a userid/pass is against your acceptable terms, and that any members caught doing so will have their account closed without refund -- usually the idea of getting caught is a good enough deterrent.
>
> 4. Perhaps implement a rolling password system -- if this thing needs to be bullet proof. Each time they login, or once a month, or at random intervals, you could reset their password. Again, this isn't a solution, but it's a deterrent, because the user would have to keep their friends "updated".
>
> Most of the above is guaranteed to frustrate users though. Is your site worth enough to your users to frustrate them? Is the content you're protecting really that important? I doubt it :)
>
> Justin
>
> On Friday, October 10, 2003, at 11:44 AM, Manisha Sathe wrote:
>
> > Hi,
> >
> > I have a client. He does not want member login by just giving password and login id. He says anybody can give this info to his friend and his friend can access the site.
> >
> > One way is to make use of a cookie on his computer. So only from one computer he can access the site. But the thing is that the user needs to accept it, and I believe I need to provide some method too in case they delete the cookie.
> >
> > Is there any other solution for this? Is there any third party software for this?
> >
> > Regards
> > Manisha
> Thanks Justin, actually I was also thinking of the same, but just wanted to confirm that it is really not a good idea.
>
> Was also wondering if there is any third party solution?

A third-party solution to a bad idea?

---------------------------------------------------------------------
michal migurski- contact info and pgp key: sf/ca http://mike.teczno.com/contact.html
On Friday, October 10, 2003, at 12:38 PM, Manisha Sathe wrote:

> Thanks Justin, actually I was also thinking of the same, but just wanted to confirm that it is really not a good idea.
>
> Was also wondering if there is any third party solution?

A third party solution to what??? I've described the problem, offered some questionable solutions, and advised against it all. I don't see how a third party solution (I'm guessing you mean a service provided by another site, or a plug-in) would fix this. The limitations are both technical (http & browser limitations) and emotional (what limitations a user will find acceptable).

To drill it in again, look at all the leading sites in whatever market you're talking about (if you're talking e-commerce, look at amazon et al, if you're talking 'adult', look at the market leaders, etc etc) and see how they do it. Why? Because they've got the resources, time and expert staff to look at these problems in great detail, test them to death, do a lot of market and user testing, etc etc.

If <big site name here> can't solve the problem with their millions of $'s to an acceptable level (both in terms of technology, user experience and standards), then it probably can't be done.

Justin