Topic: block two users sharing the same login id?

alanlai

block two users sharing the same login id?
« on: April 15, 2009, 10:47:10 pm »

How can I detect and block two users who use different IPs and log in with the same user name simultaneously?

Fabricio Ferrero

Re: block two users sharing the same login id?
« Reply #1 on: April 15, 2009, 11:26:16 pm »

The only way is to block the IP with a .htaccess file. (But that is not a bright idea, since the IP changes, with most connection services, every time the user gets a connection.)

If you want some of the users to be allowed to log in and the other not, just tell him/her to change his/her password and the other user will not be able to log in.
Joachim Müller

Re: block two users sharing the same login id?
« Reply #2 on: April 16, 2009, 08:28:11 am »

Why would you want to disallow a user to be logged on on two machines simultaneously? What's so bad about that? What's the abuse potential?

The reference to the .htaccess file being the only way to stop this is not correct imo: you could easily enable detailed logging and then add a code section that compares the IP addresses for any given user, but this has two disadvantages:
  • You'd be burning a lot of resources, probably with a notable performance impact
  • The code needed to do what you're up to hasn't been coded, so you'd have to come up with that custom code, which is not a trivial task

I can't see how you could possibly accomplish what you're up to using .htaccess methods, as neither the file system on OS level nor the Apache webserver are "aware" of the logged-in user: that logic is only known to the script.
As suggested, you need to figure out if this is really needed: maybe you could tell us first why you think that you need to block visitors by IP because they appear to be using the same user name. My guess is that this is where the initial problem lies: you might be making false assumptions. So describe in detail what happened and what you try to prevent from happening.
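
The per-user IP comparison described in the reply above, as an added example that is not part of the original posts and not Coppermine code. The log format, the function names and the 15-minute window are assumptions; the sample lines are constructed. It ignores a one-way IP change, which is what a dynamic-IP reconnect looks like, and flags only accounts that alternate between addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records ("date time user ip"); an assumed format,
# not Coppermine's own log layout.
SAMPLE_LOG = """\
2009-04-15 22:00:05 alice 203.0.113.10
2009-04-15 22:03:40 alice 198.51.100.7
2009-04-15 22:05:12 alice 203.0.113.10
2009-04-15 22:01:00 bob 192.0.2.44
2009-04-15 22:20:00 bob 192.0.2.91
2009-04-15 22:25:00 bob 192.0.2.91
2009-04-15 22:02:00 carol 192.0.2.5
"""

def parse(log_text):
    """Yield (timestamp, user, ip) from well-formed lines, skipping the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, clock, user, ip = parts
        yield datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), user, ip

def find_shared_logins(log_text, window=timedelta(minutes=15)):
    """Return {user: [ips]} for accounts whose requests alternate between IPs.

    A one-way change (A, A, B, B) is what a reconnect on a dynamic-IP line
    looks like, so it is ignored. Switching back to an address seen within
    `window` (A, B, A) suggests two clients were active at the same time.
    """
    by_user = defaultdict(list)
    for ts, user, ip in sorted(parse(log_text)):
        by_user[user].append((ts, ip))
    flagged = defaultdict(set)
    for user, events in by_user.items():
        last_seen = {}  # ip -> time of its most recent request
        prev_ip = None
        for ts, ip in events:
            recent = ip in last_seen and ts - last_seen[ip] <= window
            if prev_ip is not None and ip != prev_ip and recent:
                flagged[user].update((prev_ip, ip))
            last_seen[ip] = ts
            prev_ip = ip
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in find_shared_logins(SAMPLE_LOG).items():
        print(f"{user}: concurrent use from {', '.join(ips)}")
```

This only detects; blocking would still need custom code inside the application, since only the script knows which user is logged in.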