You are not logged in.

#1 2006-04-15 17:57:39

Komodo
Member
From: Oxford, UK
Registered: 2005-11-03
Posts: 674

Preventing account sharing, but NOT by checking IP

Is there any decent way to prevent people from sharing accounts without doing it by IP?  I don't really want to restrict people from dl'ing from a site I'm working on just because they're logged in on a different pc, but I can't see any other way of doing it.


.oO Komodo Dave Oo.

Offline

#2 2006-04-15 19:23:04

paranoos
Member
From: thornhill.on.ca
Registered: 2004-07-22
Posts: 442

Re: Preventing account sharing, but NOT by checking IP

that's a toughie. how about if a user is active at two IPs at the same time, then you know it's being shared. perhaps you can then ban the account.

Offline

#3 2006-04-15 19:24:50

Komodo
Member
From: Oxford, UK
Registered: 2005-11-03
Posts: 674

Re: Preventing account sharing, but NOT by checking IP

Yeah, that's true paranoos, but it's a bit too lax for what I'm after, sadly sad


.oO Komodo Dave Oo.

Offline

#4 2006-04-15 21:06:57

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Preventing account sharing, but NOT by checking IP

If it is login based, you can issue the user an ephemeral token when they login, and tie *that* to a specific IP address. It expires after a time period or logout..whichever is first.
When the user logs in next, a new token is generated and issued.

Nothing would ever prevent someone from giving their friend their account (hell, if you give your friend your bank card and a pin number..they can use your bank account too. lol). They just wouldn't both be able to use it at the same time.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#5 2006-04-15 23:12:22

Komodo
Member
From: Oxford, UK
Registered: 2005-11-03
Posts: 674

Re: Preventing account sharing, but NOT by checking IP

cactus wrote:

If it is login based, you can issue the user an ephemeral token when they login, and tie *that* to a specific IP address. It expires after a time period or logout..whichever is first.
When the user logs in next, a new token is generated and issued.

Nothing would ever prevent someone from giving their friend their account (hell, if you give your friend your bank card and a pin number..they can use your bank account too. lol). They just wouldn't both be able to use it at the same time.

I've got the 'ephemeral token' (:P) that you speak of, all nicely rigged up in my code smile  I guess I'll just have to cope with either limiting people to a single IP or applying the 'no two people at the same time' rule that you two speak of.


.oO Komodo Dave Oo.

Offline

Board footer

Powered by FluxBB