I agree with Mikey on the "live and let live" side of things. This forum is about sharing technical knowlege and helping other users overcome technical challenges relating to PHP. Yeah, a site that's "adult oriented" is most likely a pay site. Doesn't mean they make money, but assuming they made boat loads of it, then yeah, they should look into paying for a solution instead of finding or conning someone into making a freebie solution. Ultimately, if they're making the kind of money that would make us have no sympathy for them, then they're making the kind of money that $350 isn't going to matter one way or another. It's not like "Muuahahahah.. we saved $350 by using free software, we're even richer now!" it's more like "Well, that's 50% off this month's hosting fees.. big deal". But all of that deals with moral and personal issues. The meat of this discussion is "How do I make sure that someone isn't sharing their login with the world". Here are some thoughts: Many BitTorrent sites that monitor U/D ratios seem to use a fairly universal system that seems to involve logging into the site, your IP address is recorded in the database as belong to that account. If you log in from a different computer (which users should be able to do to some degree), it'll record THAT IP address in the database too. I don't know their criteria (probably fairly loose compared to what a pay site would want) but the issue here is more about how many CONCURRENT connections under that account are occurring. So let's say the criteria would be "A user logs in and their IP address is recorded. They can have as many IP addresses attached to that account as they want BUT they can't have XX number of IP addresses connect within YY minutes or we consider it a pattern of login sharing." So if you have someone who gets an account and shares it with a single friend, it probably won't trip the alarms. But really, is that such a big deal compared to someone posting their login info on a message board and 1000 people trying to use it at once? A single person, or a person and a friend or two, aren't going to be logging in from 150 IP addresses within 5 minutes. And that's really what you're trying to prevent. The wholesale sharing of a login, not little petty sharing. So it doesn't have to be a perfect system. No need for retinal scans or anything. Just preventing large scale abuse. Which seems pretty simple to me espcially in the case of "adult oriented" sites since their logins will either be used properly (or at least reasonably) or they'll be abused to hell. Now if you take a site like Consumer Reports or the Encyclopedia Britanica, that's a little more difficult. 1000 people aren't going to be logging in rapid-fire if it's shared. But you might get 5 or 6 a time if it's shared improperly. So you just set the threshhold a little lower. Maybe do something like block the person and make it say something like "This account is being used by too many sources at once. If this happens too many times, the password will be reset and the new password will be emailed to the legitmate owner of the account. If you received this message in error, please try back in 5 minutes. If you continue to receive this message, please contact our technical support team at XXXX@xxxxxxxxxx" That'll discourage people from sharing since they'll get locked out of their own account. It provides incentive not to share without being too harsh about it and provides the legitmate owner a way to get in even if someone else stole and/or is abusing their account. People who are abusing or using a stolen account probably won't have access to the original account holder's email account and if the owner is sharing with some friends, they can still share but have incentive not to share TOO much. See? None of this is impossible or even implausible and I don't see it as off topic at all. It's a good discussion with legitmate purpose, even if it is for an 'adult oriented' site. -TG = = = Original message = = = [snip everything irrelevant] On a tehnical note, I don't really see how you can prevent this sharing of logins. This is something I was actually looking into for a site that had nothing to do with pr0n (would love to know where that came from, it seems so universal now). If you read up on the general issues surrounding client identification (http://phpsec.org) it is pretty much impossible to come up with a solution of uniquely identifying a specific browser session that will work in all instances. And really, this is what you are trying to get at isn't it? Uniquely identifying your clients. The only non-technical solution I can offer you is that you change the passwords for each person as they login. This would make people much more reluctant to shre their account as they would not be able to access their own account as soon as someone else logs in with it. Of course, people aren't gonna like have to remember all the different passwords but I think it helps with your problem. As for the rest of this whole thread, I think we should all be a little more "live and let live" about this. So you don't like pr0n? So what? I know a lot of people who do (not so much myself, am more of a doer) but I don't think it makes them bad people. I also happen to know that not all pr0n is about exploitation. Some is, of course, and I'm sure that even Dan would agree that this is not good - if anyone had bothered to find out in the first place. I'm not trying to invite more flaming here - there have been some very valid points made, I just hope this thread can die a quick and silent death not that the technical issue has been addressed. Mikey -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php ___________________________________________________________ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php