Dan Trainor wrote:
> I'm pretty aware of how it all works. However, the problem lies in the
> fact that because most of the pre-installed billing software relies
> solely on .htaccess/.htpasswd-based authentication, it's not possible to
> just change the whole login system. For the most part, they're still
> using primitive means of authentication which are broken to begin with.

I believe that you could, perhaps, consider using PHP after the existing .htaccess/.htpasswd authentication to provide a secondary test, without disturbing the billing software setup.

The steps involved are:

  HTTP Request
    -> .htaccess/.htpasswd Challenge/Response, drives billing software
    -> PHP $_SERVER['HTTP_AUTH_USER']/$_SERVER['HTTP_AUTH_PW'], drives abuse check

No need for anything as fancy as an extension.

If somebody is abusing/sharing a password, they still should get billed up to the point of account termination, right? Whatever you would do in this extension would have to still interface to the .htaccess/.htpasswd system to alter billable status -- which you can probably do far easier in PHP anyway. PHP could generate a list of accounts that are suffering suspicious activity, which could be provided to the billing software in whatever manner they desire, really.

You also have the advantage that it's a LOT easier to [find somebody to] write, test, and debug a PHP script than an extension. You'll also be able to more easily run tests in parallel with a "live" site but without any real action really being taken until it's all proven and reviewed and tested thoroughly. That's gonna be a lot tougher with an extension whose C code is burned into the Apache binary, or even as a loadable Module of compiled C code.

You can track a variety of factors such as IP, some unchanging browser headers, login time, page surfing, http_referrer, etc. and watch for patterns from abusive accounts.

You can't rely on IP address directly, but if the same account is given three different IP addresses in IP-space *known* to be owned by three different ISPs, then you've got a pretty sure bet it's an abuse. You'll need a ton of reverse DNS or dns-by-country lookups and caching, but it's do-able.

Analyze the hell out of a few months' worth of old data, and/or start logging live data and look for the patterns. Come up with a formula for an "abuse factor scorecard" and then implement a log with PHP of what you *WOULD* do with this account, and see if you like the results. Change the formula, log some more, watch for a while.

The bottom line, though, is that you *HAVE* to "interfere with the pre-existing authentication system" at *SOME* point in order to kick users off -- or else always have a human review of the evidence before action.

Either way, PHP is probably a cheaper/better solution than a dedicated module, at least unless you find out that the formula for calculating a user's score takes *sooo* long and is so complicated that PHP can't do it fast enough -- even then, I'd bet the time-sink is in things like DNS data (cache it) and in logging, not the actual calculation.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
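The "abuse factor scorecard" dry run described in the reply above, as an added example that is not part of the original thread: it scores each account on distinct ISPs, distinct browsers and overlapping sessions from different IPs, then only logs what it would do. The login log and the IP-prefix-to-ISP table are constructed stand-ins for the real request log and the cached reverse-DNS/GeoIP lookups; the weights are a starting formula to tune, not a standard.

```php
<?php
// Added example (not from the original thread). Constructed sample data: one row per
// authenticated request, as a PHP script behind Basic auth could record from the
// authenticated user name and REMOTE_ADDR. Nothing here touches .htaccess/.htpasswd.
$log = [
    ['user' => 'alice', 'ip' => '203.0.113.10', 'ts' => 1000, 'ua' => 'Mozilla/5.0 (X11; Linux)'],
    ['user' => 'alice', 'ip' => '203.0.113.77', 'ts' => 1600, 'ua' => 'Mozilla/5.0 (X11; Linux)'],
    ['user' => 'bob',   'ip' => '203.0.113.20', 'ts' => 1100, 'ua' => 'Mozilla/5.0 (X11; Linux)'],
    ['user' => 'bob',   'ip' => '198.51.100.5', 'ts' => 1130, 'ua' => 'Mozilla/5.0 (Windows NT)'],
    ['user' => 'bob',   'ip' => '192.0.2.9',    'ts' => 1160, 'ua' => 'Mozilla/5.0 (Macintosh)'],
];
// Constructed stand-in for the cached "which ISP owns this IP space" lookup table.
$ispByPrefix = ['203.0.113' => 'isp-a', '198.51.100' => 'isp-b', '192.0.2' => 'isp-c'];

function ispFor(string $ip, array $ispByPrefix): string {
    $prefix = implode('.', array_slice(explode('.', $ip), 0, 3)); // first three octets
    return $ispByPrefix[$prefix] ?? 'unknown';
}

// Score each account; $window is how close (seconds) two hits from different IPs
// must be to count as a concurrent session.
function scoreAccounts(array $log, array $ispByPrefix, int $window = 300): array {
    $byUser = [];
    foreach ($log as $row) {
        $byUser[$row['user']][] = $row;
    }
    $scores = [];
    foreach ($byUser as $user => $rows) {
        $isps = array_unique(array_map(fn($r) => ispFor($r['ip'], $ispByPrefix), $rows));
        $uas  = array_unique(array_column($rows, 'ua'));
        $overlaps = 0;
        $n = count($rows);
        for ($i = 0; $i < $n; $i++) {
            for ($j = $i + 1; $j < $n; $j++) {
                if ($rows[$i]['ip'] !== $rows[$j]['ip']
                    && abs($rows[$i]['ts'] - $rows[$j]['ts']) <= $window) {
                    $overlaps++;
                }
            }
        }
        // Weights are assumptions to be tuned against a few months of real logs.
        $scores[$user] = 3 * (count($isps) - 1) + 2 * (count($uas) - 1) + $overlaps;
    }
    return $scores;
}

// Dry run: record what WOULD happen; no account is actually touched or terminated.
foreach (scoreAccounts($log, $ispByPrefix) as $user => $score) {
    $action = $score >= 5 ? 'WOULD flag for human review' : 'no action';
    error_log(sprintf('abuse-score user=%s score=%d %s', $user, $score, $action));
}
```

With the constructed data, alice scores 0 (same ISP, same browser, hits ten minutes apart) and bob scores 13 (three ISPs, three browsers, three overlapping hits), so only bob is written to the log as a would-be flag.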