Re: Multiple Login in a single PC should not be possible

On Sat, 2010-05-15 at 11:50 +0100, Lester Caine wrote:

> This was bounced back to the list because of the php crap of needing to use 
> 'reply all' - I SHOULD have used 'reply' in this case as jagdeep's email was to 
> ME, but I automatically 'reply all' and replace return address with the list 
> email to kill off all the extras!
> 
> Ashley Sheridan wrote:
> > On Sat, 2010-05-15 at 08:18 +0100, Lester Caine wrote:
> >> Jagdeep Singh wrote:
> >> >  How can I define "Machine"?
> >>
> >> That IS the problem. As with a lot of this stuff - nothing was ever actually
> >> DESIGNED to work :( So $_SERVER["REMOTE_ADDR"] will block multiple machines if
> >> they are sharing the one connection. I've been lucky so far in that
> >> 'REMOTE_ADDR' CAN be resolved to a machine in my own case.
> >>
> >> This, like 'tzoffset', is an area where the simplest basic functions actually need
> >> to be fixed. If you are working cross timezones have you considered the problem
> >> of knowing the right time where daylight saving is important? My users have to
> >> set their correct daylight saving zone in their profile. 'tzoffset' is no use.
> >>
> >> Both of these are areas that need fixing?
> >>
> >> ( As an aside ... some schools are now using 'virtual' desktops, so several
> >> pupils may WELL be working on the one 'virtual server' but each in their own
> >> sessions. This makes it impossible to identify the individual users as well )
> 
> > I explained off-list how you could do this. Create a hash of the
> > machine's IP and browser with the username of the logged in user:
> >
> > md5($ip . $browser . $username);
> >
> > And store that in the database when they log in. Now each time they
> > perform an action, create a hash from those same bits of information
> > again and check it against the one created when they logged in.
> 
> We have already identified that THIS will not work in this case. It is not 
> unreasonable to want to restrict the number of users on a single machine. So you 
> keep the machine use separate to the user login ... AS STATED the problem is 
> identifying a machine in the first place.
> 
> > You can't access their Mac address. Many people on the list have
> > explained that to you now. I'm not sure why an e-learning module needs
> > such strict requirements, as it's perfectly valid that a user might want
> > to use more than one browser at a time.
> 
> It is also not unreasonable that one may want to restrict access to something in 
> the way specified. If one is RUNNING on-line testing, then having the answers 
> open in another browser is something that it might be nice to block ;) Because 
> the simple matter of uniquely identifying a machine on the internet IS 
> impossible currently then we have to come up with some other way of blocking 
> things, but to be honest, on-line testing is a silly idea anyway since there are 
> many ways of cheating that even these locks would not prevent ;) In my own case, 
> restricting a machine to a single user is essential and I simply need to block 
> other users when the machine is 'in use'. $_SERVER["REMOTE_ADDR"] is internal to 
> the intranet so no problem.
> 
> Personally I think the demands from the 'privacy' camp are simply playing into 
> the hands of the criminals. EVERY machine should report its ID and this can 
> then be used to kill off the con men. Perhaps when IPv6 is in full use then 
> every computer can be uniquely identified? THEN $_SERVER["REMOTE_ADDR"] will 
> work properly .... we just have to ensure that 'cloning' of IDs is always 
> flagged in transit.
> 
> -- 
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk//
> Firebird - http://www.firebirdsql.org/index.php
> 


I see exactly the issue you have now, and there's no way round it. You
can't identify a single machine in the way you want.

Maybe you could restrict access to test answer materials to a user who
is logged in, and then lock them out when a test is in progress for
their username. That way, you don't have to identify a machine at all
(what's to stop someone from opening up a laptop next to their main
computer to circumvent your 'security' anyway?) and the only way they
can access both course materials and the test is with two sets of login
credentials.

Thanks,
Ash
http://www.ashleysheridan.co.uk
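
The per-username lock suggested in the reply above, sketched in PHP as an added example that is not part of the original message. The table name, function names, lock timeout and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example: lock course materials per USERNAME while a test is running,
// so no machine identification is needed. All names here are hypothetical.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// username is the primary key, so "at most one test in progress per user"
// is enforced by the database even when two requests race each other.
$db->exec('CREATE TABLE test_in_progress (
    username   TEXT PRIMARY KEY,
    test_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL)');

function startTest(PDO $db, string $user, int $testId, int $seconds, int $now): bool
{
    // Drop a stale lock left by an abandoned test so the user is not locked out forever.
    $db->prepare('DELETE FROM test_in_progress WHERE username = ? AND expires_at <= ?')
       ->execute([$user, $now]);
    try {
        $db->prepare('INSERT INTO test_in_progress (username, test_id, expires_at) VALUES (?, ?, ?)')
           ->execute([$user, $testId, $now + $seconds]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: a test is already running.
        if ((string) $e->getCode() !== '23000') {
            throw $e;
        }
        return false;
    }
}

function finishTest(PDO $db, string $user): void
{
    $db->prepare('DELETE FROM test_in_progress WHERE username = ?')->execute([$user]);
}

// Call this at the top of every page that serves course or answer materials.
function mayViewMaterials(PDO $db, string $user, int $now): bool
{
    $q = $db->prepare('SELECT 1 FROM test_in_progress WHERE username = ? AND expires_at > ?');
    $q->execute([$user, $now]);
    return $q->fetchColumn() === false; // no active lock row means access is allowed
}

// Constructed walk-through with a fixed clock instead of time().
$t = 1000;
var_dump(mayViewMaterials($db, 'pupil1', $t));        // before any test
var_dump(startTest($db, 'pupil1', 7, 3600, $t));      // test begins
var_dump(mayViewMaterials($db, 'pupil1', $t + 60));   // during the test, from any machine or browser
finishTest($db, 'pupil1');
var_dump(mayViewMaterials($db, 'pupil1', $t + 120));  // after the test
```

Because the check is keyed on the username and made server-side on every request, it holds across browsers, machines and shared IP addresses; as the reply notes, it does nothing against a second set of login credentials.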


