Re: Limiting logins

Hey Ash & all,

Thanks for that detailed explanation.

This is a lot of what I was thinking. Cookies can get deleted, etc, and all the other things that can toss wrenches into this.

To clarify, they want to limit a single user to two machines max, but only one at a time.

I'm going to have to explain to them the problems with this and see what else they can work out.

The manual unlock Ash suggests is interesting, and I'll run that by them, but I'm thinking they might opt to forgo the limit for now to avoid risking pissing off new customers with something that might be more of a hassle for them than it's worth.

Thanks much for your input. This is a lot of good stuff to help me articulate a response to the client.

Skip

Ashley Sheridan wrote:
On Sun, 2010-06-06 at 20:31 -0500, Skip Evans wrote:

Hey all,

I'm familiar with setting cookies in PHP and using REMOTE_ADDR
to get a visitor's IP address (or that of their gateway), but
not quite sure how to implement a robust mechanism that would
limit a user to logging in from only two different machines, a
requirement this client has on the project.

I'd greatly appreciate hearing from people who have done this
or something similar, or suggestions people might have that
would give that oh so familiar, "D'oh!" moment.

I have some ideas sketched out, setting cookies, etc, but not
sure how robust they'd be.

Big Thanks!
Skip

--
====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
  -- Kurt Vonnegut



Is this two machines at the same time, or two machines ever?

I don't think there's any way you can guarantee either, unless you
supply them with some form of closed binary that they are forced to use
either instead of or with the browser, i.e. a Java applet, etc.

A similar question to this came up on the list not so long ago, and
there was no real conclusion at the end other than it can't really be
done. Cookies can be deleted, IP addresses change all the time (either
deliberately, by some proxy or even by the ISP itself issuing a dynamic
IP address), even the MAC address (if you found a way to get at it) can
change.

About the only thing I've seen that might help was a device made for the
Bloomberg stock market system, which was a small credit-card sized
object which would read in a random pattern of flashes from the screen
and produce a unique ID number which was then keyed back into the
system. By relying on a physical dongle you can pretty much guarantee
that a user is only on one system, but the project obviously becomes
much more costly and complicated.

If you do go the cookie route, maybe gather a bunch of information to
store on the server against that cookie and the user. If the cookie is
not detected the next time the user goes to log in, maybe force them to
send an email requiring a manual unlock, and make them give a reason for
either why the cookie was removed, or why the computer information has
changed beyond the two computer profiles you've got stored for them.
It's not foolproof, but might show your client why this isn't something
that can be easily done, and is not something that should be decided on
lightly, as there are many valid and genuine reasons why somebody might
want to use more than two computers (i.e. they had a fire and lost those
computers, they rebuilt a computer with a new OS, they upgraded the
computer, a computer was stolen and needed to be replaced, they are away
from their computer and had to use a public access one, etc. The list
can go on and on.)

Thanks,
Ash
http://www.ashleysheridan.co.uk





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
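The approach Ash sketches (a random cookie per machine, a server-side profile stored against the user, and a manual unlock when a third machine or a missing cookie shows up) combined with Skip's clarification of "two machines max, only one at a time" can be written down as a small login policy. The code below is an added example for this thread, not code from either poster: the table layout, the cookie name `device_token`, the function names and the SQLite in-memory store are all my assumptions, chosen so the file runs from the CLI. Only a hash of the device token is kept server-side, so a copied database does not hand out working cookies, and the one-active-session rule is enforced by letting each new login replace the user's single session row.

```php
<?php
// Added example (not from the thread). Policy: at most MAX_DEVICES registered
// machines per user, only one of them logged in at a time, and a third machine
// (or a lost cookie) queues a manual unlock instead of silently registering.
// The browser cookie is simulated by passing the token value into login().

const MAX_DEVICES  = 2;              // limit stated by Skip's client
const DEVICE_COOKIE = 'device_token'; // assumed cookie name

function initDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE devices (user TEXT, token_hash TEXT, ua TEXT, registered_at INTEGER)');
    $db->exec('CREATE TABLE sessions (user TEXT PRIMARY KEY, session_id TEXT, token_hash TEXT)');
    $db->exec('CREATE TABLE unlock_requests (user TEXT, ua TEXT, reason TEXT, requested_at INTEGER)');
    return $db;
}

// Store only a hash of the cookie value, never the value itself.
function tokenHash(string $token): string {
    return hash('sha256', $token);
}

// $token is the device cookie as presented by the browser (null if absent).
// Returns status 'ok' (known machine), 'registered' (new profile added) or
// 'locked' (limit reached; an unlock request has been recorded).
function login(PDO $db, string $user, ?string $token, string $userAgent): array {
    $known = false;
    $hash  = null;
    if ($token !== null) {
        $hash = tokenHash($token);
        $st = $db->prepare('SELECT COUNT(*) FROM devices WHERE user = ? AND token_hash = ?');
        $st->execute([$user, $hash]);
        $known = (int)$st->fetchColumn() === 1;
    }

    if (!$known) {
        $st = $db->prepare('SELECT COUNT(*) FROM devices WHERE user = ?');
        $st->execute([$user]);
        if ((int)$st->fetchColumn() >= MAX_DEVICES) {
            // Third machine, or a deleted cookie: do not add a profile, ask a human.
            $db->prepare('INSERT INTO unlock_requests VALUES (?, ?, ?, ?)')
               ->execute([$user, $userAgent, 'pending manual review', time()]);
            return ['status' => 'locked', 'token' => null, 'session' => null];
        }
        // Room for another profile: mint a fresh random token and register it.
        $token = bin2hex(random_bytes(32));
        $hash  = tokenHash($token);
        $db->prepare('INSERT INTO devices VALUES (?, ?, ?, ?)')
           ->execute([$user, $hash, $userAgent, time()]);
    }

    // "Only one at a time": replacing the single row per user evicts any
    // session that is still open on the other machine.
    $sessionId = bin2hex(random_bytes(16));
    $db->prepare('INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)')
       ->execute([$user, $sessionId, $hash]);

    // In a real request handler the cookie would be sent here, e.g.
    // setcookie(DEVICE_COOKIE, $token, ['expires' => time() + 365 * 86400,
    //           'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return ['status' => $known ? 'ok' : 'registered', 'token' => $token, 'session' => $sessionId];
}

// Checked on every request: is this still the user's one active session?
function sessionValid(PDO $db, string $user, string $sessionId): bool {
    $st = $db->prepare('SELECT session_id FROM sessions WHERE user = ?');
    $st->execute([$user]);
    return $st->fetchColumn() === $sessionId;
}

// Support-staff action after reading the unlock request: retire the oldest
// profile so the customer can register the replacement machine.
function manualUnlock(PDO $db, string $user): void {
    $db->prepare('DELETE FROM devices WHERE rowid = (SELECT rowid FROM devices
                  WHERE user = ? ORDER BY registered_at, rowid LIMIT 1)')
       ->execute([$user]);
    $db->prepare('DELETE FROM unlock_requests WHERE user = ?')->execute([$user]);
}

// Walk-through with constructed data (user agents are made up).
$db = initDb();
$home   = login($db, 'skip', null, 'Firefox/3.6 (home)');
$office = login($db, 'skip', null, 'IE8 (office)');
printf("home session still valid after office login: %s\n",
       sessionValid($db, 'skip', $home['session']) ? 'yes' : 'no');
$third  = login($db, 'skip', null, 'Safari (library)');
printf("third machine: %s\n", $third['status']);
manualUnlock($db, 'skip');
$again  = login($db, 'skip', null, 'Safari (library)');
printf("after unlock: %s\n", $again['status']);
$back   = login($db, 'skip', $again['token'], 'Safari (library)');
printf("returning with cookie: %s\n", $back['status']);
```

Run it with `php` from the command line (the `pdo_sqlite` extension is assumed). The walk-through registers two machines, shows the home session being evicted when the office machine logs in, has the third machine refused and queued for review, and after `manualUnlock()` lets the library machine register and then return with its cookie. Ash's list of legitimate reasons for a third machine (fire, rebuild, theft, public terminal) is exactly what the `unlock_requests` table exists to capture; the cost of the policy is the support workload it generates, which is the point Skip intends to put to the client.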


