Expanding on the allow only one session per user suggestion. Don't warn subsequent users that they cannot log in because the username and password are currently on the system. Log out any earlier users. This has the benefit that if somebody got kicked out due to crashing browsers or whatnot, they can log in without having to wait for some session values to time out. It also gets clear pretty quickly that if a bunch of people are trying to use the system with the same UN and PW, they aren't going to last long before they are kicked off by the next person doing this. Of course you will have a simple way for a user to change this if their UN and PW have been leaked and they start to suffer this problem. Finally, you can log this kind of activity for later review and action if necessary.
Now, how you actually do any and all of this, I will leave up to my more experienced colleagues. I've never actually had to do this, so these are just thoughts I've had for a someday case.

Ian Skinner

Ewok wrote:

>First, yes you can allow only one session per user account. Just check the
>current active sessions for the username that is attempting to log in. As
>for keeping users from sharing that information, I can think of one way off
>the top of my head.
>
>Make the users billing information viewable only to them when they log in
>under sort of a "profile" section. Billing address, phone numbers maybe even
>their cc if the server is secure enough (don't yell at me).
>
>If you were using a "recurring billing" method for monthly membership fees,
>it would be justifiable to have this info and a section where the user can
>update their billing it.
>
>That's not the kind of information users give out very often. I'm just
>rambling off my first thoughts on it. The chances of a better idea are very
>good from this list though.
>
>cheers
>
>-----Original Message-----
>From: muzl hed [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, January 11, 2005 3:50 PM
>To: CF-Talk
>Subject: Preventing password sharing on a membership site
>
>I have a client with a paid membership site who recently saw a member post
>their login information on a public news group.
>
>Anybody have a suggestion as to how to stop people from sharing passwords?
>Is there a practical way to prevent multiple people from logging in with the
>same username/password simultaneously? Any best practices advice would
>certainly be appreciated.
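The "newest login wins" scheme described in the reply above, as an added sketch that is not part of the original thread and is written in Python rather than ColdFusion. The class and method names, the in-memory storage, and the one-hour window with a threshold of three evictions are all assumptions made for illustration.

```python
import secrets
from collections import defaultdict, deque


class SingleSessionRegistry:
    """In-memory sketch; a real site would keep this in a shared store."""

    def __init__(self, window=3600, threshold=3):
        self.active = {}                      # username -> current session token
        self.owner = {}                       # token -> username
        self.evictions = defaultdict(deque)   # username -> eviction timestamps
        self.audit = []                       # (time, username, event, ip)
        self.window, self.threshold = window, threshold

    def _drop(self, user):
        """Remove the user's current session, returning its token or None."""
        old = self.active.pop(user, None)
        if old is not None:
            del self.owner[old]
        return old

    def login(self, user, ip, now):
        """Call only after the password check succeeds. Newest login wins."""
        if self._drop(user) is not None:
            self.evictions[user].append(now)
            self.audit.append((now, user, "evicted_previous_session", ip))
        token = secrets.token_urlsafe(32)
        self.active[user], self.owner[token] = token, user
        self.audit.append((now, user, "login", ip))
        return token

    def is_valid(self, token):
        """Check on every request; an evicted token no longer maps to a user."""
        return token in self.owner

    def password_changed(self, user, now):
        """The user's way out after a leak: end the session, reset history."""
        self._drop(user)
        self.evictions[user].clear()
        self.audit.append((now, user, "password_changed", None))

    def needs_review(self, user, now):
        """True when evictions inside the window reach the threshold."""
        recent = self.evictions[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        return len(recent) >= self.threshold
```

A single eviction is what a crashed browser followed by a fresh login looks like, so only repeated evictions inside the window mark an account for review.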

