The first rule is never trust the client-side. The second rule is never trust the client-side.
This means that relying on... a) the user accepting the cookie b) the user always using the same computer c) the user not deleting the cookie ... is a BAD idea.
Frankly, if you force me to use a single computer to access your site, I'll just leave and never return. I have 3 desktops and a laptop, all of which I use at different times. Telling me I can only use one of them to access your site is like telling me I have to be wearing green socks whilst visiting your site. It should be about MY preference, not yours.
Likewise, you can't tie a member to a mac address, or to an IP address.
I don't really have a solution to your problem, and anything you DO implement will be a pain in the arse to users (otherwise Amazon et al would have already implemented it), but here's some thought starters -- all of which are deterrents NOT solutions.
1. Make sure that a user can't login from two different places at once, if the user does, generate an email report of the problem, so that you can keep an eye on users who might be abusing the system.
2. Randomly ask the user an additional question on login (DOB, pet's name, shoe size, postcode, etc) and compare it to Q's asked earlier.
3. Tell them repeatedly that sharing a userid/pass is against your acceptable terms, and that any members caught doing so will have their account closed without refund -- usually the idea of getting caught is a good enough deterrent.
4. Perhaps implement a rolling password system -- if this thing needs to be bullet proof. Each time they login, or once a month, or at random intervals, you could reset their password. Again, this isn't a solution, but it's a deterrent, because the user would have to keep their friends "updated".
Most of the above is guaranteed to frustrate users though. Is your site worth enough to your users to frustrate them? Is the content you're protecting really that important? I doubt it :)
Justin
On Friday, October 10, 2003, at 11:44 AM, Manisha Sathe wrote:
Hi,
I have a client. He does not want member login by just giving password and
login id. He says anybody can give this info to his friend and his friend
can access the site.
One way is to make use of cookie on his computer. So only from one computer
he can access the site. But the thing is that user needs to accept it, and I
believe I need to provide some method too in case they delete the cookie.
Is there any other solution for this ? Is there any third party software
for this ?
Regards Manisha
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
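
An added sketch of thought starter 1 above (it is not code from the original email or from the list): keep one server-side session record per account, let a new login displace the old one, and produce a report line when the displaced session was still in use. The table and column names, the 30-minute idle limit and the function names are assumptions made for this example.

```php
<?php
// Added example. Table/column names and the 30-minute idle limit are assumptions.
function registerLogin(PDO $db, int $userId, string $ip, int $idleLimit = 1800): array
{
    $now = time();
    $token = bin2hex(random_bytes(32));      // goes into the user's session
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT ip, last_seen FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $old = $stmt->fetch(PDO::FETCH_ASSOC);
    // Overlap: the session being displaced was still in use recently.
    $overlap = $old !== false && ($now - (int) $old['last_seen']) < $idleLimit;
    $db->prepare('DELETE FROM active_sessions WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO active_sessions (user_id, token_hash, ip, last_seen) VALUES (?, ?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $ip, $now]);
    $db->commit();
    $report = $overlap
        ? sprintf('user %d: login from %s displaced a live session from %s', $userId, $ip, $old['ip'])
        : null;
    return ['token' => $token, 'report' => $report];
}

// Called on every request: only the most recent login's token is accepted.
function sessionIsCurrent(PDO $db, int $userId, string $token): bool
{
    $stmt = $db->prepare('SELECT token_hash FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !hash_equals($stored, hash('sha256', $token))) {
        return false;
    }
    $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE user_id = ?')
       ->execute([time(), $userId]);
    return true;
}

// Constructed demo: in-memory SQLite, documentation-range IP addresses.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions
    (user_id INTEGER PRIMARY KEY, token_hash TEXT, ip TEXT, last_seen INTEGER)');
$first  = registerLogin($db, 7, '192.0.2.10');
$second = registerLogin($db, 7, '198.51.100.5');
var_dump(sessionIsCurrent($db, 7, $first['token']));
var_dump(sessionIsCurrent($db, 7, $second['token']));
echo $second['report'] ?? 'no overlap', "\n"; // a real site would mail() or log this
```

The state lives entirely on the server, so nothing depends on the client keeping a cookie beyond the session token itself; the IP address is recorded only to make the report readable, not to decide who may log in.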

