#1
  A Change of Season

    Limiting user access to the site by $_SERVER['REMOTE_ADDR']


    Hi;

    We've got a membership site and I notice some guys share their email to log in.

    Like 4 people share 1 email. Can you believe that?

    I am just gonna make it harder for them and do what Ontraport does.

    So I am gonna store the user's IP, and if the IP at the next login is not the same as at the last login, I'll show the message:

    You seem to be logging in from a different machine! For security reasons please check your email and click confirm to continue.

    Can I rely on $_SERVER['REMOTE_ADDR'] to check the IP?

    Thanks


    Edit:

    This is the part of the code that does that:
    PHP Code:
    // Look up the last successful login for this email. $query (used further
    // down) is the earlier lookup of the member row by email/password.
    $sql = "SELECT * FROM login_log WHERE email = ? AND status = 'success' ORDER BY id DESC LIMIT 1";
    $query_log = $this->db->query($sql, array($_POST['email']));
    $last = $query_log->row_array();

    // Insert log data to login_log. A first-ever login has no previous row,
    // so only flag a mismatch when there is something to compare against.
    $status = 'success';
    if ($last !== NULL && $last['ip'] !== $_SERVER['REMOTE_ADDR']) {
        $status = 'failed';
    }

    $data = array(
        'ip'          => $_SERVER['REMOTE_ADDR'],
        'email'       => $_POST['email'],
        'date_logged' => date('Y-m-d'),
        'status'      => $status
    );
    $this->db->insert('login_log', $data);

    if ($status == 'failed') {
        // New IP: show the "check your email and confirm" view instead of logging in
        $this->load_views(2);
    } else {
        $member = $query->row_array();
        $newdata = array(
            'username'  => $member['username'],
            'email'     => $member['email'],
            'member_id' => $member['id'],
            'logged_in' => TRUE
        );
        $this->session->set_userdata($newdata);
        $redirect = isset($_SESSION['current_url']) ? $_SESSION['current_url'] : base_url();
        redirect($redirect);
    }
    Thanks
    Last edited by English Breakfast Tea; August 15th, 2017 at 04:18 AM.
#2
  Lazy Moderator
    Originally Posted by English Breakfast Tea
    Like 4 people share 1 email. Can you believe that?
    Oh, sure. It happens a lot. Even Hulu and Netflix have acknowledged that people share accounts, even if they're not supposed to.


    The REMOTE_ADDR:
    - Will always be a valid IP address. Probably IPv4 (12.34.56.78) but your code needs to work for IPv6 (the one with colons) too.
    - Can be spoofed by a user, but they can only send requests to a site - not receive any responses back. So you can use it to vary output shown to a user but don't rely on it for performing an action.
    - Will be the same for all users behind a NATing device, like your typical home router. Businesses and especially schools often have one too. The device could use a range and not just one address, too. Point is you cannot assume one IP address corresponds to one person or computer. You also cannot assume one person uses one IP address, even over a short time period.

    So yes, you can rely on it to get an IP address, but no, you cannot rely on it to associate one account with one person.

    Originally Posted by English Breakfast Tea
    I am just gonna make it harder for them and do what Ontraport does.
    Try not to alienate your legitimate users along the way. Mobile users might come to hate your site if you keep kicking them out when they're moving around.
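    The points above (REMOTE_ADDR is whatever the web server saw, it may be IPv6, and one address is not one person) translate into a few concrete checks before the address is stored or compared. The following is an added example for this thread, not code from either poster: `client_ip()` validates REMOTE_ADDR and only believes `X-Forwarded-For` when the connecting address is one of your own reverse proxies (anyone can send that header), `ip_key()` gives a canonical form for the `login_log.ip` column, and `same_client_network()` compares IPv4 exactly but IPv6 only on the first 64 bits, since IPv6 privacy addresses rotate the low half while the prefix stays. The function names, the trusted-proxy list and the sample requests are constructed for illustration; requires PHP 7.1+.

```php
<?php
// Added example (not from the thread): handle REMOTE_ADDR for both IPv4 and
// IPv6 and decide when two addresses count as "the same client".

/**
 * Return the client's IP as a validated string, or null if none is usable.
 * REMOTE_ADDR is the address on the TCP connection. Behind a reverse proxy
 * that is the proxy, and the real client is in X-Forwarded-For; only trust
 * that header when REMOTE_ADDR is one of *our* proxies (assumed list).
 */
function client_ip(array $server, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is "client, proxy1, proxy2": walk from the right, skipping our
        // own proxies; the first hop we did not add is the client we vouch for.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
                return null; // garbage in the header: fail closed
            }
            if (!in_array($hops[$i], $trustedProxies, true)) {
                return $hops[$i];
            }
        }
        return null; // every hop was one of our own proxies
    }
    return $remote;
}

/**
 * Canonical form for storage: packed binary from inet_pton() as hex, so
 * "2001:db8::1" and "2001:DB8:0:0:0:0:0:1" produce the same key (fits CHAR(32)).
 */
function ip_key(string $ip): string
{
    return bin2hex(inet_pton($ip));
}

/**
 * IPv4: exact match. IPv6: compare only the /64 prefix, because privacy
 * extensions (RFC 4941) regenerate the low 64 bits periodically; an exact
 * IPv6 comparison would flag a legitimate user as a "new machine" for free.
 */
function same_client_network(string $a, string $b): bool
{
    $pa = inet_pton($a);
    $pb = inet_pton($b);
    if ($pa === false || $pb === false || strlen($pa) !== strlen($pb)) {
        return false;
    }
    if (strlen($pa) === 4) {
        return $pa === $pb;
    }
    return substr($pa, 0, 8) === substr($pb, 0, 8);
}

// Constructed sample requests (documentation ranges, not real clients).
$direct   = ['REMOTE_ADDR' => '203.0.113.7'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.2'];
$forged   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];

var_dump(client_ip($direct));                                   // direct connection
var_dump(client_ip($viaProxy, ['10.0.0.2']));                   // real client behind our proxy
var_dump(client_ip($forged, ['10.0.0.2']));                     // header from an untrusted sender is ignored
var_dump(ip_key('2001:DB8::1') === ip_key('2001:db8:0:0:0:0:0:1'));
var_dump(same_client_network('2001:db8:1:2::aaaa', '2001:db8:1:2:1234:5678:9abc:def0'));
var_dump(same_client_network('2001:db8:1:2::1', '2001:db8:1:3::1'));
var_dump(same_client_network('203.0.113.7', '203.0.113.8'));
```

    Storing `ip_key()` rather than the raw header text also means the comparison in the login code cannot be fooled by a differently formatted but equal IPv6 address.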
#3
  A Change of Season
    Yeah, I understand some users will be upset. I am gonna make sure they stay logged in for a long time so they don't have to log in every time.

    I actually told Ontraport to remove this feature from all my accounts :0

    How does this look as the next step?

    The unlock link:

    Code:
    <?php echo base_url('unlock-ip/'.html_escape(base64url_encode($email)));?>
    PHP Code:
    class Unlock_ip extends CI_Controller {

        // Hit by the link above: unlock-ip/<base64url-encoded email>
        public function unlock($email = 0)
        {
            if ($this->validate($email)) {
                //Send the email with unlock link and show on screen they should check email
            } else {
                echo "Invalid request";
                exit();
            }
        }

        // Note: the link carries only the email, with no signature or expiry,
        // so anyone who knows an address can trigger an unlock mail for it.
        public function validate($email = 0)
        {
            if ($email == 0) {
                return false;
            }
            // base64url_decode() is the counterpart of the helper used in the view
            $email = base64url_decode($email);
            $sql = "SELECT * FROM login_log WHERE email = ? ORDER BY id DESC LIMIT 1";
            $query_log = $this->db->query($sql, array($email));
            $row = $query_log->row();
            if ($row !== NULL && $row->status == 'failed') {
                return true;
            }
            //Redirect to login page
            return false;
        }
    }



    I know it's not perfect but it does the job. As long as I haven't messed up big time.

    Here is what OP sends their customers. They are in the top 500 fastest growing businesses in the US (or the world). I thought what the heck... I'll use their model.
    Code:
    A request has been made to grant access to your ONTRAPORT account from a new IP address.
    
    If you did not initiate this request, you should consider changing your ONTRAPORT password. Please contact support if you think your account has been compromised.
    
    If you initiated this request, go ahead and visit the link below to authorize your IP address. This link is valid for one hour.
    https://app.ontraport.com/AuthorizeIp/add?user_id=1&ip=***.***.***.**&hash=%242a%2408%24g0yVr2ifQEMUWv6y0qMgUuw72odgboU9AD04Vr7Zc5OoJ6kXsbvbW&expire=1478732460&aid=my_user_id
    Last edited by English Breakfast Tea; August 15th, 2017 at 06:00 AM.
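    The Ontraport link quoted above carries `user_id`, `ip`, `expire` and a `hash`, and says it is valid for one hour: the hash is what stops someone from editing the IP or the user in the URL, and the expiry is what stops an old link from working forever. The posted unlock link, by contrast, is just a base64url-encoded email, which anyone can build. Below is an added example of how those fields can be bound together with an HMAC; it is not the thread author's code and not Ontraport's (their exact scheme is unknown). The secret key, the `/unlock-ip/add` route and the sample user are assumptions; requires PHP 7.1+.

```php
<?php
// Added example (not from the thread): a forge-proof, expiring "authorise this
// IP" link built from the same fields Ontraport's link shows.

const UNLOCK_TTL = 3600; // one hour, as in the quoted message

function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $txt)
{
    $pad = strlen($txt) % 4;
    if ($pad) {
        $txt .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($txt, '-_', '+/'), true);
}

/**
 * Build the query parameters for the link mailed to the account holder.
 * $key is a server-side secret (assumed to live in config, >= 32 random
 * bytes) and never appears in the link. The HMAC covers user, IP and expiry
 * together, so changing any one of them in the URL invalidates the hash.
 */
function make_unlock_params(int $userId, string $ip, string $key, int $now): array
{
    $expire = $now + UNLOCK_TTL;
    $msg = $userId . '|' . $ip . '|' . $expire;
    return [
        'user_id' => $userId,
        'ip'      => $ip,
        'expire'  => $expire,
        'hash'    => base64url_encode(hash_hmac('sha256', $msg, $key, true)),
    ];
}

/**
 * Verify the parameters when the link is clicked. Returns the IP to
 * authorise, or null. hash_equals() is constant-time, so the hash cannot be
 * guessed byte by byte from response timing.
 */
function verify_unlock_params(array $p, string $key, int $now): ?string
{
    foreach (['user_id', 'ip', 'expire', 'hash'] as $field) {
        if (!isset($p[$field])) {
            return null;
        }
    }
    if (!ctype_digit((string)$p['user_id']) || !ctype_digit((string)$p['expire'])) {
        return null;
    }
    if ((int)$p['expire'] < $now) {
        return null; // link expired
    }
    if (filter_var($p['ip'], FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $p['user_id'] . '|' . $p['ip'] . '|' . $p['expire'], $key, true);
    $given = base64url_decode($p['hash']);
    if ($given === false || !hash_equals($expected, $given)) {
        return null; // forged or tampered
    }
    return $p['ip'];
}

// Constructed walk-through; in production the key comes from config.
$key    = random_bytes(32);
$now    = time();
$params = make_unlock_params(42, '203.0.113.7', $key, $now);
echo 'Unlock URL: /unlock-ip/add?' . http_build_query($params), PHP_EOL;

var_dump(verify_unlock_params($params, $key, $now + 60));      // genuine click within the hour

$tampered = $params;
$tampered['ip'] = '198.51.100.9';                              // attacker swaps in their own IP
var_dump(verify_unlock_params($tampered, $key, $now + 60));

var_dump(verify_unlock_params($params, $key, $now + 7200));    // same link, two hours later
```

    The controller that handles the click should additionally confirm that `user_id` matches the account whose login was flagged before adding the IP to that account's allow-list; the signature only proves the link was issued by the server, not who is clicking it.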
#4
  Lazy Moderator
    Not quite sure how that controller will be involved or where various links will go, but really just whatever works.
#5
  Wiser? Not exactly.
    I wouldn't use ones IP address. I'd instead register a user's "devices" by storing a long-term cookie or localStorage item with a random identifier (different than your session identifier). So long as the user is using the same browser/device they will not be bothered even if their IP changes day to day or minute to minute. They would only have to re-verify if they clear their cookies, which I think is something most people would be used to, and it'd be a consequence of an action they specifically took rather than random chance.

    IPv6 makes IP tracking even less workable because it has privacy built-in and will re-generate your IP periodically just to change it.
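    The device-registration approach described above is straightforward to do safely, and the details matter: the identifier must be random, the server should store only a hash of it, and it must be looked up per account so that one person's cookie cannot unlock another account. The following is an added example, not kicken's or the thread author's code. It uses an in-memory array in place of a `user_devices` table (table name, cookie name and sample user IDs are assumptions) and sets the cookie HttpOnly, Secure and SameSite; the `setcookie()` options array needs PHP 7.3+.

```php
<?php
// Added example (not from the thread): "remember this device" with a random
// identifier in a long-lived cookie, verified against a server-side hash.

const DEVICE_COOKIE = 'device_id';
const DEVICE_TTL    = 86400 * 365; // a year; the user re-verifies only if the cookie is gone

/** Stand-in for the database: $store[$userId][$selector] = sha256(token). */
$store = [];

/**
 * Register the current browser as a trusted device for $userId, to be called
 * after the user has confirmed via email. Returns the cookie value to set.
 *
 * The cookie is "<selector>.<token>". The selector finds the row; only a
 * SHA-256 of the token is stored, so a dump of the table yields no usable cookies.
 */
function register_device(array &$store, int $userId): string
{
    $selector = bin2hex(random_bytes(16));
    $token    = random_bytes(32);
    $store[$userId][$selector] = hash('sha256', $token);
    return $selector . '.' . bin2hex($token);
}

/**
 * Does the cookie presented at login identify a device registered for THIS
 * user? The lookup is scoped by $userId on purpose: a cookie registered on
 * one account must never satisfy the check for another.
 */
function is_known_device(array $store, int $userId, ?string $cookie): bool
{
    if ($cookie === null || !preg_match('/^([0-9a-f]{32})\.([0-9a-f]{64})$/', $cookie, $m)) {
        return false;
    }
    $stored = $store[$userId][$m[1]] ?? null;
    if ($stored === null) {
        return false;
    }
    return hash_equals($stored, hash('sha256', hex2bin($m[2]))); // constant-time
}

/**
 * Cookie attributes: HttpOnly keeps the identifier away from injected scripts
 * (unlike localStorage, which any script on the origin can read), Secure keeps
 * it off plain HTTP, SameSite=Lax keeps it out of cross-site POSTs.
 */
function device_cookie_options(int $now): array
{
    return [
        'expires'  => $now + DEVICE_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Constructed walk-through.
$cookie = register_device($store, 42);
var_dump(is_known_device($store, 42, $cookie));     // the browser that registered
var_dump(is_known_device($store, 7, $cookie));      // same cookie, different account
var_dump(is_known_device($store, 42, 'deadbeef'));  // cleared or garbage cookie

// In the login controller, after email confirmation on a new device:
//   setcookie(DEVICE_COOKIE, register_device($store, $userId), device_cookie_options(time()));
```

    When `is_known_device()` returns false at login, the user gets the email-confirmation step; when it returns true, they are let straight in regardless of what `$_SERVER['REMOTE_ADDR']` says, which is what makes this survive mobile networks and IPv6 address rotation.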
#6
  A Change of Season
    Originally Posted by kicken
    I wouldn't use ones IP address. I'd instead register a user's "devices" by storing a long-term cookie or localStorage item with a random identifier (different than your session identifier). So long as the user is using the same browser/device they will not be bothered even if their IP changes day to day or minute to minute. They would only have to re-verify if they clear their cookies, which I think is something most people would be used to, and it'd be a consequence of an action they specifically took rather than random chance.

    IPv6 makes IP tracking even less workable because it has privacy built-in and will re-generate your IP periodically just to change it.
    This whole thing can become complex very fast.

    What you say makes sense and probably is a better solution too.

    I got 2 weeks to launch this product. We got 400 potential buyers who have pre signed up.

    The product is from $197-$497.

    Some good money on the table.

    If we don't launch it on time, we lose some of the sales. Right now really need to make some $$$ haha

    I still have to code the content drip and connect this to a payment system and set installments working with Ontraport api.

    I am gonna follow Ontraport's decision and go with the current solution.

    I am pretty sure we're safe based on what Requinix said. Unless I've done some retarded move.

    Thanks for the tips.
