
One session per account only

PostPosted: July 17th, 2010, 2:21 pm
by alberto
A user purchases a membership and then shares his login and password with all his friends. What is the best way to prevent multiple logins? Can s2member kick the previous login session, similar to how Yahoo Messenger handles multiple sessions?

Re: One session per account only

PostPosted: July 18th, 2010, 3:43 am
by Jason Caldwell
Thanks for the great question.

s2Member has a built-in security system that deals with this issue.
You can also configure its behavior by logging into your WP Dashboard, under:
s2Member -> General Options -> Unique IP Access Restrictions

As with any membership system, it is possible for one Member to sign up and then share their Username with someone else, or even post it online for the whole world to see. This is known as Link Sharing ( aka: Username Sharing ). It is not likely that you'll be attacked in this way, but it's still a good idea to protect your system, just in case somebody tries this. s2Member's IP Restrictions work for both Membership Level Access ( account logins ) and also for Specific Post/Page Access.

In both cases, the rules are simple. A single Username and/or Access Link is only valid for a certain number of unique IP addresses. Once that limit is reached, s2Member assumes there has been a security breach. At that time, s2Member will place a temporary ban ( preventing access ) on a Specific Post/Page, or on an account associated with a particular Username. This temporary ban will ONLY affect the offending Link and/or Username associated with the security breach.

Re: One session per account only

PostPosted: July 21st, 2010, 7:13 pm
by alberto
Does this also account for different username and same IP address like in a cafe, library, etc.?

Re: One session per account only

PostPosted: July 22nd, 2010, 9:10 pm
by Jason Caldwell
Yes, s2Member takes this into consideration.

s2Member's IP restriction routines are designed to prevent multiple IPs from accessing a single Username. So if there are multiple Users in a cafe ( all on the same IP ), but they are each logging in with different Usernames, that's fine.

However, if there are multiple Users in a cafe ( all on the same IP ) logging into the same account, something is not right, and s2Member will consider this a security breach, based on your configuration.

Re: One session per account only

PostPosted: August 4th, 2010, 12:00 pm
by gomisha
Jason - thanks so much for this feature. I was looking for this very thing and am happy to find that it's already included with S2 (which I've been happily using).

A question about this feature - in the Unique IP Access Restrictions section of the S2 configuration, the lowest number of "IPs per customer" that you can select is 2. Does that mean that a user could share his username/password with one other person and they can both be logged in at the same time?
I'm wondering why it can't be as low as 1, since I'd like to prevent users from sharing their usernames/passwords with even 1 other person.

Thanks a lot for this great plugin and keep up the great work.

Re: One session per account only

PostPosted: August 4th, 2010, 11:14 pm
by Jason Caldwell
Excellent question. Thank you.
I'm wondering why it can't be as low as 1

Well. I suppose it could be. I'll consider updating this in a future release. However, the real reason this is NOT an available option is that it's not likely that anyone would set it to just "1". Most users have at least one computer system, a mobile phone, and possibly a laptop computer. So logging into their account from a friend's home, a laptop, or a mobile device is going to require at least 2 unique IPs.

In other words...
~ One unique IP per Customer is likely to result in lots of complaints.

Re: One session per account only

PostPosted: August 5th, 2010, 12:43 pm
by gomisha
OK, I understand, Jason. Thanks for the explanation.

Re: One session per account only

PostPosted: August 5th, 2010, 1:38 pm
by Jason Caldwell
You're VERY welcome.
Thanks for reporting back.
~ Much appreciated.

Re: One session per account only

PostPosted: August 14th, 2010, 10:54 am
by sborsch
Jason -- Your example of a friend's house, laptop and coffee shop was an interesting one for this reason: in our increasingly always-on and always-connected lives it's highly likely that our members will be logging on from many, many different IPs over the course of their membership.

I bring this up since, IMHO, the confusion people are having over IP allowance is due to the lack of clarity over this: Your IP restriction is for concurrent IP use and not consecutive IP use, is that right?

I'm asking for clarification since the documentation isn't clear and other systems I've used at the enterprise level could restrict to corporate domains or IP address ranges (meaning someone had to be logging on at work or through a company VPN) and even open source downloading solutions could be set for either concurrent or consecutive access to downloadable files.

BTW, I came to S2Member after a sad and lonely adventure with a popular commercial membership plugin that was so laughingly inadequate that when I came to S2Member's well thought out, solid, clear UI and thoughtful explanatory text, I broke into a huge grin and shouted, "Yes!!". I'll be upgrading a client to 'Pro' and doing so on one of our sites as well as donating.

Great work on this plugin.

Re: One session per account only

PostPosted: August 18th, 2010, 12:03 am
by Jason Caldwell
Great to hear this. Thanks for the kudos!
I came to S2Member after a sad and lonely adventure with a popular commercial membership plugin that was so laughingly inadequate that when I came to S2Member's well thought out, solid, clear UI and thoughtful explanatory text, I broke into a huge grin and shouted, "Yes!!". I'll be upgrading a client to 'Pro' and doing so on one of our sites as well as donating.

Yes, you are correct. s2Member's IP restrictions are based on an adaptive concurrency of IP addresses accessing a single point of entry. This works across all aspects of s2Member; including Username logins, and all types of encrypted links, such as registration links, Specific Post/Page links, and Download Keys.

I would go ahead and break this down for you here. However, we've already begun working on s2Member v3.2.1, so I'd like to avoid any further confusion on this matter by waiting until the next official release. In the next release, there are plans to tighten IP restrictions a bit further; by breaking them down into a per-IP concurrency timeout, making s2Member more secure against slower attacks that may span a period of several weeks/months. There is also going to be a new Hook/Filter that will give developers more control over the concurrency timeouts. The defaults work fine 99% of the time, but giving developers a Hook to control things further never hurts.

Once those changes are completed, I'll be sure to add further clarification and details about how IP Restrictions are implemented; along with documentation on the new Filter:
ws_plugin__s2member_ip_restrictions__concurrency_time_per_ip

Until then, you can take a look at this file:
/includes/ip-restrictions-ok.inc.php

I'm also attaching /ip-restrictions-ok.inc.php
from the development version that is to be released soon as s2Member v3.2.1.
~ If you/anyone would like to review this future release, please feel free to offer your opinion.
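The behaviour described across Jason's replies above (a Username is valid for a limited number of unique IPs; exceeding that limit triggers a temporary ban on that Username only; different Usernames from one cafe IP are fine; the limit is on concurrent rather than consecutive IPs, with a per-IP concurrency timeout) can be modelled in a few dozen lines. The following is an added example written for this page, not s2Member's own code or its `ip-restrictions-ok.inc.php`; the limit of 2 IPs, the one-hour window, the half-hour ban, and the usernames, IP addresses and timestamps are all constructed for illustration.

```python
"""Model of the IP-concurrency rule described in the thread.

Added example, not s2Member's code. Limits, timeouts, usernames and IPs
below are assumptions constructed for illustration.
"""
from collections import defaultdict


class IpRestrictions:
    """One username (or access link) may be active from at most
    `max_ips` distinct IPs within a sliding `window` of seconds.

    Exceeding the limit is treated as link/username sharing and
    triggers a temporary ban on that username only.
    """

    def __init__(self, max_ips=2, window=3600, ban_seconds=1800):
        self.max_ips = max_ips            # "IPs per customer"
        self.window = window              # per-IP concurrency timeout (assumed)
        self.ban_seconds = ban_seconds    # length of the temporary ban (assumed)
        self._seen = defaultdict(dict)    # username -> {ip: last_seen}
        self._banned_until = {}           # username -> ban expiry

    def check(self, username, ip, now):
        """Record an access by `username` from `ip` at time `now`.

        Returns "ok", "breach" (limit just exceeded, ban starts) or
        "banned" (ban still in force).
        """
        until = self._banned_until.get(username)
        if until is not None:
            if now < until:
                return "banned"
            # Ban expired: forget it and start with a clean IP set.
            del self._banned_until[username]
            self._seen[username].clear()

        ips = self._seen[username]
        # Drop IPs not seen within the window, so consecutive use from
        # many places (home, phone, laptop, cafe) is not counted as
        # concurrent. Only simultaneous IPs count toward the limit.
        stale = [old for old, seen in ips.items() if now - seen > self.window]
        for old in stale:
            del ips[old]
        ips[ip] = now

        if len(ips) > self.max_ips:
            # Too many concurrent IPs on one username: ban the username,
            # nothing else. Other usernames on the same IPs are unaffected.
            self._banned_until[username] = now + self.ban_seconds
            ips.clear()
            return "breach"
        return "ok"


def run_scenarios():
    """Constructed access log covering the cases discussed in the thread."""
    r = IpRestrictions(max_ips=2, window=3600, ban_seconds=1800)
    out = {}

    # Shared account: three distinct IPs within a few minutes.
    out["concurrent"] = [
        r.check("alice", "203.0.113.10", 0),     # ok
        r.check("alice", "203.0.113.20", 60),    # ok (2 IPs allowed)
        r.check("alice", "203.0.113.30", 120),   # breach: 3rd concurrent IP
        r.check("alice", "203.0.113.10", 200),   # banned, even from a known IP
        r.check("bob",   "203.0.113.30", 200),   # ok: ban is per username
        r.check("alice", "203.0.113.10", 2000),  # ok again after ban expires
    ]

    # Cafe: several people, same NAT IP, different usernames.
    out["cafe"] = [r.check(u, "198.51.100.7", 300) for u in ("u1", "u2", "u3")]

    # One person moving between five IPs hours apart (consecutive, not concurrent).
    out["consecutive"] = [
        r.check("carol", ip, t * 7200)
        for t, ip in enumerate(("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"))
    ]
    return out


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(f"{name}: {results}")
```

Two caveats worth keeping in mind with any rule of this shape. First, it counts IP addresses, not sessions: two people behind the same NAT (a household, an office, a mobile carrier) sharing one account look like a single IP and are never caught, while one person whose connection changes address frequently can trip the limit. Second, it is not the same thing as "one session per account": it tolerates up to `max_ips` simultaneous logins and only reacts once that is exceeded, so a site that wants strictly one active session needs a separate session-level check.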

Re: One session per account only

PostPosted: July 25th, 2011, 5:21 pm
by tdub11
Hi, Jason -
After reading this thread and running some tests, it's not clear to me what the default behavior should be. I'm running version 110710.

Specifically, can more than one person successfully log in to the same account (i.e., use the same username and password) at the same time (whether using the same IP address or a different IP address)?

If the answer is "yes", this is allowed, then what steps can I take to disable this? Today I tested simultaneous logins (same user/pw) and it worked (i.e., both sessions were authenticated).

Thanks much!

Re: One session per account only

PostPosted: July 27th, 2011, 2:12 am
by Cristián Lávaque
I just wanted to mention in this thread a couple of plugins I found that seem to prevent simultaneous logins to an account:

https://wordpress.org/extend/plugins/lo ... 1-session/
https://wordpress.org/extend/plugins/single-user-login/