PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

One session per account only

s2Member Plugin. A Membership plugin for WordPress®.

One session per account only

Postby alberto » July 17th, 2010, 2:21 pm

User purchase membership and then share his login and password to all his friends. What is the best way to prevent multiple logins? Can s2member kick previous login session similar to how yahoo messenger handles multiple session?
User avatar
alberto
Registered User
Registered User
 
Posts: 5
Joined: July 7, 2010

Re: One session per account only

Postby Jason Caldwell » July 18th, 2010, 3:43 am

Thanks for the great question.

s2Member has a built-in security system that deals with this issue.
You can also configure its behavior, by logging into your WP Dashboard, under:
s2Member -> General Options -> Unique IP Access Restrictions

As with any membership system, it is possible for one Member to signup, and then share their Username with someone else; or even post it online for the whole world to see. This is known as Link Sharing ( aka: Username Sharing ). It is not likely that you'll be attacked in this way, but it's still a good idea to protect your system; just in case somebody tries this. s2Member's IP Restrictions, work for both Membership Level Access ( account logins ), and also for Specific Post/Page Access.

In both cases, the rules are simple. A single Username, and/or Access Link is only valid for a certain number of unique IP addresses. Once that limit is reached, s2Member assumes there has been a security breach. At that time, s2Member will place a temporary ban ( preventing access ) to a Specific Post/Page, or to an account associated with a particular Username. This temporary ban, will ONLY affect the offending Link and/or Username associated with the security breach.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: One session per account only

Postby alberto » July 21st, 2010, 7:13 pm

Does this also account for different username and same IP address like in a cafe, library, etc.?
User avatar
alberto
Registered User
Registered User
 
Posts: 5
Joined: July 7, 2010

Re: One session per account only

Postby Jason Caldwell » July 22nd, 2010, 9:10 pm

Yes, s2Member takes this into consideration.

s2Member's IP restriction routines are designed to prevent multiple IPs from accessing a single Username. So if there are multiple Users in a cafe ( all on the same IP ), but they are each logging in with different Usernames, that's fine.

However, if there are multiple Users in a cafe ( all on the same IP ), logging into the same account, something is not right; and s2Member will consider this a security breach; based on your configuration.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: One session per account only

Postby gomisha » August 4th, 2010, 12:00 pm

Jason - thanks so much for this feature. I was looking for this very thing and am happy to find that it's already included with S2 (which I've been happily using).

A question about this feature - in the Unique IP Access Restrictions section of the S2 configuration, the least amount of "IPs per customer" that you can select is 2. Does that mean that a user could share his username/password with one other person and they can both be logged in at the same time?
I'm wondering why it can't be as low as 1, since I'd like to prevent users from sharing their usernames/passwords with even 1 other person.

Thank a lot for this great plugin and keep up the great work.
User avatar
gomisha
Registered User
Registered User
 
Posts: 4
Joined: August 4, 2010

Re: One session per account only

Postby Jason Caldwell » August 4th, 2010, 11:14 pm

Excellent question. Thank you.
I'm wondering why it can't be as low as 1

Well. I suppose it could be. I'll consider updating this in a future release. However, the real reason this is NOT an available option; is that it's not likely that anyone would set it to just "1". Most users have at least one computer system, a mobile phone, and possibly a laptop computer. So logging into their account from a friends home, a laptop, or a mobile device is going to require at least 2 unique IPs.

In other words...
~ One unique IP per Customer is likely to result in lots of complaints.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: One session per account only

Postby gomisha » August 5th, 2010, 12:43 pm

OK, I understand, Jason. Thanks for the explanation.
User avatar
gomisha
Registered User
Registered User
 
Posts: 4
Joined: August 4, 2010

Re: One session per account only

Postby Jason Caldwell » August 5th, 2010, 1:38 pm

You're VERY welcome.
Thanks for reporting back.
~ Much appreciated.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: One session per account only

Postby sborsch » August 14th, 2010, 10:54 am

Jason -- Your example of a friend's house, laptop and coffee shop was an interesting one for this reason: in our increasingly always-on and always-connected lives it's highly likely that our members will be logging on from many, many different IPs over the course of their membership.

I bring this up since, IMHO, the confusion people are having over IP allowance is due to the lack of clarity over this: Your IP restriction is for concurrent IP use and not consecutive IP use, is that right?

I'm asking for clarification since the documentation isn't clear and other systems I've used at the enterprise level could restrict to corporate domains or IP address ranges (meaning someone had to be logging on at work or through a company VPN) and even open source downloading solutions could be set for either concurrent or consecutive access to downloadable files.

BTW, I came to S2Member after a sad and lonely adventure with a popular membership commercial plugin that was so laughingly inadequate that when I came to S2Member's well thought out, solid, clear UI and thoughtful explanatory I broke in to a huge grin and shouted, "Yes!!". I'll be upgrading a client to 'Pro' and doing so on one of our sites as well as donating.

Great work on this plugin.
sborsch
Guest User
Guest User
 

Re: One session per account only

Postby Jason Caldwell » August 18th, 2010, 12:03 am

Great to hear this. Thanks for the kudos!
I came to S2Member after a sad and lonely adventure with a popular membership commercial plugin that was so laughingly inadequate that when I came to S2Member's well thought out, solid, clear UI and thoughtful explanatory I broke in to a huge grin and shouted, "Yes!!". I'll be upgrading a client to 'Pro' and doing so on one of our sites as well as donating.

Yes, you are correct. s2Member's IP restrictions are based on an adaptive concurrency of IP addresses accessing a single point of entry. This works across all aspects of s2Member; including Username logins, and all types of encrypted links, such as registration links, Specific Post/Page links, and Download Keys.

I would go ahead and break this down for you here. However, we've already begun working on s2Member v3.2.1, so I'd like to avoid any further confusion on this matter by waiting until the next official release. In the next release, there are plans to tighten IP restrictions a bit further; by breaking them down into a per-IP concurrency timeout, making s2Member more secure against slower attacks that may span a period of several weeks/months. There is also going to be a new Hook/Filter that will give developers more control over the concurrency timeouts. The defaults work fine 99% of the time, but giving developers a Hook to control things further never hurts.

Once those changes are completed, I'll be sure to add further clarification and details about how IP Restrictions are implemented; along with documentation on the new Filter:
ws_plugin__s2member_ip_restrictions__concurrency_time_per_ip

Until then, you can take a look at this file:
/includes/ip-restrictions-ok.inc.php

I'm also attaching /ip-restrictions-ok.inc.php
from the development version that is to be released soon as s2Member v3.2.1.
~ If you/anyone would like to review this future release, please feel free to offer your opinion.
Attachments
ip-restrictions.inc.php.zip
(1.44 KiB) Downloaded 34 times
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: One session per account only

Postby tdub11 » July 25th, 2011, 5:21 pm

hi, jason-
after reading this thread and making some tests it's not clear to me what the default behavior should be. i'm running version 110710.

specifically, can more than one person successfully login to the same account (i.e., use the same username and password) at the same time (whether using the same ip address or a different ip address)?

if the answer is "yes" this is allowed, then what steps can i take to disable this? today i tested simultaneous logins (same user/pw) and it worked (i.e., both sessions were authenticated).

thanks much!
User avatar
tdub11
Registered User
Registered User
 
Posts: 17
Joined: June 22, 2011

Re: One session per account only

Postby Cristián Lávaque » July 27th, 2011, 2:12 am

I just wanted to mention in this thread a couple of plugins I found that seem to prevent simultaneous logins to an account:

https://wordpress.org/extend/plugins/lo ... 1-session/
https://wordpress.org/extend/plugins/single-user-login/
Cristián Lávaque http://s2member.net
Is s2Member working for you? Please rate it Image at WordPress.org. Thanks! :)
User avatar
Cristián Lávaque
Developer
Developer
 
Posts: 6836
Joined: December 22, 2010


Return to s2Member Plugin

Who is online

Users browsing this forum: Exabot [Bot], Google [Bot] and 3 guests

cron