Prevent users from sharing an account across multiple IPs?
Can anyone point me in the way of a guide/tutorial on how to limit the number of unique IPs a user can have to around 5-6 for a members area. It seems like many users on a site I help manage share their user names with tens to hundreds of other people. Or can anyone explain how I can implement some kind of security against this?
Comments (2)
IP blocking isn't the way to go.
Consider a bunch of users inside the same corporate firewall. When they browse the net ALL of them will appear to have the same IP address due to a proxy server. The proxy server is responsible for making sure the requests/responses get to the right people.
So, that won't work.
What you can do is tie logins to sessions and kick out the previous ones. Essentially:
What will happen is that user Bob will login and get session ID 10. Bob starts browsing your site and everything is A-OK.
Then Sue logs in (with Bob's credentials). This assigns session ID 22 to the bob account. She starts browsing the site.
The very next request that Bob issues gets revalidated, and the server sees that session 10 is no longer associated with Bob. Boom: kicked to the login screen.
Bob logs back in while scratching his head. This assigns a new ID: 30. The next request from Sue kicks her to the login page. Hilarity ensues.
Just for kicks, if a few session ids are assigned to the same account within a certain period of time (like 2 minutes) send a message to the email address on file that their account might have been hacked. Potentially even shut off the account while asking them to reconfirm, via clicking a link in the email, that the account is good. Make them change the password right then.
Two things are going to happen. First, a number of users will complain (some people have no shame). Be sure to have a nice, but firm, response about how you are protecting them with this fancy new security feature. Don't budge on it.
The second thing is that all of those anonymous users will get their own accounts (or go away). The reason is that being kicked out of the site just because they shared the password is not a good thing. Which, if I'm understanding correctly, is the desired behavior.
Interestingly, this is a similar design to how some companies, like GoToMeeting work. If a user account is currently hosting a meeting AND then that account logs in somewhere else then the original meeting is terminated. Pretty effective.
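The single-active-session scheme from the answer above, written out as an added example (this is not code from the original post or from the answerer). Each login issues a fresh session ID and invalidates the account's previous one, so the older holder's next request fails validation; a burst of logins on one account inside a short window raises an alert that stands in for the "your account may have been hacked" email. The in-memory dicts replace the site's database, and the 120-second window and threshold of 3 logins are assumed values chosen to match the "like 2 minutes" in the answer.

```python
"""Single-active-session enforcement with login-burst alerting.

Added example, not code from the original post. Storage is an in-memory
dict standing in for the site's database; the window (120 s) and the
threshold (3 logins) are assumed values.
"""
import secrets
from collections import defaultdict, deque

BURST_WINDOW_SECONDS = 120   # "like 2 minutes" in the answer
BURST_THRESHOLD = 3          # assumed: this many logins in the window triggers an alert


class SessionGuard:
    def __init__(self):
        # account -> the single session ID currently allowed for it
        self.active_session = {}
        # session ID -> account, consulted on every request
        self.session_owner = {}
        # account -> recent login timestamps (seconds), for burst detection
        self.login_times = defaultdict(deque)
        # accounts for which an alert was raised (stand-in for the email on file)
        self.alerts = []

    def login(self, account, now):
        """Issue a new session for `account`, kicking any previous one.

        The caller has already verified the password. Returns the new
        session ID; the previous holder's next request will fail validate().
        """
        old = self.active_session.get(account)
        if old is not None:
            del self.session_owner[old]          # supersede the earlier session
        sid = secrets.token_urlsafe(32)          # unguessable, not sequential
        self.active_session[account] = sid
        self.session_owner[sid] = account
        self._record_login(account, now)
        return sid

    def validate(self, session_id):
        """Return the account for a request carrying `session_id`, or None if
        the session was never issued or has been superseded by a newer login."""
        return self.session_owner.get(session_id)

    def _record_login(self, account, now):
        times = self.login_times[account]
        times.append(now)
        # Drop logins that fell out of the sliding window.
        while times and now - times[0] > BURST_WINDOW_SECONDS:
            times.popleft()
        if len(times) >= BURST_THRESHOLD and account not in self.alerts:
            self.alerts.append(account)          # real site: email the address on file


def bob_and_sue_scenario():
    """Replay the Bob/Sue sequence from the answer; returns one bool per step."""
    g = SessionGuard()
    bob_sid = g.login("bob", now=0)
    step1 = g.validate(bob_sid) == "bob"         # Bob browses, everything is fine
    sue_sid = g.login("bob", now=30)             # Sue logs in with Bob's credentials
    step2 = g.validate(bob_sid) is None          # Bob's next request: kicked to login
    step3 = g.validate(sue_sid) == "bob"         # Sue is fine for the moment
    g.login("bob", now=60)                       # Bob logs back in
    step4 = g.validate(sue_sid) is None          # Sue's next request: kicked
    alerted = "bob" in g.alerts                  # three logins in 60 s -> alert raised
    return step1, step2, step3, step4, alerted


if __name__ == "__main__":
    print(bob_and_sue_scenario())
```

In a real deployment the two maps live in the session table, and `validate()` runs on every authenticated request; the alert path should also force a password change, as the answer suggests, rather than only sending mail.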
What I would do is create a database table that stores the userId, IP address used and date that IP was seen. Something like this:
Then in your php count how many IPs the user in question has for the current day. If more than 5, block the user.
Though, reading some of the answers just posted I would go with Chris Lively's response as it is a better solution.
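The per-user daily IP count described in this answer, as an added example (not the answerer's code; the table schema the answer refers to is not on the page, so the `(userId, ip, date)` row layout here is an assumption based on the description). The limit of 5 distinct IPs per day comes from the answer. The sample requests are constructed, and the last case shows the caveat raised in the first answer: several people behind one corporate proxy look like a single IP, so this counts network paths rather than people.

```python
"""Per-user daily distinct-IP limit.

Added example, not code from the original post. The list of
(user_id, ip, seen_on) tuples stands in for the database table the
answer describes; the equivalent query would be
  SELECT COUNT(DISTINCT ip) FROM user_ips WHERE user_id = ? AND seen_on = ?
"""
from datetime import date

MAX_IPS_PER_DAY = 5  # from the answer: "If more than 5, block the user"


class IpSeenLog:
    def __init__(self):
        self.rows = []  # (user_id, ip, seen_on) -- assumed row layout

    def record(self, user_id, ip, seen_on):
        """Store one sighting; repeated sightings of the same IP are harmless
        because distinct_ips_today() deduplicates."""
        self.rows.append((user_id, ip, seen_on))

    def distinct_ips_today(self, user_id, today):
        return {ip for uid, ip, seen_on in self.rows
                if uid == user_id and seen_on == today}

    def is_blocked(self, user_id, today):
        return len(self.distinct_ips_today(user_id, today)) > MAX_IPS_PER_DAY


def demo():
    """Constructed traffic for three accounts on one day; returns block flags."""
    today = date(2024, 1, 15)
    log = IpSeenLog()
    # Account 7: six different addresses in one day -> over the limit.
    for i in range(1, 7):
        log.record(7, f"203.0.113.{i}", today)
    # Account 8: the same two addresses seen many times -> only 2 distinct.
    for _ in range(20):
        log.record(8, "198.51.100.10", today)
        log.record(8, "198.51.100.11", today)
    # Account 9: six addresses, but spread over two days -> 3 per day.
    for i in range(1, 4):
        log.record(9, f"192.0.2.{i}", today)
        log.record(9, f"192.0.2.{i + 10}", date(2024, 1, 14))
    # Caveat: many people sharing account 10 behind one proxy all present
    # the same IP, so this check cannot see them at all.
    for _ in range(50):
        log.record(10, "192.0.2.200", today)
    return {
        7: log.is_blocked(7, today),
        8: log.is_blocked(8, today),
        9: log.is_blocked(9, today),
        10: log.is_blocked(10, today),
    }


if __name__ == "__main__":
    print(demo())
```

Because of the shared-proxy blind spot (and the opposite failure, one legitimate user on a phone changing addresses all day), this check is best treated as a signal to review rather than an automatic block, which is why the answer defers to the session-binding approach.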