I want to have a Drupal site which people have to subscribe to to access the content within - a small yearly subscription - no probs so far.
I want to restrict the content to those users that have signed up - this I know I can do through Drupal.
What is the best way, in your experience, to stop people from sharing their login details (either within Drupal or some other way)? What's to stop someone subscribing then sharing their password with someone else etc - and how can I manage this?
Another problem is that we may want to provide entire organisations with one login. So not only will individuals sign up for the service, but organisations/schools/businesses/universities too...
Any thoughts and advice most welcome.
Thanks in advance...
Comments
=-=
Nothing stops a user from sharing their screenname and password. Until every single human being is issued a static IP address that never changes, you will always find this a problem.
Okay...
Thanks for the response.
Would it be possible to have it so that once a user is logged into the system - another person with the same username/password would not be able to log in. i.e. a user would only be able to be logged in once at any point in time.
For instance, I can log in to my Drupal site using the same login details at the same time on 2 computers. Could this be stopped so that once I am logged in on one, if I try and log in on the other I get a message saying 'someone with this username and password is already logged in'?
Is this a stupid idea?
that sounds like a good idea...
and if you could keep track of when this actually happens you could figure out roughly if people are sharing passwords...
I think that at the very least this type of "security" should be set up by default...
looks like there are several solutions already...
http://drupal.org/project/session_limit
and found it here:
http://drupal.org/project/Modules/category/76
hope that helps...
my band's drupal-driven site:
http://NoteToSelfDontDie.com/
Ah, but...
... what if I would have had a boring job at the office and wanted to check the site there. Or if I was at my brother's/sister's/parent's place. I didn't log out at home, because I find it easier just to hop right back in. So, in this scenario, even if I am the sole owner of the account, I could be "accused" of sharing passwords.
Bottomline: I would personally only enforce such a security method if the site contains some really restricted data. In other cases you might end up with some frustrated users.
My two cents.
yeah..
what about the module that logs you out after a certain time with no activity?
heh heh...
Such a module would never
Such a module would never have a place on my site... :)
Thanks for the input
I kind of like the solution suggested :
http://drupal.org/project/session_limit
For private users I could limit them to 3 or 4 sessions, and for large organisations I could limit them to however many they want.
I can understand that the time-out function may be frustrating, but most users would only have open sessions on 1 or maybe 2 computers (home and work)?
Kind of makes sense.
It would suck for me to put a lot of effort into creating a site for it to be abused and generate no revenue, so I would like to have some kind of restrictions in place.
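An added example, not part of the thread and not the session_limit module's code: a minimal model of the policy discussed above, with a per-account cap on concurrent sessions (a small default for individuals, a higher negotiated cap for organisations), an idle timeout so a session left open elsewhere does not lock the owner out, and a record of refused logins to review for likely sharing. The class, method names, thresholds and the 1800-second timeout are assumptions made for illustration.

```python
import time
from collections import defaultdict

class SessionLimiter:
    """Cap concurrent sessions per account and record every refused login."""

    def __init__(self, default_limit=3, idle_timeout=1800):
        self.default_limit = default_limit   # cap for individual subscribers
        self.idle_timeout = idle_timeout     # seconds before a session stops counting
        self.limits = {}                     # account -> negotiated cap (organisations)
        self.sessions = defaultdict(dict)    # account -> {session_id: last_seen}
        self.refusals = []                   # (timestamp, account, ip) audit trail

    def set_limit(self, account, limit):
        self.limits[account] = limit

    def _expire(self, account, now):
        # Forgotten sessions (left logged in at home) age out instead of blocking the owner.
        self.sessions[account] = {sid: seen for sid, seen in self.sessions[account].items()
                                  if now - seen < self.idle_timeout}

    def login(self, account, session_id, ip, now=None):
        now = time.time() if now is None else now
        self._expire(account, now)
        if len(self.sessions[account]) >= self.limits.get(account, self.default_limit):
            self.refusals.append((now, account, ip))
            return False
        self.sessions[account][session_id] = now
        return True

    def touch(self, account, session_id, now=None):
        # Call on each authenticated request so active sessions do not expire.
        if session_id in self.sessions[account]:
            self.sessions[account][session_id] = time.time() if now is None else now

    def logout(self, account, session_id):
        self.sessions[account].pop(session_id, None)

    def suspected_sharing(self, min_refusals=3, min_ips=2):
        # Repeated refusals from several addresses are a hint, not proof, of sharing.
        ips_by_account = defaultdict(list)
        for _, account, ip in self.refusals:
            ips_by_account[account].append(ip)
        return sorted(a for a, ips in ips_by_account.items()
                      if len(ips) >= min_refusals and len(set(ips)) >= min_ips)
```

Refusing the new login is one choice; ending the oldest session instead is the other common one and trades a blocked owner for a silently displaced one.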
...
I also like your final solution but....
I just stumbled on your thread while looking for a way to log the IP address on member signup. (which I've not found just yet) But, in my search I also found this http://drupal.org/project/ip_login which you might be interested in.
Best
Cozmo
Password sharing
I agree with the first poster. The real problem is the dynamic IP assignments. HOWEVER, another idea I heard of was to just tie the username/password information to the person's PERSONAL (credit card, etc) info and place a banner/warning on your site that the login info is tied directly to this PERSONAL info. This will stop some of the account sharing.
That would be a good deterrent...
... to people using your site. ;-)
I doubt many people would want to sign up for a website that openly declared that they would share your financial details with anyone who managed to access your account. Further, I'd not likely want to share my credit card info with any site that I'm not actually buying something from and like to shop around a bit first, so certainly wouldn't likely want to enter credit card details just to "be a member".
Anyway, I'm just building my first Drupal-based site, but was considering the single_login module (till I noticed it doesn't have a current "stable" version), so will likely just use login_security, and logintoboggan along with password_policy and password_strength and use salt for my password hashtable.
See you at the Drupalcon!
Account Sharing
If you still haven't found a solution, I'd like to point you to http://logineye.com/logineye/public/
They are a third party security solution that enables cloud based businesses to identify login sharing behaviour and stop it.
They use the same technology as the banking/payment industry to detect fraud. So you can be sure, they can help you with it as well.
You can find out more details on their website.