Re: [PHP] Semi-OT: Anti-password trading/sharing solutions

Posted by Richard Lynch on 03/01/05 22:25

Dan Trainor wrote:
> I'm pretty aware of how it all works. However, the problem lies in the
> fact that because most of the pre-installed billing software relies
> solely on .htaccess/.htpasswd-based authentication, it's not possible to
> just change the whole login system. For the most part, they're still
> using privative means of authentication which are broken to begin with.

I believe that you could, perhaps, consider using PHP after the existing
.htaccess/.htpasswd authentication to provide a secondary test, without
disturbing the billing software setup.

The steps involved are:

HTTP Request
.htaccess/.htpasswd Challenge/Response, drives billing software
PHP $_SERVER['HTTP_AUTH_USER']/$_SERVER['HTTP_AUTH_PW'], drives abuse check

No need for anything as fancy as an extension.

If somebody is abusing/sharing a password, they still should get billed up
to the point of account termination, right?

Whatever you would do in this extension would have to still interface to
the .htaccess/.htpasswd system to alter billable status -- Which you can
probably do far easier in PHP anyway.

PHP could generate a list of accounts that are suffering suspicious
activity, which could be provided to the billing software in whatever
manner they desire, really.

You also have the advantage that it's a LOT easier to [find somebody to]
write, test, and debug a PHP script than an extension.

You'll also be able to more easily run tests in parallel with a "live"
site but without any real action really being taken until it's all proven
and reviewed and tested thoroughly. That's gonna be a lot tougher with an
extension whose C code is burned into the Apache binary, or even as a
loadable Module of compiled C code.

You can track a variety of factors such as IP, some unchanging browser
headers, login time, page surfing, http_referrer, etc and watch for
patterns from abusive accounts.

You can't rely on IP address directly, but if the same account is given
three different IP addresses in IP-space *known* to be owned by three
different ISPs, then you've got a pretty sure bet it's an abuse.

You'll need a ton of reverse DNS or dns-by-country lookups and caching,
but it's do-able.

Analyze the hell out of a few months' worth of old data, and/or start
logging live data and look for the patterns.

Come up with a formula for an "abuse factor scorecard" and then implement
a log with PHP of what you *WOULD* do with this account, and see if you
like the results.

Change the formula, log some more, watch for awhile.

The bottom line, though, is that you *HAVE* to "interfere with the
pre-existing authentication system" at *SOME* point in order to kick users
off -- Or else always have a human review of the evidence before action.

Either way, PHP is probably a cheaper/better solution than a dedicated
module, at least unless you find out that the formula for calculating a
user's score takes *sooo* long and is so complicated that PHP can't do it
fast enough -- Even then, I'd bet the time-sink is in things like DNS data
(cache it) and in logging, not the actual calculation.

--
Like Music?
http://l-i-e.com/artists.htm
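The secondary check described in the reply above, as an added example that is not part of the original post. It assumes Apache has already completed the .htaccess/.htpasswd challenge and exposes the authenticated name as `$_SERVER['PHP_AUTH_USER']`, a hypothetical tab-separated event log under /tmp, and a /16 prefix as a crude stand-in for "a different ISP" in place of the DNS lookups the post mentions; in dry-run fashion it only logs what it would do.

```php
<?php
// Added example, not Richard Lynch's code. Runs after Apache's basic-auth
// challenge; Apache sets $_SERVER['PHP_AUTH_USER'] for the authenticated name.
// Assumptions: flat-file event log (hypothetical path), /16 prefix ~ "different ISP".

const LOG_FILE = '/tmp/auth_events.log';   // hypothetical path
const WINDOW   = 3600;                      // seconds of history to score

// Append one login event for the current request.
function recordEvent(string $file, string $user, string $ip, string $ua, int $ts): void {
    file_put_contents($file, implode("\t", [$ts, $user, $ip, $ua]) . "\n", FILE_APPEND | LOCK_EX);
}

// Load this user's events ([timestamp, ip, user-agent]) from the tab-separated log.
function loadEvents(string $file, string $user): array {
    $out = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        [$ts, $u, $ip, $ua] = explode("\t", $line, 4);
        if ($u === $user) $out[] = [(int)$ts, $ip, $ua];
    }
    return $out;
}

// "Abuse factor scorecard": every extra /16 network seen inside the window adds 2,
// every extra User-Agent adds 1. Returns [score, distinctNets, distinctAgents].
function abuseScore(array $events, int $now, int $window = WINDOW): array {
    $nets = $agents = [];
    foreach ($events as [$ts, $ip, $ua]) {
        if ($now - $ts > $window) continue;                                 // too old
        $nets[implode('.', array_slice(explode('.', $ip), 0, 2))] = true;   // /16 prefix
        $agents[$ua] = true;
    }
    $score = 2 * max(0, count($nets) - 1) + max(0, count($agents) - 1);
    return [$score, count($nets), count($agents)];
}

// Dry run, as the post suggests: record what WOULD happen, take no action yet.
// The fallbacks are constructed values so the script also runs from the CLI.
$user = $_SERVER['PHP_AUTH_USER']   ?? 'demo';
$ip   = $_SERVER['REMOTE_ADDR']     ?? '203.0.113.5';
$ua   = $_SERVER['HTTP_USER_AGENT'] ?? 'Mozilla/5.0 (constructed)';
recordEvent(LOG_FILE, $user, $ip, $ua, time());
[$score, $nets, $agents] = abuseScore(loadEvents(LOG_FILE, $user), time());
$verdict = $score >= 4 ? 'WOULD-SUSPEND' : 'ok';   // three /16s in an hour trips it
error_log(sprintf('abuse-check user=%s score=%d nets=%d agents=%d verdict=%s',
                  $user, $score, $nets, $agents, $verdict));
```

Once the logged verdicts look right over a few weeks of live traffic, the `error_log` line is the one place to swap in a real action, such as writing the account to the list handed to the billing software.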
