Posted by J.O. Aho on 11/22/05 09:55
Freebird wrote:
> Tks a lot man,
>
> I'll explain it better now,
>
> I work for this company, and they sell software and scripts.
>
> I've done a script for them, that people will download for free (no
> registration required), that means, that the script I did will run in many
> different servers, sometimes, even run on windows OS, at localhost (that
> means, no domain).
>
> The script is free, but there's one feature inside that is paid, it works
> like this:
>
> Seller is the Server A
> Users that downloaded the script, I'll call them Server B
>
> If the user from Server B decides to subscribe to the paid feature, he will
> fill a form on Server B, this form will connect to Server A and register his
> name, password and domain on a txt file.
>
> So, next time the user from Server B wants to use that paid feature, all he
> will do is insert his password and username (on Server B's form), click in
> the button Login, and the script from Server B will go to Server A and
> verify if the username and passwords are ok, if so, allow them to update a
> list, that stays inside server A.
>
> It works great, but if he gives that password to another user from another
> place, the password will work also for this user that didn't pay for the
> service, and that can't happen.
>
> So, I need a way to know for sure, that the client from Server B is using
> that password ONLY from his Domain, or that he's using the same machine, or
> whatever he did when he subscribed, something that's unique in one server.
>
> I can't use JS for that. =/
>
> Hope it's not that confusing, tks in advance

This time it's a lot more clear.

If the person gives away his login/password, they can give away their login
pages, so even if you could trust the HTTP_REFERER, which in most cases would
have given a localhost address, which wouldn't have been specially unique.
Everything that the browser sends about itself can either be turned off or
spoofed.

One thing you could do is to register the ip-number and see who owns that
span and then limit the user to that provider, with a special page where they
can visit your server and register a new provider (and in the process
unregister the previous one).

Check America based:
whois -h whois.arin.net <ipnumber>
Check Asia/Oceania based:
whois -h whois.apnic.net <ipnumber>
Check Europe & Middle East based:
whois -h whois.ripe.net <ipnumber>
Check Latin American & Caribbean based:
whois -h whois.lacnic.net <ipnumber>
Check Africa based:
whois -h whois.afrinic.net <ipnumber>

This is the best verification I can think of, as the ip is something that you
always will get, of course people could use proxies to make themselves
anonymous and in those cases there could be a risk that they give away the
login/pass and let friends log in via the proxy.

//Aho
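
The provider check suggested in the reply above, sketched in Python as an added example (not code from the original post): it reads the allocation range out of a whois reply and accepts a login only from an address inside the range recorded at registration. The whois excerpts are constructed from documentation address ranges and `ProviderLock` is a hypothetical name; as the reply notes, anyone behind the same provider or proxy still passes.

```python
import ipaddress
import re

# Constructed whois excerpts (documentation address ranges, not real replies).
ARIN_STYLE = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        Example Provider One
"""
RIPE_STYLE = """\
inetnum:        203.0.113.0 - 203.0.113.127
netname:        EXAMPLE-PROVIDER-TWO
"""

# "NetRange:" (ARIN style) or "inetnum:" (RIPE style) followed by "first - last".
RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)\s*$", re.I | re.M)


def provider_networks(whois_text):
    """Return the allocation named in a whois reply as a list of CIDR networks."""
    m = RANGE_RE.search(whois_text)
    if m is None:
        raise ValueError("no NetRange/inetnum line in whois reply")
    first, last = (ipaddress.ip_address(g) for g in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


class ProviderLock:
    """Hypothetical store on Server A: username -> provider networks."""

    def __init__(self):
        self._allowed = {}

    def register(self, user, whois_text):
        # Registering again replaces (unregisters) the previous provider.
        self._allowed[user] = provider_networks(whois_text)

    def login_allowed(self, user, remote_ip):
        # remote_ip must be the TCP peer address Server A sees for the
        # connection, never a value sent in a header or form field.
        ip = ipaddress.ip_address(remote_ip)
        return any(ip in net for net in self._allowed.get(user, []))
```
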