Posted by Richard Lynch on 03/01/05 22:25
Dan Trainor wrote:
> I'm pretty aware of how it all works. However, the problem lies in the
> fact that because most of the pre-installed billing software relies
> solely on .htaccess/.htpasswd-based authentication, it's not possible to
> just change the whole login system. For the most part, they're still
> using primitive means of authentication which are broken to begin with.
I believe that you could, perhaps, consider using PHP after the existing
.htaccess/.htpasswd authentication to provide a secondary test, without
disturbing the billing software setup.
The steps involved are:
HTTP Request
.htaccess/.htpasswd Challenge/Response, drives billing software
PHP $_SERVER['HTTP_AUTH_USER']/$_SERVER['HTTP_AUTH_PW'], drives abuse check
No need for anything as fancy as an extension.
If somebody is abusing/sharing a password, they still should get billed up
to the point of account termination, right?
Whatever you would do in this extension would have to still interface to
the .htaccess/.htpasswd system to alter billable status -- Which you can
probably do far easier in PHP anyway.
PHP could generate a list of accounts that are suffering suspicious
activity, which could be provided to the billing software in whatever
manner they desire, really.
You also have the advantage that it's a LOT easier to [find somebody to]
write, test, and debug a PHP script than an extension.
You'll also be able to more easily run tests in parallel with a "live"
site but without any real action really being taken until it's all proven
and reviewed and tested thoroughly. That's gonna be a lot tougher with an
extension whose C code is burned into the Apache binary, or even as a
loadable Module of compiled C code.
You can track a variety of factors such as IP, some unchanging browser
headers, login time, page surfing, http_referrer, etc and watch for
patterns from abusive accounts.
You can't rely on IP address directly, but if the same account is given
three different IP addresses in IP-space *known* to be owned by three
different ISPs, then you've got a pretty sure bet it's an abuse.
You'll need a ton of reverse DNS or dns-by-country lookups and caching,
but it's do-able.
Analyze the hell out of a few months' worth of old data, and/or start
logging live data and look for the patterns.
Come up with a formula for an "abuse factor scorecard" and then implement
a log with PHP of what you *WOULD* do with this account, and see if you
like the results.
Change the formula, log some more, watch for awhile.
The bottom line, though, is that you *HAVE* to "interfere with the
pre-existing authentication system" at *SOME* point in order to kick users
off -- Or else always have a human review of the evidence before action.
Either way, PHP is probably a cheaper/better solution than a dedicated
module, at least unless you find out that the formula for calculating a
user's score takes *sooo* long and is so complicated that PHP can't do it
fast enough -- Even then, I'd bet the time-sink is in things like DNS data
(cache it) and in logging, not the actual calculation.
--
Like Music?
http://l-i-e.com/artists.htm
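One way to implement the "log what you WOULD do" scorecard described in the post above, as an added example that is not code from the thread. It assumes mod_php, so Apache exposes the already-authenticated Basic-auth user as $_SERVER['PHP_AUTH_USER'] (the name PHP actually populates), and the log path, window and threshold are placeholder assumptions.

```php
<?php
// Added example: secondary abuse check run after Apache's .htaccess/.htpasswd
// challenge has already admitted the request. Assumes mod_php (PHP_AUTH_USER is
// set) and a writable log file; the path, window and threshold are assumptions.
define('ABUSE_LOG', '/var/log/billing-abuse.log');   // hypothetical path
define('WINDOW_SECONDS', 86400);                     // look back one day
define('SCORE_THRESHOLD', 3);                        // tune after reviewing logs

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
if ($user === '') {
    // Apache should have refused the request already; nothing for PHP to do.
    exit;
}

// Record this request: who, from where, with which browser, referer and when.
$record = [
    'ts'   => time(),
    'user' => $user,
    'ip'   => $_SERVER['REMOTE_ADDR'] ?? '',
    'ua'   => $_SERVER['HTTP_USER_AGENT'] ?? '',
    'ref'  => $_SERVER['HTTP_REFERER'] ?? '',
    'uri'  => $_SERVER['REQUEST_URI'] ?? '',
];
file_put_contents(ABUSE_LOG, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);

// Score the account over the recent window. Distinct /16 networks is a crude
// stand-in for "different ISPs"; a real deployment would swap in cached
// reverse-DNS or IP-to-country lookups as the post suggests.
function abuse_score(string $user, int $now): array {
    $nets = []; $agents = [];
    $lines = file(ABUSE_LOG, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $r = json_decode($line, true);
        if (!is_array($r) || $r['user'] !== $user || $now - $r['ts'] > WINDOW_SECONDS) {
            continue;
        }
        $nets[implode('.', array_slice(explode('.', $r['ip']), 0, 2))] = true;
        $agents[$r['ua']] = true;
    }
    // Scorecard: one point per extra network, one per extra browser signature.
    $score = max(0, count($nets) - 1) + max(0, count($agents) - 1);
    return ['score' => $score, 'networks' => count($nets), 'agents' => count($agents)];
}

$result = abuse_score($user, $record['ts']);
if ($result['score'] >= SCORE_THRESHOLD) {
    // Dry run: log what we WOULD do and leave the action to a human or the
    // billing software, exactly as the post recommends while the formula is unproven.
    error_log(sprintf('WOULD FLAG %s: score=%d networks=%d agents=%d',
        $user, $result['score'], $result['networks'], $result['agents']));
}
```

Under CGI or FastCGI SAPIs Apache does not forward the Basic-auth credentials by default, so PHP_AUTH_USER would be empty and this script would silently do nothing.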