Forum OpenACS Q&A: subscriber model

Collapse
Posted by Matthew Terenzio on
Does anyone know of an effective way to keep non-subscribers from
gaining access to certain publishings? Obviously you can't stop
someone from sharing their username and password. But can you bump
them off if there is more than one log-on? Any other tricks to
control multiple persons using the same name and password?
Collapse
Posted by S. Y. on
You wrote: "Does anyone know of an effective way to keep non-subscribers from gaining access to certain publishings?"

While I don't know anything about recent versions of OpenACS (you don't mention what version you want to know about), ACS Classic (Tcl) has had this feature pretty much since the very beginning (well, at least since autumn 1999). There should be a Tcl proc at the top of /home/pvt.tcl that does this (forces you to be registered and logged in). Posting a reply to the bboard requires this too (registered and logged in).

The same thing goes with /shared/community-member.tcl. If you're not logged in, you don't get to see the user's e-mail address. This is one of the fundamental concepts of the ACS and is probably mentioned in Philip's books.

Collapse
Posted by Matthew Terenzio on
Thanks Sean, but the question was intended to address multiple users using the same login. Can we effectively stop users of a pay-per-view sytem from sharing a  password. Like bumping or denying access if that username is already logged in. Or have I missed out on the fact that this is already a feature, I did read the book a couple of times!
Collapse
Posted by Yon Derek on
That doesn't seem so hard but might annoy users.

Conceptually:

  • you need to force the user to log-in. That's obvious and is built-in in ACS. That basically mean that you send a token encoded in a cookie from which you can get the id of the user (user_id)
  • then you need to generate a unique session id and encode it in a cookie as well; I don't know if there is any support for this built-in into ACS
When a user logs in you generate session id and insert (user_id, session_id) into a database. Upon (explicit) logout you remove this pair. Upon new login you'll check if there is another session for a given user_id. If not - fine. If yes it means that there are two sessions in progress. Of course it doesn't really mean that the user shares a password. Maybe he logged in at work, didn't log out (explicitely), came back home and logged in from a different computer.

There's also a question: what to do when you detect session sharing. You can silently drop the previous session which is ok for the above scenario (the same person logging on from different computers; he won't even notice). This would annoy the password-sharing scenario because two people couldn't access this paid service at the same time. They could, however, access it if their usage hours are not overlapping. There's no good way to prevent that. You can log the IPs from which any given user logs in and if you detect a suspicious pattern (e.g. he logs from 5 different IPs every day, sometimes from 2 different IPs at the same time) and make a call on banning such user. But you cannot automate that very well.

Also each protection technology has a trade-off: you want to deter the (probably few) bad guys without annoying (probably a majority) of good guys (paying customers). In this particular case the second part will be very hard to achive so overall any effort to protect might not be worth it.

As an side note: it seems like Apple has something like that as part of their developer program (you have to sign up for that and login to get the tools etc.). I just logged in second time today and they detected a second session. I guess Apple went for "silently dropping previous session" since I don't have any problems accessing the site because of that.

Collapse
Posted by S. Y. on
Oh, I get it. ACS Classic never had this feature; I guess someone else more familiar with OpenACS will tell you if it's a part of the current toolkit, but I haven't seen any comments/talk about such a beast.

It might be rather tricky to figure out how to gracefully deal with people who don't explicitly log out. If a user has a couple of computers, login accounts, etc. how does one determine which user session is the "valid" one? The first? Worse, this scenario sounds rather annoying for the end user.

Collapse
Posted by Matthew Terenzio on
So is the user session controlled by the cookie? If that's the case can't I just have the session expire when the cookie expires. In other words, set the cookie to expire in two hours and this will force a logout. Of course, this could annoy some people too. But its possible to have the session expire only if there is inactivity for a certain time.
Collapse
Posted by Don Baccus on
The toolkit ([Open]ACS 4) does keep basic session information - the code was written by aD.  So I think you could probably put together code to give you the kind of control you're looking for.  There's not built-in, direct support for it though.
Collapse
Posted by randy saffold on
Like the original poster, I am also interested in login control. In the text above, you speak of cookie use to time out or control user login.  My question is has anyone done this in practice.  We are building a community portal that will be accessed in public libraries and technology access centers.  Novice users will forget to logout and people may post potentially explosive comments in other peoples names.  We are looking to control user login from a slightly different perspective to avoid this.  My apologies if this post should really have gone in a new thread, but you all seemed to be pointing this way.  Does anyone have input or sugestions from this perspective on login control? Thanks if you can give assistance.