Multi Login Security Issue

Started by sarethan, November 25, 2010, 12:16:17 PM


sarethan

I just moved away from WordPress to SMF because of an issue that allowed several users to log in at the same time. Is this something that will be an issue with SMF? I see that 2 RC4 does this as well, and I read old posts about 1.X doing it. As memberships are attached to the users' accounts, this is something that would have me searching again. Any information would be helpful. Thanks.

Oldiesmann

What do you mean by "allowed several user to login at the same time"?
Michael Eshom
Christian Metal Fans

sarethan

I have a network of about 20 computers, and I can sign in on one as root, then go to another as root, and another, and they all work at the same time. I click different things to ensure it's not just an old cookie.

Oldiesmann

How is allowing one account to be logged in from multiple computers at the same time a security issue?
Michael Eshom
Christian Metal Fans

sarethan

Because the membership can be shared. Thus there is no need for several memberships, because theoretically everyone could share one.

sarethan

Security levels and permissions hold no bearing if everyone could share one account. If you were to introduce infractions on accounts for any reason, it would also bear no significance, because someone could Google a username and password one was willing to share; heck, why wouldn't they if they can use the account at the same time as everyone else? It kind of negates the whole reason for users and passwords at all.

busterone

I personally do not understand the relevance. It is a discussion forum. Who would want to give out their user name and password to someone else, only to have someone else post on their account, possibly posting offensively and getting themselves banned from the forum? That may happen on extremely rare occasions, but most people who register and participate in an online forum want to get the credit for what they post (post count, karma, or simply a conversation with someone).

sarethan

Think of this: you have a members' subscription... for what? Certain downloads, to view secret information, access to a program you wrote? There are several reasons why you may have a membership/subscription section. But the fact is, you are having people pay to access something. Now let's say they don't want to pay. Well, they can trick the board and steal from you by simply using someone else's user/pass to download/access this other content. I personally don't like being taken advantage of, so I posted this topic on a forum board to see if a fix exists. Not only is there no real talk of a fix, but people in general don't seem to mind that they have given people a way to steal from them. I ask again, why have a subscription section if anyone, paid or not, can get in? This is not the only board to do this. WordPress has this issue; I spent last week with that. phpBB charges for the addon to manage subscriptions, vBulletin is kinda pricey, and now I guess SMF doesn't care.

Illori

I don't see there being any way to secure a login like you want. If I switch computers or my IP address changes, I still want to be able to log into my forum. SMF has no way built in to stop people from logging in from more than one PC.

sarethan

As best I understand it, there is a query function to the database to see if the user is logged in already, and if they are, it echoes or shows text saying that the user is already logged in. IPs or the current PC they are at don't really matter, as IPs and PCs change. But this restricts the board to only allowing one of each user to be logged in at a time, without making that user suffer any. I just don't know the code to enter.

Illori

Unlike something like Gmail, once you have been idle on the forum for a set amount of time you are no longer active; there is no way for the forum to know if you have the forum up in some browser and are not actively looking at it. You would be able to tell if someone is logging in from more than one IP address by looking in their profile; otherwise there is no real way to do what you want without trying to rewrite a lot of how the forum works.

sarethan

I found this for WordPress, but I can't verify it works, and I can't seem to get it to. Though maybe there is a similar fix for SMF.

<?php
// Prevent Membership Fraud
// Note: the mysql_* functions used here were deprecated in PHP 5.5 and removed in PHP 7;
// on a current PHP the same queries would go through mysqli or PDO.
// check if someone is logged in
if (isset($_SESSION['user_id'])) {
    // connect to your db
    require('../../../connect.php');
    /* build query using user_id and the current session_id, get count. If the query
       comes back with a 1, it means there is a match. A match is good because it means
       no one else logged in during their session. On the other hand, a 0 indicates
       no match, meaning someone else logged in simultaneously. Zeros get the boot of death. */
    $result = mysql_query('SELECT COUNT(*) FROM user WHERE user_id=' . (int) $_SESSION['user_id']
        . " AND session_id='" . mysql_real_escape_string(md5(session_id())) . "'");
    $login_status = mysql_result($result, 0, 0);
    // recall 1 is good, 0 is bad
    if (0 == $login_status) {
        // give them the boot
        // this is copied from my logout script
        $_SESSION = array();                                    // destroy the variables
        session_destroy();                                      // destroy the session itself
        setcookie(session_name(), '', time() - 300, '/', '', 0); // destroy the cookie
        echo 'Hey, someone else logged in using your account info which means you get the boot.';
        exit();
    }
}
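The mechanism sarethan describes (record the session issued at login on the user's row, then on every request check that the visitor's session is still the recorded one) can be shown end to end against an in-memory table. The Python below is an added example written for this thread; it is not SMF's, WordPress's or sarethan's code. The `user` table, its `session_hash` and `last_seen` columns, the `IDLE_LIMIT` value and the use of SHA-256 in place of the snippet's `md5(session_id())` are all assumptions made for the illustration. It goes one step beyond the snippet by implementing both policies the thread argues about: "newest login wins", which is what the snippet does (the earlier session is booted on its next request), and "refuse a second login while the first is still active", which needs the last-activity timestamp Illori points out the forum would have to track.

```python
import hashlib
import secrets
import sqlite3

IDLE_LIMIT = 900  # seconds; constructed value standing in for the forum's session timeout


def setup_db():
    """Constructed stand-in for the forum's members table, with one test user."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user ("
        " user_id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " session_hash TEXT,"   # hash of the token issued at the most recent login
        " last_seen INTEGER)"   # unix time of the last request made with that token
    )
    db.execute("INSERT INTO user (user_id, name) VALUES (1, 'alice')")
    return db


def _hash(token):
    # Store only a hash (the snippet does the same with md5(session_id())), so a
    # read of the table does not hand out tokens that would be accepted as-is.
    return hashlib.sha256(token.encode()).hexdigest()


def login(db, user_id, now, policy="newest_wins"):
    """Issue a session token for user_id, or return None if the login is refused.

    newest_wins: always issue a token; the previously recorded one stops matching,
                 so the older session is booted on its next request.
    refuse:      if the recorded session was used within IDLE_LIMIT, keep it and
                 refuse the new login instead.
    """
    if policy == "refuse":
        row = db.execute(
            "SELECT last_seen FROM user WHERE user_id = ?", (user_id,)
        ).fetchone()
        if row and row[0] is not None and now - row[0] < IDLE_LIMIT:
            return None
    token = secrets.token_hex(16)
    db.execute(
        "UPDATE user SET session_hash = ?, last_seen = ? WHERE user_id = ?",
        (_hash(token), now, user_id),
    )
    return token


def is_current(db, user_id, token, now):
    """Per-request check: True only if token is the one recorded for user_id.

    A False result is the point where the snippet clears $_SESSION, destroys the
    session and expires the cookie.
    """
    row = db.execute(
        "SELECT session_hash FROM user WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None or row[0] is None:
        return False
    if not secrets.compare_digest(_hash(token), row[0]):
        return False
    db.execute("UPDATE user SET last_seen = ? WHERE user_id = ?", (now, user_id))
    return True


def demo():
    """Walk through both policies and return the outcomes."""
    db = setup_db()
    first = login(db, 1, now=1000)
    second = login(db, 1, now=1010)                      # a second browser logs in
    booted = not is_current(db, 1, first, now=1020)      # first session no longer matches
    refused = login(db, 1, now=1030, policy="refuse") is None   # second is still active
    later = login(db, 1, now=1030 + IDLE_LIMIT, policy="refuse") is not None
    return {"booted": booted, "refused": refused, "allowed_after_idle": later}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing before applying either policy to a real board. Both compare sessions, not people, so neither distinguishes Kindred's one person on eight computers from several people on one account; `newest_wins` merely logs the earlier devices out rather than locking anyone out, which is why it is the gentler default. And `refuse` only works as well as the idle limit: with a browser tab left open and no activity, the forum cannot tell an abandoned session from an active one, exactly the gap Illori describes.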

Kindred

Fix?

There is nothing broken.

I use my account from at least 8 different computers, and I would *HATE* to be denied access to my account just because I was connecting to the internet from a library computer... or from a computer with a dynamic DNS.

So, no, there is no code built for SMF to do what you are asking (although I do think that someone built a mod which limited the ADMIN access from a specific IP address, limiting the general user is just plain stupid).
Glory to Ukraine

Please do not PM, IM or email me with support questions. You will get better and faster responses in the support boards. Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
