Loading...
 

Browser based limits on logins

Browser based limits on logins


New feature idea. I'd be specially interested in opinions about using Trackers for storage.

Objective

This is about restricting access for people who would buy access to some paying restricted site and then share their login credentials with the rest of the world.

  • When a registered user connects to website.tld, we set a cookie in his browser, and we register his browser as "authorised browser for 30 days"
  • Every time he comes back to website.tld we read his cookie to check if he is an "authorised browser".
    • If he is already authorised we let him log in, and update the "authorised browser" expiration date to 30 days further
    • if he is not we check how many "authorised browsers" do we have listed from him.
      • If we have less than 3 authorised browsers: we register his new browser and let him log in.
      • If he already has 3 authorised machines: deny the login.

  • In case a browser is not used in 30 days we drop it from the list of authorised browsers.
  • I will also need a "control panel" so I can manually remove authorised machines from the list (I guess I will have to make some exceptions as users buy new computers, delete cookies, travel...), or change the number of authorised browsers to 4, 5, 2…


Data storage

I'm considering the storage of the cookies references could be in a tracker

  • Plus: added flexibility and avoiding having yet another database table. A minimal "control panel" would be sufficient because anyone can create their own fancy management wiki page using LIST or LISTEXECUTE plugin.
  • Minus: it might slow down login, which decreases user experience; it will break login when the index is not synchronized; we can't use the tiki methods because permissions to these records will be limited to admins
    + Mitigation strategies: skip the tiki methods and get the info using direct SQL queries during login process. Do we have ways of registering asynchronous deletion of tracker items and asynchronous updating of fields and flagging tracker items for being reindexed?

Clean up

How do we delete obsolete "authorised browsers" records? Keeping them forever makes no sense and will eventually slow things down.

  • Doing it during the login process
    • Plus: Simple
    • Minus: Might slow down login, which decreases user experience.
  • Setting up a scheduled process
    • Plus: If it works, there is no negative impact
    • Minus: This requires to set up the scheduler and is too cumbersome and people will just forget to do it, or do it wrong and never notice.
  • A "delete all expired records" button in the "control panel".
    • Plus: Simple. Total control for the admin, in case they prefer to keep records for analysing suspicious activity
    • Minus: They might forget to do it after a while

Technical solution so far


Following the discussion in the dev mailing list, we can split this in two parts. The first one is a general-purpose new table which can be used for other features

Login history table

A new general purpose new table for login history with all required fields for all future use cases with the following fields (not necessarily already used), and use that for my use case which would be nicely separated:

  • userId
  • browser name
  • operating system (usually part of browser name)
  • last login time
  • last logout time (for later use)
  • geo-location (for later use)

I would not enable it per default and especially not on our community sites because they would actually collect personal data which users have *not* volunteered. So if we want this, we should first think about our "Terms & Conditions", as mentioned in this other thread on the topic of the new eu regulations. I'd also like that it's not an on/off thing, people should decide if they want to collect IP history, OS type, geolocalisation and not collect what they don't want to have in storage about their users.

Also, this sql table would have all the data which need quick access and updating during the login phase and which we would rather not have show up in searches, which is perfect.
I could just use some tracker for the use case specific data such as keeping track of each user's maximum browser limit.

Browser based limits


Additional requirement: It's only for some groups, not all.
This looks more and more like the user tracker features.

Page last modified on Wednesday 28 March, 2018 14:37:31 GMT-0000

Keywords

The following is a list of keywords that should serve as hubs for navigation within the Tiki development and should correspond to documentation keywords.

Each feature in Tiki has a wiki page which regroups all the bugs, requests for enhancements, etc. It is somewhat a form of wiki-based project management. You can also express your interest in a feature by adding it to your profile. You can also try out the Dynamic filter.

Accessibility (WAI & 508)
Accounting 7.x
Administration
Ajax 2.x
Articles & Submissions
Backlinks
Banner
Batch 6.x
BigBlueButton audio/video/chat/screensharing (5.x)
Blog
Bookmark
Browser Compatibility
Calendar
Category
Chat
Comment
Communication Center
Consistency
Contacts Address book
Contact us
Content template
Contribution 2.x
Cookie
Copyright
Credits 6.x
Custom Home (and Group Home Page)
Database MySQL - MyISAM
Database MySQL - InnoDB
Date and Time
Debugger Console
Directory (of hyperlinks)
Documentation link from Tiki to doc.tiki.org (Help System)
Docs 8.x
DogFood
Draw 7.x
Dynamic Content
Preferences
Dynamic Variable
External Authentication
FAQ
Featured links
Feeds (RSS)
File Gallery
Forum
Friendship Network (Community)
Group
Help
History
Hotword
HTML Page
i18n (Multilingual, l10n, Babelfish)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
jQuery
Kaltura video management
Karma
Live Support
Logs (system & action)
Lost edit protection
Mail-in
Map
Menu
Meta Tag
Missing features
Visual Mapping 3.x
Mobile Tiki and Voice Tiki
Mods
Modules
MultiTiki
MyTiki
Newsletter
Notepad
OS independence (Non-Linux, Windows/IIS, Mac, BSD)
Organic Groups (Self-managed Teams)
Packages
Payment 5.x
PDF
Performance Speed / Load / Compression / Cache
Permission
Poll
Profiles
Quiz
Rating
Realname
Report
Revision Approval
Scheduler
Score
Search engine optimization (SEO)
Search
Security
Semantic links 3.x
Share
Shopping Cart 5.x
Shoutbox
Site Identity
Slideshow
Smarty Template
Social Networking
Spam protection (Anti-bot CATPCHA)
Spellcheck
Spreadsheet
Staging and Approval
Stats
Survey
Syntax Highlighter (Codemirror)
Tablesorter
Tags 2.x
Task
Tell a Friend, alert + Social Bookmarking
Terms and Conditions
Theme
TikiTests 2.x
Timesheet
Token Access
Toolbar (Quicktags)
Tours
Trackers
TRIM
User Administration
User Files
User Menu
Watch
WebHelp
Webmail and Groupmail
WebServices 3.x
Wiki 3D
Wiki History, page rename, etc
Wiki plugins extends basic syntax
Wiki syntax text area, parser, etc
Wiki structure (book and table of content)
Workspace and perspectives 4.x
WYSIWTSN 4.x
WYSIWYCA
WYSIWYG 2.x
XMLRPC
XMPP




Useful Tools