Discouraging Login Sharing

I am wondering if CB Subs has features to discourage login sharing.

I know that complete prevention is impossible.

However, login status messages that show the user id's last 5 logins and the Ip addresses would send a message that it is being paid attention to.

Would also be nice to have reports and even email alerts for the administrator to detect when login id sharing might be occurring.

Is there anything like this in the product or anything like this planned?

Currently there's no security feature to prevent login sharing. We may implement something similar to other sites that track number of IPs and block based off a predefined count being reached. It's something to review for CB 2.0. I'm not guaranteeing it'll be implemented, but I'm not saying it definitely isn't either; it's a maybe. For now there has been a couple of workarounds implemented. For example using CB Auto Actions to store ip address to a field upon login then on subsequent login matching those IPs to see if they're different, etc..

It would be great to simply start with a login message that shows the user that this is being tracked. I have put in a request with the developer of Saxum IP logger to support a login message features that is CB compatible (they already have last 5 for admins and it includes location): saxum2003.hu/en/downloads/category/2-iplogger.html

Also, I don't think I would ever want auto-blocking - rather I would want a report to the admin about suspicious activity that is based on some basic analytics parameters.

For instance, broadly differing geographic locations in the same day. Over 10 logins in a single day (even if from the same IP). The same page being viewed over 50 times in a week.

Maybe a *configurable* auto-email warning them that their activity appears to be login sharing and they should contact the admin with an explanation.

Would like the reporting to also be threshold based - so I don't even have to review a report if there is nothing concerning.

Thresholds for auto-emails and admin report emails should be independent.

I am VERY interested in MAXIMUM discouragement with NO ACTUAL intervention (due to the administrative overhead).

If I reduce login sharing by 70% just by login messages and warning emails - I'm good for the day.

If I start auto-blocking accounts just due to a change in IP address, I make the system into a burden for myself and my customers by - a) Creating ticked customers who are disabled due to normal behaviors like accessing from home, work and then a business trip, b) manual re-enablements AFTER ticked customers contact me.

Also, I feel this should be a part of CBSubs, not core CB, so you are getting revenue for helping those of us who bought the component retain earned revenue. It is very justifiable to limit this feature to CBSubs from a business perspective.

Depending on what I charge for my memberships, this feature could be a huge money *generator* and it would definitely be a differentiating feature compared to other Joomla membership management systems.

Tagline: "CBSubs saves more money than it costs by discouraging Login Sharing."

I would just beg you that it focus on "communicating to the user that the system is monitoring for user id sharing" rather than an over-simplistic disablement that costs me much more admin work and costs me my "customer satisfaction" - I can't buy "Customer Sat" back easily.

It's something we're considering for core of CB for CB 2.0. We'll be reviewing out similar popular systems (Joomla extensions or otherwise) and seeing what works best. For now there is no such solution that I am aware of, but you could sort of rig something together with CB Auto Actions and a database table quite easily.

I believe there are also already Joomla-level plugins that allow something like that.

Hi Krileon,

krileon wrote: For example using CB Auto Actions to store ip address to a field upon login

How can I get the user's current IP address within auto actions?

I have set up an email auto action which sends me an email when a user has successfully logged in on my site.

I've read the substitution usage tutorial but still have no idea how I can get the IP address.

Can you give me a hint?

Is somewhere a complete list of substitution variables available?

Best regards

Richard67