Posted to users@httpd.apache.org by Ryan A <r...@jumac.com> on 2003/01/11 22:45:16 UTC

[users@httpd] OT-Getting info and DAP etc clients

Hi,
I am trying to make a small software piece in Perl/PHP for Apache which will record users when they enter the members area to catch password sharing...
I have already been able to record their IP address but I would like to know what else can I get?
e.g.:
computer name?

Second question is, when DAP or other download clients download from a website, do they give out the IP from where they are coming from? Am confused on that and couldn't find the answer on Google....

Any help appreciated.
Cheers,
-Ryan A.

Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by George Valpak <gv...@yahoo.com>.
At 06:51 PM 1/11/2003 -0500, Chris Meadors wrote:
>George Valpak wrote:
>>What if you only allowed x (maybe x=1) simultaneous logins? This
>>could be managed at authorization time.
>
>It may appear that you only have to log in at the start of a session, but actually the browser remembers that you had to send authorization information and continues to send it for each future page requested.

Of course that is correct - the browser resends the authorization info each time. What I was hoping to convey, but was vague about, was that you can capture session-like info much earlier in the process under the right conditions, and use that to decide if a password is still logged in (= not currently available from a different or "different enough" IP address unless the original account explicitly logs out or times out later, or something like that).

GV


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
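
The check discussed in this thread (at most x simultaneous logins per account, released by an explicit logout or a timeout, with a "different enough" IP test), as an added example that is not code from any of the posters. The class and function names, the 15-minute timeout and the rule that IPv4 addresses in the same /24 count as one client are assumptions made for illustration; it is written in Python rather than as a mod_perl or PHP handler so the logic runs on its own.

```python
import ipaddress

class LoginTracker:
    """In-memory record of which client network currently holds each account."""

    def __init__(self, max_clients=1, idle_timeout=900, v4_prefix=24):
        self.max_clients = max_clients    # the "x" in "x simultaneous logins"
        self.idle_timeout = idle_timeout  # seconds of silence before a holder times out
        self.v4_prefix = v4_prefix        # assumption: same /24 is not "different enough"
        self.active = {}                  # user -> {network: last_seen}

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        plen = self.v4_prefix if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def authorize(self, user, ip, now):
        """Run on every request, after the password itself has been verified."""
        holders = self.active.setdefault(user, {})
        for net in [n for n, seen in holders.items() if now - seen > self.idle_timeout]:
            del holders[net]              # this holder timed out
        net = self._network(ip)
        if net in holders:
            holders[net] = now            # same client as before: refresh its timer
            return True, "known client"
        if len(holders) < self.max_clients:
            holders[net] = now
            return True, "new login"
        return False, "account already in use"

    def logout(self, user, ip):
        """An explicit logout frees the slot immediately."""
        self.active.get(user, {}).pop(self._network(ip), None)

# Constructed sample requests: (seconds, user, client IP from documentation ranges).
SAMPLE = [
    (0,    "alice", "192.0.2.10"),    # first login
    (60,   "alice", "192.0.2.77"),    # dynamic IP, same /24: same client
    (120,  "alice", "198.51.100.5"),  # other network while the account is held
    (1200, "alice", "198.51.100.5"),  # original holder idle for 1140 s: slot is free
    (1260, "alice", "192.0.2.10"),    # original client returns, slot now taken
]

def replay(events, **options):
    """Feed events through a fresh tracker; returns a list of (allowed, reason)."""
    tracker = LoginTracker(**options)
    return [tracker.authorize(user, ip, t) for t, user, ip in events]

if __name__ == "__main__":
    for event, (allowed, reason) in zip(SAMPLE, replay(SAMPLE)):
        print(event, "ALLOW" if allowed else "DENY", reason)
```

Because the address a server sees can belong to a proxy or router rather than the user, a denial from this check is better treated as a signal to log and review than as proof of sharing.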


Re: [users@httpd] George Valpack-->Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by George Valpak <gv...@yahoo.com>.
At 01:15 AM 1/12/2003 +0100, you wrote:
>Hi,
>I am more of a PHP and java programmer, is learning PERL hard? or  can you
>give me a good resource on the web to learn perl and using the mod_perl
>module?

Perl's motto is "there is more than one way to do it" so there isn't a good answer to "is it hard" :)

I suggest starting at www.perl.org for general perl stuff, and www.apache.org for apache stuff - there is extensive mod_perl help there.

I think you really are looking at apache issues so look up about the authentication/authorization phases of the apache cycle.

I don't know the configuration of your server - mod_perl may or may not be installed. It gets installed at apache build time, at least by me. apache.org can tell you if there is a way to do otherwise, but I am not sure about if it is or not.

I also would suspect you can get similar abilities from mod_php which may or may not be installed. I don't know the definitive source for info on that, but I do know there is a brand new PHP cookbook from O'Reilly which might address using mod_php to access Apache internals as mod_perl does.

Googling "php apache authentication" might turn up some useful stuff. I don't think what I described earlier strictly needs to be implemented in perl, just that is the world I come from. You could probably do it in Java too - substitute java for php in that google suggestion.

GV





[users@httpd] George Valpack-->Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by Ryan A <r...@jumac.com>.
Hi,
I am more of a PHP and Java programmer. Is learning Perl hard? Or can you
give me a good resource on the web to learn Perl and using the mod_perl
module?

Cheers,
-Ryan A.


----- Original Message -----
From: "George Valpak" <gv...@yahoo.com>
To: <us...@httpd.apache.org>
Sent: Sunday, January 12, 2003 12:50 AM
Subject: Re: [users@httpd] OT-Getting info and DAP etc clients


> At 06:51 PM 1/11/2003 -0500, you wrote:
> >George Valpak wrote:
> >>What if you only allowed x (maybe x=1) simultaneous logins? This
> >>could be managed at authorization time.
> >
> >HTTP is stateless, you can't track how many times a person is "logged in" or when they log out.
> >
> >It may appear that you only have to log in at the start of a session, but actually the browser remembers that you had to send authorization information and continues to send it for each future page requested.
>
> I admit I picked up the thread in the middle, but isn't he talking about preventing password sharing? If so, then he must know if a particular account is in use ("logged in" at any given time).
>
> Oh wait, you have to use something other than Basic Authentication for that, which could mean writing a handler to handle the authentication/authorization. Since I do all my work under mod_perl, I do that all the time and sort of forgot it is not available by default.
>
> So let me rephrase my original answer:
>
> If  you are able to create an authentication/authorization handler, then you can use something other than Basic authentication to track whether or not someone is logged in. You could then prevent or at least manage, simultaneous logins as needed. This could, depending on your reasons for wanting to prevent pw sharing, help a lot.
>
> Sessions can help, but authorization happens at an earlier stage in Apache's processing cycle and so you could catch folks before a session is even created for them.
>
> GV


Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by George Valpak <gv...@yahoo.com>.
At 06:51 PM 1/11/2003 -0500, you wrote:
>George Valpak wrote:
>>What if you only allowed x (maybe x=1) simultaneous logins? This
>>could be managed at authorization time.
>
>HTTP is stateless, you can't track how many times a person is "logged in" or when they log out.
>
>It may appear that you only have to log in at the start of a session, but actually the browser remembers that you had to send authorization information and continues to send it for each future page requested.

I admit I picked up the thread in the middle, but isn't he talking about preventing password sharing? If so, then he must know if a particular account is in use ("logged in" at any given time). 

Oh wait, you have to use something other than Basic Authentication for that, which could mean writing a handler to handle the authentication/authorization. Since I do all my work under mod_perl, I do that all the time and sort of forgot it is not available by default.

So let me rephrase my original answer:

If you are able to create an authentication/authorization handler, then you can use something other than Basic authentication to track whether or not someone is logged in. You could then prevent, or at least manage, simultaneous logins as needed. This could, depending on your reasons for wanting to prevent pw sharing, help a lot.

Sessions can help, but authorization happens at an earlier stage in Apache's processing cycle and so you could catch folks before a session is even created for them.

GV






Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by Chris Meadors <cl...@hereintown.net>.
George Valpak wrote:
> What if you only allowed x (maybe x=1) simultaneous logins? This
> could be managed at authorization time.

HTTP is stateless, you can't track how many times a person is "logged 
in" or when they log out.

It may appear that you only have to log in at the start of a session, 
but actually the browser remembers that you had to send authorization 
information and continues to send it for each future page requested.

-- 
Chris




Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by George Valpak <gv...@yahoo.com>.
What if you only allowed x (maybe x=1) simultaneous logins? This could be managed at authorization time. 

GV

At 12:09 AM 1/12/2003 +0100, you wrote:
>Hey!
>Thank you for replying.
>other than sessions, what else? I am already using sessions, my idea is to
>use a multiple of  info from the clients computer...right now its upto
>ip,cookies,sessions...anything else you can think of?
>Cheers,
>-Ryan A.
>
>
>> Ryan,
>> you can't rely on ip numbers with a lot of isp's using dynamic ips.
>> every time a user connects they have a different ip.
>> there are a number of portal sites written in php that work at keeping
>> password sharing down. the most effective method for them is sessions.
>> ( though none seem to use sessions completely. )
>> a better way to go, if you are talking archives, is locking the archive
>> and emailing password to unlock it when they download it.
>>
>> the ip is always included in the headers, but not always the users ip,
>> it can be from a router or proxy server instead.
>>
>> Ryan A wrote:
>> > Hi,
>> > I am trying to make a small software piece in perl/PHP for apache which
>> > will record users when they enter the members area to catch password
>> > sharing...
>> > I have already been able to record their ip address but i would like to
>> > know what else can i get?
>> > eg:
>> > computer name?
>> >
>> > second question is, when DAP or other download clients download from a
>> > website, do they give out the IP from where they are coming from? am
>> > confused on that and couldnt find the answer on google....
>> >
>> > Any help appreciated.
>> > Cheers,
>> > -Ryan A.
>> >
>>


Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by Ryan A <r...@jumac.com>.
Hi All,
Thanks guys, but basically it all comes down to:
if I was "big brother", how much can I know about a single client/login?

If I know that, I can use something like
if (userip=blah) and (cookie=true) and (session=true) and
(computername=blah?) and etc etc etc

That would make it mighty hard for someone to forge, wouldn't it? The more
fields I define, the harder to forge...

All replies appreciated....
Cheers,
-Ryan.


----- Original Message -----
From: "J. Greenlees" <ja...@shaw.ca>
To: <us...@httpd.apache.org>
Sent: Saturday, January 11, 2003 10:56 PM
Subject: Re: [users@httpd] OT-Getting info and DAP etc clients


> Ryan,
> you can't rely on ip numbers with a lot of isp's using dynamic ips.
> every time a user connects they have a different ip.
> there are a number of portal sites written in php that work at keeping
> password sharing down. the most effective method for them is sessions.
> ( though none seem to use sessions completely. )
> a better way to go, if you are talking archives, is locking the archive
> and emailing password to unlock it when they download it.
>
> the ip is always included in the headers, but not always the users ip,
> it can be from a router or proxy server instead.
>
> Ryan A wrote:
> > Hi,
> > I am trying to make a small software piece in perl/PHP for apache which
> > will record users when they enter the members area to catch password
> > sharing...
> > I have already been able to record their ip address but i would like to
> > know what else can i get?
> > eg:
> > computer name?
> >
> > second question is, when DAP or other download clients download from a
> > website, do they give out the IP from where they are coming from? am
> > confused on that and couldnt find the answer on google....
> >
> > Any help appreciated.
> > Cheers,
> > -Ryan A.
> >
>


Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by Ryan A <r...@jumac.com>.
Hey!
Thank you for replying.
Other than sessions, what else? I am already using sessions; my idea is to
use multiple pieces of info from the client's computer... right now it's up to
IP, cookies, sessions... anything else you can think of?
Cheers,
-Ryan A.


> Ryan,
> you can't rely on ip numbers with a lot of isp's using dynamic ips.
> every time a user connects they have a different ip.
> there are a number of portal sites written in php that work at keeping
> password sharing down. the most effective method for them is sessions.
> ( though none seem to use sessions completely. )
> a better way to go, if you are talking archives, is locking the archive
> and emailing password to unlock it when they download it.
>
> the ip is always included in the headers, but not always the users ip,
> it can be from a router or proxy server instead.
>
> Ryan A wrote:
> > Hi,
> > I am trying to make a small software piece in perl/PHP for apache which
> > will record users when they enter the members area to catch password
> > sharing...
> > I have already been able to record their ip address but i would like to
> > know what else can i get?
> > eg:
> > computer name?
> >
> > second question is, when DAP or other download clients download from a
> > website, do they give out the IP from where they are coming from? am
> > confused on that and couldnt find the answer on google....
> >
> > Any help appreciated.
> > Cheers,
> > -Ryan A.
> >
>


Re: [users@httpd] OT-Getting info and DAP etc clients

Posted by "J. Greenlees" <ja...@shaw.ca>.
Ryan,
You can't rely on IP numbers with a lot of ISPs using dynamic IPs.
Every time a user connects they have a different IP.
There are a number of portal sites written in PHP that work at keeping
password sharing down. The most effective method for them is sessions
(though none seem to use sessions completely).
A better way to go, if you are talking archives, is locking the archive
and emailing a password to unlock it when they download it.

The IP is always included in the headers, but not always the user's IP;
it can be from a router or proxy server instead.

Ryan A wrote:
> Hi,
> I am trying to make a small software piece in perl/PHP for apache which 
> will record users when they enter the members area to catch password 
> sharing...
> I have already been able to record their ip address but i would like to 
> know what else can i get?
> eg:
> computer name?
>  
> second question is, when DAP or other download clients download from a 
> website, do they give out the IP from where they are coming from? am 
> confused on that and couldnt find the answer on google....
>  
> Any help appreciated.
> Cheers,
> -Ryan A.
>  


