How to stop shortcut logins?!?! - GoFuckYourself.com

cafeaulait · 02-15-2003, 05:27 AM

Is it possible to stop members logging in using the http://username:[email protected] format?

And force an authentication box onto them?

Cheers.

G

JayJay · 02-15-2003, 05:51 AM

/\ BUMP /\

also looking for an answer to this question

J B · 02-15-2003, 06:04 AM

Not sure but wouldn't a referrer check do the trick?

Maqua · 02-15-2003, 07:51 AM

You may find your answer here: http://groups.google.com/

gothweb · 02-15-2003, 07:52 AM

I asked someone about this, and got a suggestion for my htaccess files. Unfortunately, neither of us could make it work. I would really love a solution about this.

Calvinguy · 02-15-2003, 07:58 AM

Try to add the following to your htaccess file.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*domain.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule /* http://www.domain.com/ [L,R]

Nevermind. Just tried it and it didn't work....

notjoe · 02-15-2003, 08:18 AM

Quote:

Originally posted by cafeaulait
Is it possible to stop members logging in using the http://username:[email protected] format?

And force an authentication box onto them?

Cheers.

G

Yes there is. Check the referring url upon login and if it isnt from y our pre-login page/domain you reject the login.

notjoe · 02-15-2003, 08:18 AM

Quote:

Originally posted by J B
Not sure but wouldn't a referrer check do the trick?

Yes it would!

rowan · 02-15-2003, 09:24 AM

I fiddled around with this myself, and from my experiments concluded that the user:pass@host format is local only - it's not actually passed through to the web server. The referer solution is probably your best bet, although it will cause problems with software that blocks it.

gothweb · 02-15-2003, 10:06 AM

Quote:

Originally posted by rowan
I fiddled around with this myself, and from my experiments concluded that the user:pass@host format is local only - it's not actually passed through to the web server. The referer solution is probably your best bet, although it will cause problems with software that blocks it.

I thought it might be local only, based on the kinds of failures we saw. That is a shame. Does anyone else mostly hate these because of public (free) trackers?

CDSmith · 02-15-2003, 10:53 AM

Quote:

Originally posted by gothweb
Does anyone else mostly hate these because of public (free) trackers?

The paysites I've worked for had that problem a few years ago, but when I switched them over to a password protected paycounter it was never a problem again. Not sure why else anyone would want to block the quick login..... it's pretty convenient for members, especially regular long timers.

chupacabra · 02-15-2003, 10:59 AM

switching to a 'script-based' authentication model instead of 'server-based (straight .htaccess -> .htpasswd), will solve this problem... people will be forced to go through a login gateway that relies on a script to call to .htpasswd, and i don't believe it can be crossed by user:pass@host login attempts... pw sentry uses a script-based auth model, i highly recommend it..

02-15-2003, 05:27 AM	#1
cafeaulait Confirmed User Industry Role: Join Date: Jun 2002 Posts: 587	How to stop shortcut logins?!?! Is it possible to stop members logging in using the http://username:[email protected] format? And force an authentication box onto them? Cheers. G

02-15-2003, 06:04 AM	#3
J B Confirmed User Join Date: May 2002 Location: StatsRemote.com Posts: 1,804	Not sure but wouldn't a referrer check do the trick? __________________ A HUGE TIME SAVER FOR LESS THAN $1 PER DAY! Contact: support A\|T statsremote D\|O\|T com

02-15-2003, 07:51 AM	#4
Maqua E.M.O Industry Role: Join Date: Feb 2001 Location: Possum Lodge Posts: 2,031	You may find your answer here: http://groups.google.com/ __________________ T.G.D *Two Guys Domains, In business since 1997, EMO Domains, your one stop domain shop, Twitter @maquaed*, Keep your stick on the ice!!

02-15-2003, 07:52 AM	#5
gothweb Confirmed User Join Date: Jun 2002 Location: Back in the USSA Posts: 8,849	I asked someone about this, and got a suggestion for my htaccess files. Unfortunately, neither of us could make it work. I would really love a solution about this. __________________ Photos by Ian X.: Distinctive photos of goth babes. Blood Money:Your traffic, my sites, our money. MojoHost: Still the best.

02-15-2003, 07:58 AM	#6
Calvinguy Confirmed User Join Date: Oct 2002 Location: European Union Posts: 1,752	Try to add the following to your htaccess file. RewriteEngine On RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)domain.com/ [NC] RewriteCond %{HTTP_REFERER} !^$ RewriteRule / http://www.domain.com/ [L,R] Nevermind. Just tried it and it didn't work.... Last edited by Calvinguy; 02-15-2003 at 08:02 AM..

02-15-2003, 05:51 AM	#2
JayJay Confirmed User Join Date: Jun 2002 Posts: 3,739	/\ BUMP /\ also looking for an answer to this question

02-15-2003, 09:24 AM	#9
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	I fiddled around with this myself, and from my experiments concluded that the user:pass@host format is local only - it's not actually passed through to the web server. The referer solution is probably your best bet, although it will cause problems with software that blocks it.

02-15-2003, 10:59 AM	#12
chupacabra Confirmed User Join Date: Sep 2002 Posts: 3,626	switching to a 'script-based' authentication model instead of 'server-based (straight .htaccess -> .htpasswd), will solve this problem... people will be forced to go through a login gateway that relies on a script to call to .htpasswd, and i don't believe it can be crossed by user:pass@host login attempts... pw sentry uses a script-based auth model, i highly recommend it..