Author |
Topic |
|
Fuzion
Junior Member
162 Posts |
Posted - 18 July 2002 : 18:50:57
|
Ok, last time I checked the Ban By Cookie mod wasn't working. I re-checked it a few days ago to find out that someone actually added some code that really made it work. Now that I've got it working and stuff, there's one thing that poses a threat and risk. First off, unless you have email validation turned on (or installed in some cases) you pretty much have a problem. See, let's say someone creates an account on your forum, let's call this account BOB, and later on, let's say three months later, creates another account, let's call this account GINGER. They create this account for some unknown reason, maybe they just felt the need to create another account. Now this person BOB is starting to become a pest on your forum (i.e. threatening members, making rude posts, etc.) and you ban this account (BOB) using the ban by cookie mod.
Here's a little backdoor that you guys might not know about. Although this person now cannot log in under his username BOB, he can still log in and regain access to the forum using the GINGER account that he created a few months earlier. The banned cookie is still there, written to his computer, which doesn't allow him access to policy.asp or register.asp, but he still has access to the forums and members area with the account GINGER; he just can't access those two pages lol. Now you can either use the email validation system to stop them from creating two accounts, but you'll still have the problem of them having more than one email address and being able to sign up for multiple accounts even though you have the email validation system active.
My solution to this problem: Don't just ban them (i.e. from Policy.asp and Register.asp) but ban them from every part of the website. You could probably slip the code into inc_top.asp, and if the cookie is read a U HAVE BEEN BANNED message comes up on EVERY PAGE. This way even if they have a second account, they won't be able to log in to it because they won't be able to get access to the login box where you need to supply your username and pass :)
Just giving my two cents worth.
Edited by - Fuzion on 18 July 2002 18:56:15
Edited by - Fuzion on 18 July 2002 18:57:38 |
|
Fuzion
Junior Member
162 Posts |
Posted - 18 July 2002 : 22:48:08
|
Is anyone interested in re-designing this mod a little? The code is as follows:
This code is what's placed as a sub in INC_TOP.ASP:
    '########## Ban User by Cookie Mod
    Sub banUser()
        if Request.Form("Method_Type") = "login" AND strLoginStatus = 0 then
            '## Forum SQL - Get user status
            strSql = "SELECT " & strMemberTablePrefix & "MEMBERS.M_STATUS "
            strSql = strSql & "FROM " & strMemberTablePrefix & "MEMBERS "
            strSql = strSql & "WHERE " & strMemberTablePrefix & "MEMBERS.MEMBER_ID = " & getMemberNumber(strDBNTFUserName) & " "
            strSql = strSql & "AND " & strMemberTablePrefix & "MEMBERS.M_PASSWORD = '" & ChkString(Request.Form("Password"), "SQLString") & "'"

            set rsSTATUS = my_Conn.Execute(strSql)

            if rsSTATUS.EOF OR rsSTATUS.BOF then
                'DO Nothing
            elseif rsSTATUS("M_STATUS") = "0" then
                if strSetCookieToForum = 1 then
                    Response.Cookies(strUniqueID & "Status").Path = strCookieURL
                else
                    Response.Cookies(strUniqueID & "Status").Path = "/"
                end if
                Response.Cookies(strUniqueID & "Status")("banUser") = "1"
                Response.Cookies(strUniqueID & "Status").Expires = dateAdd("d", 3650, strForumTimeAdjust)
                errMsg = "Your account has been de-activated!"
            end if
            rsSTATUS.close
            set rsSTATUS = nothing
        end if

        Dim strScriptName, aryScriptName
        aryScriptName = Split(Request.ServerVariables("SCRIPT_NAME"), "/")
        strScriptName = aryScriptName(UBound(aryScriptName))

        if (strScriptName = "policy.asp" OR strScriptName = "register.asp") AND Request.Cookies(strUniqueID & "Status")("banUser") = "1" then
            Response.Redirect "ur_banned.asp"
        end if
    end Sub
    '########## END Ban User by Cookie Mod
USE THE FOLLOWING CODE TO CALL THE SUB FUNCTION IN INC_TOP.ASP:
    '########## Ban User by Cookie Mod
    Call banUser()
    '####################################
PLACE THE FOLLOWING CODE AT THE VERY TOP OF REGISTER.ASP:
    '<!-- *** KC Ban User with Cookie Mod v1.0 *** part 1-1 in register.asp -->
    if not Request.Cookies("StopMe") = "" then
        Response.Redirect "http://(your own nastygram web page)"
    end if
    '<!-- *** END KC 1-1 *** -->
    %>
This is the current Ban By Cookie Mod. If anyone could design it according to my specifications at the very top of this page, it would be quite excellent :P
NeilQuest Hosting Service: http://www.NeilQuest.com
Site Designs For Sale: http://www.NeilQuest.com/designstore.asp
Just giving my two cents worth. |
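
The site-wide check proposed in the first post, as an added example that is not part of the original posts or of the mod itself: it stands in for the policy.asp/register.asp test at the end of the posted banUser() sub, while the login branch that sets the cookie stays as posted. It assumes it runs in inc_top.asp before any page output, that strUniqueID is already set as in the posted code, and that ur_banned.asp may itself include inc_top.asp; banUserSiteWide is a hypothetical name.

```vbscript
<%
'## Added example (not part of the original mod): site-wide ban check.
'## Assumptions: strUniqueID is set by the forum config before this runs,
'## as in the posted banUser() sub; no HTML has been written yet, so
'## Response.Redirect can still send headers; ur_banned.asp may include
'## inc_top.asp. banUserSiteWide is a hypothetical name.
Sub banUserSiteWide()
	Dim aryScriptName, strScriptName

	'## Last path segment of the requested script, lower-cased so that
	'## "UR_BANNED.ASP" and "ur_banned.asp" compare equal.
	aryScriptName = Split(Request.ServerVariables("SCRIPT_NAME"), "/")
	strScriptName = LCase(aryScriptName(UBound(aryScriptName)))

	'## The ban page itself must stay reachable. Without this exemption a
	'## banned browser would be redirected to ur_banned.asp, which would
	'## redirect again, and so on in a loop.
	If strScriptName = "ur_banned.asp" Then Exit Sub

	'## Every other page: a banned cookie sends the browser to the ban
	'## page before the login box or any forum content is rendered, so a
	'## second account cannot be used from the same browser profile.
	If Request.Cookies(strUniqueID & "Status")("banUser") = "1" Then
		Response.Redirect "ur_banned.asp"
	End If
End Sub

'## Called once near the top of inc_top.asp, which every forum page includes.
Call banUserSiteWide()
%>
```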