capture authentication details


joanthenod
12-31-2002, 04:23 PM
I currently have a subscription-only site running to which access is managed via multiple NT basic authentication usernames/passwords. I would like to be able to capture/track which usernames/passwords have been used to access the system so that I can cross-check which users are accessing which areas (and also to cross-check against the visitor's IP so that I can tell where username/password combinations have been passed on to users who have not subscribed to the site). Is this possible, and if so how is this done?

Many thanks
JLW

BigDaddy
12-31-2002, 08:41 PM
When they log in, use the same page to set a cookie or session variable. Then, on each page, you can write to a database the name in the session variable or cookie. You can even make it an include file, and just include into the top of each page.

oracleguy
12-31-2002, 09:56 PM
You mentioned that you'd check people's IP addresses to see if it has been passed on. Just out of curiosity, are you going to like keep a log of it or something? Because people's IP addresses will change, especially if they are using a dial-up internet connection. DSL and cable don't change as often, but they can if the person has to reset their modem.

Just a thought.

BigDaddy
12-31-2002, 10:20 PM
My cable company changes my IP almost daily. It may vary hour by hour.

whammy
12-31-2002, 10:59 PM
Not to mention, what's wrong with someone accessing your site from two different computers, as long as they have subscribed?

The user may have more than one computer in a single location; i.e. there are 4 in my house and soon to be 5, and 3 in my brother's... 3 of the 4 in my house currently have different IP addresses, and as Big Daddy said, they are also reassigned frequently (and I'm on cable too).

What you could do is look for many machines using the same username/password logged in at the same time.

Also, I believe you can get the NT login using the Request.ServerVariables() collection, try the "sticky" post at the top of this forum, I've seen a few variables in there that look promising, although I haven't used them yet. :)

BigDaddy
01-01-2003, 04:36 PM
I used to work at a news and information company a few years ago. Their internet site had a couple of different types of accounts. One of which was a sort of limited account that only allowed you to log in to it from one computer. It would set a cookie on your computer. The idea was that they didn't want you to buy one subscription, and have 10 people in one company logging in.

oracleguy
01-01-2003, 07:23 PM
Originally posted by whammy

Also, I believe you can get the NT login using the Request.ServerVariables() collection, try the "sticky" post at the top of this forum, I've seen a few variables in there that look promising, although I haven't used them yet. :)


Usually the AUTH_USER and REMOTE_USER server variables are blank when accessing it from the internet, for security reasons. I think it is available when you browse an intranet site, but I'm not sure.

joanthenod
01-01-2003, 08:12 PM
Thanks for the comments/suggestions... just to clarify things about the IP address checking - all the subscribers are from universities, and within the higher education sector each institution operates over a discrete range of IP addresses, so it is relatively easy to spot when someone is accessing the site from an institution which does not have a valid subscription (users almost always access the site from their office PC/LAN, rather than via any dialup connection).

Cheers
JLW
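
Added example, not part of the original thread: one way to run the two checks discussed above (a username used from outside its institution's IP range, and one username active from several machines at around the same time) over the web server's own access log. It assumes IIS W3C extended logging with the c-ip and cs-username fields enabled; the log lines, usernames and network table are constructed, and only the username is needed, never the password.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri-stem sc-status
2003-01-02 09:00:01 192.0.2.10 uni_a /journals/index.asp 200
2003-01-02 09:03:12 192.0.2.44 uni_a /journals/vol1.asp 200
2003-01-02 09:05:40 203.0.113.7 uni_a /journals/vol1.asp 200
2003-01-02 09:06:02 198.51.100.5 uni_b /reports/q4.asp 200
2003-01-02 09:07:30 203.0.113.9 uni_a /journals/vol2.asp 200
2003-01-02 14:00:00 198.51.100.6 uni_b /reports/q4.asp 200
2003-01-02 14:01:00 198.51.100.6 - /default.asp 401
"""

# Hypothetical subscriber table: username -> networks the institution owns.
SUBSCRIBER_NETS = {
    "uni_a": [ipaddress.ip_network("192.0.2.0/24")],
    "uni_b": [ipaddress.ip_network("198.51.100.0/24")],
}

def parse(log_text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def audit(log_text, window=timedelta(minutes=15), max_ips=2):
    """Return (off_network, shared): hits from outside a subscriber's ranges,
    and usernames seen from more than max_ips addresses inside one window."""
    off_network, shared, recent = [], set(), defaultdict(list)
    for r in parse(log_text):
        user = r["cs-username"]
        if user == "-" or r["sc-status"] == "401":
            continue  # anonymous or failed authentication: no account to attribute
        ip = ipaddress.ip_address(r["c-ip"])
        if not any(ip in net for net in SUBSCRIBER_NETS.get(user, [])):
            off_network.append((user, str(ip), r["cs-uri-stem"]))
        recent[user] = [(t, a) for t, a in recent[user] if r["ts"] - t <= window]
        recent[user].append((r["ts"], ip))
        if len({a for _, a in recent[user]}) > max_ips:
            shared.add(user)
    return off_network, shared
```

Calling `audit(SAMPLE_LOG)` returns the two off-network requests for uni_a and flags uni_a as shared; the window and max_ips thresholds are tuning knobs, since a legitimate subscriber can move between a few machines on the same LAN.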