Type in your suggestion - new feature or improvement idea

Preventing multiple logins by the same member

Is there any way to prevent multiple login?

13 votes

    gtg2020 shared this idea

    23 comments

      • Thomas Berry commented

        This has been a big problem. Record so far is the same member having four different accounts - what was originally exported from QuickBooks, two accounts from different renewals, and registered forum user.

      • Sunil Gupta commented

        Hi,

        I too am interested in having this feature added in a future release of WA. Even a simple solution would be great.

        Thanks,

        Sunil

      • aforetaste commented

        I too find this very important.

        Actually a deal-breaker if we can't get this to work.

        The ideal solution for us is that a single user can not log in twice at the same time. That, I believe, would solve our issues with this.

        Thanks

      • Evgeny aka Apricot Kernel (Admin, Product Manager, Wild Apricot) commented

        I think we should consider the solution of the problem NOT from the point of immediate restrictions, but rather from a reporting option for the site admin.

        Let me clarify.

        * Each time a member/admin logs into the system, the system records date/time, ID, IP address and browser information
        * The log with this full login history is on a per-member basis and only for full site admins
        * The system also may summarize all logins and provide a likely number of different places where actual login may be performed (based on IP address, browser data, cookie, etc.)
        * The summary is made per time period - like last month, last 3 months, last year, in total
        * The summary also shows (based on IP) a likely location of login
        * Admin has a special report where he can look at all members from a login-summary perspective and decide what he should do about suspicious members
        * Admin also has an option somewhere in the system settings if he wants the system to notify him as soon as a member has a new location within a specific time period

        What do you think? This solution does not force all members to be blocked from login but rather gives the admin a way to be notified or overview all suspicious members and contact them directly if required. Any comments are welcome.
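
The reporting approach outlined in the comment above, sketched as an added example (not Wild Apricot code and not part of the original comment). The record layout, function names, thresholds and sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, member ID, IP address, browser).
SAMPLE_LOG = [
    ("2024-01-15T09:00:00", "m-1001", "203.0.113.50", "Safari/macOS"),
    ("2024-03-02T08:02:11", "m-1001", "198.51.100.7", "Firefox/Windows"),
    ("2024-03-09T19:40:00", "m-1001", "198.51.100.7", "Chrome/Windows"),
    ("2024-03-20T08:05:00", "m-1001", "198.51.100.7", "Firefox/Windows"),
    ("2024-03-03T10:00:00", "m-1002", "192.0.2.10", "Chrome/Windows"),
    ("2024-03-03T10:20:00", "m-1002", "192.0.2.77", "Safari/iOS"),
    ("2024-03-04T21:15:00", "m-1002", "203.0.113.9", "Chrome/Android"),
    ("2024-03-05T07:30:00", "m-1002", "198.51.100.200", "Edge/Windows"),
    ("2024-03-06T12:00:00", "m-1002", "192.0.2.10", "Chrome/Windows"),
]

def summarize(log, now, window_days):
    """Per member in the window: logins, distinct IPs, distinct (IP, browser) places."""
    cutoff = now - timedelta(days=window_days)
    acc = defaultdict(lambda: {"logins": 0, "ips": set(), "places": set()})
    for ts, member, ip, browser in log:
        if cutoff <= datetime.fromisoformat(ts) <= now:
            acc[member]["logins"] += 1
            acc[member]["ips"].add(ip)
            acc[member]["places"].add((ip, browser))
    return {m: {"logins": a["logins"], "distinct_ips": len(a["ips"]),
                "distinct_places": len(a["places"])} for m, a in acc.items()}

def flag_for_review(summary, max_ips):
    """Members over the admin's distinct-IP threshold. NAT and dynamic IPs
    skew the count, so this is a prompt for the admin to look, not proof."""
    return sorted(m for m, s in summary.items() if s["distinct_ips"] > max_ips)

def new_location_logins(log, lookback_days):
    """Logins from an IP the member has not used in the preceding lookback period."""
    history, alerts = defaultdict(list), []
    for ts, member, ip, _browser in sorted(log):
        when = datetime.fromisoformat(ts)
        recent = {i for t, i in history[member]
                  if when - t <= timedelta(days=lookback_days)}
        if history[member] and ip not in recent:  # a first-ever login is not an alert
            alerts.append((ts, member, ip))
        history[member].append((when, ip))
    return alerts

if __name__ == "__main__":
    now = datetime(2024, 3, 31)
    print(flag_for_review(summarize(SAMPLE_LOG, now, 30), max_ips=3))
    print(new_location_logins(SAMPLE_LOG, lookback_days=30))
```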

      • sabojo commented

        I understand the concern if members are sharing accounts to avoid paying.

        That concern does not impact us at all. It's just not an issue. This would be a major inconvenience for reasons previously cited. Also, I currently log in as a regular member and admin on the same machine so I can test my changes and see exactly what regular members will see. If I had access to a different machine (e.g. a Mac) I would login and test there as well.

        If you do implement this feature:

        1. please make it optional

        2. With IP tracking an issue, consider just kicking off current users when a new login under the same name occurs. Again, please make it optional

      • rugbysid commented

        I can see I'm on a loser here. Others regarded it as a problem but have dropped out. If this cannot be addressed it is a major problem for anyone considering selling information via WA.

        There seems little point in asking non-technical people what they want and then telling them why they cannot have it. How about saying the type of thing that is possible and going from there.

        If the access is reported in a meaningful way at least you have some idea of what is going on. If you have say 50 accounts where access is consistently from one place and 2 that are consistently viewing the same material from numerous different sources you may have a problem and can then decide what to do about it. As it is I am completely in the dark.

        In my case the material to be viewed is a course in graded steps 1 to 9. Each unique visitor has accessed all steps (Information via Google). The valid user would not do this.

        One seller I browsed recently provided full access reporting and claimed a bot searches log files for signs of misuse. I am not suggesting WA does this, simply reporting what I have seen.

      • Dmitry Buterin commented

        Actually identifying misuse is much harder. Google might be showing several unique visitors for many different reasons, e.g.:

        - same person logged in from home/office

        - same person using different browsers

        - same person using some kind of cookie-blocking

        - or different people using the same login.

        We can not reliably distinguish these cases - neither can Google or anybody else.

      • rugbysid commented

        This should not be regarded as a wish list request for an upgrade. This is a serious deficiency in the system whether or not loads of people are asking for it to be changed.

        If you are using WA to sell information, which works well, then it is important to know who is accessing the information. It is no use simply being told that a user has logged in 30 times and yet not know that they did it from 5 different IP addresses.

        You say...

        [quote user="Chief_Apricot"]

        I guess you are talking about tracking and limiting access by IP address. This is not really feasible due to NAT routers, dynamic IPs etc.

        What I think should be doable is restricting access so that only one person can be logged in under the same member ID at any one time. What do you think of this?

        [/quote]

        Restricting to one person logged in at a time is not really useful. It does not overcome the problem.

        Reporting user details in such a way as to identify misuse would at least enable me to use the suspend function if I wanted to. Is there any way for you to report with some certainty how many different people are using the account? It would seem Google are able to detect "unique visitors".

      • rugbysid commented

        I would like to draw attention to this issue. My intention was to post in this section because it is a current issue. I replied to a post after doing a search and it was posted in the wish list section.

        I think it is time to address this issue again.

        I now have a membership site thanks to WA. I'm pretty pleased with it and how it runs.

        I've sold my first membership... the problem for me is that, as far as I can tell and after only a couple of days, 4 people are using it!

        My WA system gives me no clue that this is happening and no way to prevent it.

        I only know because I have only one membership and I have Google Analytics installed.

        GA tells me about the unique visitors to my pages. First there was one, then there were 3, now there are 4.

        I can understand the people who say they want any number of logins open. It appears to be for admin purposes... so that can be made a special case or have security on or off.

        I am not a technical person so I do not know what is possible, BUT the very least that should be done is to inform admin how many different addresses are logging in with the same ID.

        I can see many valuable uses for WA. If this issue is not addressed "Members Only" pages is not one of them. Please do something about it.

      • rugbysid commented

        I think it is time to address this issue again.

        I now have a membership site thanks to WA. I'm pretty pleased with it and how it runs.

        I've sold my first membership... the problem for me is that, as far as I can tell and after only a couple of days, 4 people are using it!

        My WA system gives me no clue that this is happening and no way to prevent it.

        I only know because I have only one membership and I have Google Analytics installed.

        GA tells me about the unique visitors to my pages. First there was one, then there were 3, now there are 4.

        I can understand the people who say they want any number of logins open. It appears to be for admin purposes... so that can be made a special case or have security on or off.

        I am not a technical person so I do not know what is possible, BUT the very least that should be done is to inform admin how many different addresses are logging in with the same ID.

        I can see many valuable uses for WA. If this issue is not addressed "Members Only" pages is not one of them.

        Please do something about it.

      • kbroders commented

        Like other posters, I often am logged into WA many times simultaneously. Once as an administrator with a web page edit in progress, once as an administrator so that I can view other pages for references (perhaps Page Mgmt), once as an administrator to perform ad hoc admin tasks for the club, and once as a member to view the website as a user. My productivity would go way down if I could only log in once.

        Secondly, cutting off someone's access abruptly for the sin of a supposed security breach would upset people very quickly. What if they simply forgot they were still logged on in another window??

        Do not take away the ability to log in simultaneously. Make it an option if you want to provide this security enhancement.

      • rugbysid commented

        Fair enough, if by IP is too difficult then by ID sounds good to me.

        That is more or less how my post started out...before I started editing! I was thinking in terms of a variable which specified the maximum number of logins for an account. It would have an Admin editable default of 1 at creation of the account but could be raised on any given account if required.
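
The per-account login limit described in the comment above, combined with the "kick off the current user when a new login occurs" option raised earlier in the thread, sketched as an added example (not Wild Apricot code and not part of any comment). The class, its method names and the member IDs are hypothetical.

```python
import secrets

class SessionRegistry:
    """Tracks live sessions per member ID and enforces a per-account cap."""

    def __init__(self, default_limit=1, enforce=True):
        self.default_limit = default_limit  # admin-editable default for new accounts
        self.enforce = enforce              # site-wide switch: the feature stays optional
        self.limits = {}                    # member_id -> raised (or lowered) limit
        self.sessions = {}                  # member_id -> live tokens, oldest first

    def set_limit(self, member_id, limit):
        """Raise the cap for one account, e.g. an admin who works in several windows."""
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self.limits[member_id] = limit

    def login(self, member_id):
        """Start a session. Returns (new_token, revoked_tokens)."""
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        live = self.sessions.setdefault(member_id, [])
        live.append(token)
        revoked = []
        if self.enforce:
            limit = self.limits.get(member_id, self.default_limit)
            while len(live) > limit:        # newest login wins, oldest is kicked off
                revoked.append(live.pop(0))
        return token, revoked

    def is_valid(self, member_id, token):
        """Must be checked on every request, otherwise a revoked session keeps working."""
        return any(secrets.compare_digest(token, t)
                   for t in self.sessions.get(member_id, []))

    def logout(self, member_id, token):
        live = self.sessions.get(member_id, [])
        if token in live:
            live.remove(token)

if __name__ == "__main__":
    reg = SessionRegistry()                 # default limit of 1
    first, _ = reg.login("member-1")
    second, revoked = reg.login("member-1")
    print(revoked == [first], reg.is_valid("member-1", first))
```

The revoked tokens are returned so the caller can record the event or notify the member, rather than cutting the older session off silently.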

      • Dmitry Buterin commented

        I guess you are talking about tracking and limiting access by IP address. This is not really feasible due to NAT routers, dynamic IPs etc.

        What I think should be doable is restricting access so that only one person can be logged in under the same member ID at any one time. What do you think of this?

      • rugbysid commented

        I intend using WA to provide information for a fee via membership and restricted access.

        I really like what WA offers. More security would be very useful. The current situation is a real weakness. Multiple paid membership levels and the ability to restrict access is great - but then allow any number of people to login on one membership! It could potentially cost the provider a fortune and you would not even know it is happening.

        How about having a field "Number of login addresses" for each account?

        It defaults to whatever you want to set it to (I would set it to one) but can be increased for your own purposes as expressed above or on request from valid users.

        Each account could have fields for the top 5(?) addresses most used so you can see how an account is being used.

      • bam-bam commented

        I understand your point and I would tend to agree with you. Two options: build it in so that for admin people you could choose to have enhanced security active or not on an individual basis. Another workaround is to have two (or more) member profiles so one could see the changes on another computer.

      • gypse commented

        Even as a user I access things from multiple pc's. For example, this WA forum may very well be open on my primary pc as I'm writing here on someone else's pc . . .

      • bam-bam commented

        I think that you are looking at it from your administrator view, which I can totally understand, because I also like to check what I have done. A way round this is to set up two login accounts, one to check and one to make changes. (Me looking from a non-tech person)

        Another way round this is that the function could be switched off for Admin Accounts. All I want to do is to protect my Intellectual Property. My outcome is to stop people signing up to my service and then giving their details to friends so they don't have to pay for access to the site.

      • gypse commented

        This post is basically the same as an earlier one - http://forums.wildapricot.com/forums/308932-wishlist/suggestions/8825656-preventing-multiple-logins-by-the-same-member

        and my same comments apply . . .

        I doubt I'm the only person that regularly uses multiple computers. The measures suggested above are too severe. If you want notification and then apply measures on a case-by-case basis, I can see that. But just shutting people off, well I know that would make me quite upset right there.

      • bam-bam commented

        I would like to suggest a security upgrade. At the moment the Wild Apricot software allows a member of a Wild Apricot website to log in with multiple computers at the same time. This may not seem such a bad problem until you come across someone that pays for a single membership to a site and then passes his login details to his friends. The website, whether a profit or non-profit, is then losing revenue as there is no need for family or friends to also sign up for their own membership. It even gets worse if the user name and password is posted on a blog or other website. I know I am looking at the worst case here but I believe that security is always about preparing for the worst and then hoping it does not happen. Is there any way for a site owner to know if this is happening? (I am new to Wild Apricot)

        My suggestion is that if someone logs in to his/her account and is already logged in on another computer then their account is suspended and an email is then automatically generated and sent to the member (as well as the administrator) asking them to reset their password and informing them that there may have been a security breach or that they did not log out when they were on another computer. (Email generated could be edited by administrator and then decide who the email goes to) If this then continues to happen with a particular member then site administrators can decide what to do.

        It could also have different levels so the first time it happens the member is asked to re-set their password the second time the account is suspended for 24 hours and then asked to reset their password. The third time their membership is suspended until an administrator re-activates it.

        I am new to WA and would like to take the time to thank the WA Team for the help they have given me so far, so thank you for your help!!! You guys have a great system am loving what you can do with it, and the fact that you keep on developing the software.


      Wild Apricot Inc. 144 Front Street West Suite 725, Toronto, Ontario, Canada M5J 2L7