  1. #11
    Join Date
    Feb 2012
    Posts
    70
    Plugin Contributions
    0

    Re: Does ZC Permit or Deny Concurrent Logins Using Same ID and Password?

    Thanks DrByte! I'm especially fond of your second idea, especially if the popup message won't stay away until all other viewing occurrences cease. The underlying message to all viewers is that something wrong is going on and others, including the provider, are immediately aware of it. That's powerful group psychology at play.

    How complex of a coding job is that?

    (More than 500 videos here)

  2. #12
    Join Date
    Feb 2012
    Posts
    70
    Plugin Contributions
    0

    Re: Need Ideas To Deter Grabbing Products or Services That Weren't Purchased

    Perhaps the simplest solution is to get at the root of the problem by programming the necessary code that will prevent more than one user at a time from logging into their account. How hard is that?

  3. #13
    Join Date
    Feb 2012
    Posts
    70
    Plugin Contributions
    0

    Re: Does ZC Permit or Deny Concurrent Logins Using Same ID and Password?

    Perhaps the simplest solution is to get at the root of the problem by programming the necessary code that will prevent more than one user at a time from logging into their account. How hard is that?

  4. #14
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Need Ideas To Deter Grabbing Products or Services That Weren't Purchased

    The way Netflix does it is by controlling the entire playback experience with their own playback viewer tool. On the PC I believe it's flash-based, but there might be other technologies that could work.

    As far as limiting logins, my earlier post gave the outline of the coding requirements.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #15
    Join Date
    Feb 2012
    Posts
    70
    Plugin Contributions
    0

    Re: Need Ideas To Deter Grabbing Products or Services That Weren't Purchased

    Netflix and my company are like David and Goliath. God knows how much underlying code they've established to make their service viable and maintain security. My site uses a flash based player to offer up progressive streaming but has no capability/features to control viewing.
    I have passed on your outlined coding logic to vendors/programmers at http://www.guru.com . Thanks so much for your contributed experience and expertise DrByte. Perhaps there is an adventurous soul in our Forum that can contribute it back to the entire community and gain his/her "15 minutes of fame". Such a mod would most likely open up new ecommerce possibilities for Zen Cart knowing that shop owners can safely and cost effectively offer up multimedia content in real time and put us on more equal footing with the Netflix giants of the online world.

  6. #16
    Join Date
    Feb 2012
    Posts
    70
    Plugin Contributions
    0

    How do you prevent fraudulent multiple, simultaneous logins?

    I've posed this question before on ZC forums and didn't really receive a fully developed solution, just pointers. I contacted custom programmers who tried to get WAY more $ than the solution appeared to merit. I've scoured the Internet to solve the following problem:
    I want to prevent dual, multiple, simultaneous logins leading to membership fraud because I want to run a subscription based website showing pay per view educational videos. The proposed login/access scheme will grant access for paid customers who pass the mySQL username/password validation. One user can login but Zen Cart must prevent others who try to use the same login credentials from a different machine. Since I'm far from a code jockey I'm not in a good position to challenge, endorse, or implement any of these four suggestions below so I'm soliciting the expertise of my ZC gurus to lead the way for me and others who face the same challenge so we can keep it within the family. A great answer requires a pretty in depth understanding of how Zen Cart works under the hood. Please comment/critique these ideas and indicate which is best and give the nuts and bolts on implementation in Zen Cart 1.39h.

    SUGGESTION #1

    Paste the below code into my header file, which is an include on every page of my site.

    #Prevent Membership Fraud
    //check if someone is logged in
    if (isset($_SESSION['user_id'])) {
        //connect to your db
        require('../../../connect.php');
        /*build query using hirer_id and current_session_id, get count. If query comes back with a 1, it means there is a match. A match is good because it means no one else logged in during their session. On the other hand, a 0 indicates that no match, meaning someone else logged in simultaneously. Zeros get the boot of death.*/
        //cast the id to an integer so it cannot alter the query
        $result = mysql_query('SELECT COUNT(*) FROM user WHERE user_id='.(int)$_SESSION['user_id']." AND session_id='".mysql_real_escape_string(md5(session_id()))."'");
        $login_status = mysql_result($result,0,0);
        //recall 1 is good, 0 is bad
        if (0 == $login_status) {
            //give them the boot
            //this is copied from my logout script
            $_SESSION = array(); //destroy the variables
            session_destroy(); //destroy the session itself
            setcookie(session_name(), '', time()-300, '/', '', 0); //destroy the cookie
            echo 'Hey, someone else logged in using your account info which means you get the boot.';
            exit();
        }
    }


    SUGGESTION #2

    function authenticateUser($id, $hash, $databaseLink) {
        # SQL
        $sql = 'SELECT EXISTS(
            SELECT 1
            FROM `tbl_users`
            WHERE `id` = \''.mysql_real_escape_string($id).'\'
            AND `hash` = \''.mysql_real_escape_string($hash).'\'
            LIMIT 1
        );';

        # Run Query
        if ($query = mysql_query($sql, $databaseLink)) {
            # Get the first row of the results
            # Assuming 'id' is your primary key, there
            # should only ever be one row anyway.
            $result = mysql_fetch_row($query);

            # Casting to boolean isn't strictly necessary here
            # it's included to indicate the mysql result should
            # only ever be 1 or 0.
            return (bool)($result[0]);
        } else {
            # Query error
            return false;
        }
    }


    SUGGESTION #3

    ...//form submission
    if(isset($_POST['login']))
    {
        //kill existing session
        session_destroy();
        //start login process
        //escape the user name before it goes into the query
        $user_name = mysql_real_escape_string($_POST['user_name']);
        $password = md5($_POST['password']);
        $login = "SELECT * FROM users WHERE user_name = '$user_name' AND password = '$password'";
        $login_query = mysql_query($login);
        if (!$login_query)
            echo mysql_error();
        //check for actual user
        ...
        ...
        //if user is real (real password, id, etc)
        while ($results = mysql_fetch_array($login_query, MYSQL_ASSOC))
        {
            $userID = $results['userID'];
            ...
            ...
        }//end results loop
        $_SESSION['userID'] = $userID;
    }//end of if-login check

    SUGGESTION #4

    Use the IP to block users from multiple machines,
    $_SERVER['REMOTE_ADDR']
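
The per-request check in Suggestion #1 only works if the login step also writes the current session ID into the user's row, which none of the posted snippets show. The following is an added example, not part of the original post and not Zen Cart code, showing both halves with prepared statements; the `user` table layout, the function names and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not Zen Cart code. Table and function names are hypothetical.
// Policy: one active session per account. The newest login wins and any
// older session is rejected on its next request.

function fingerprint(string $sessionId): string {
    // Store a hash so a database leak does not expose live session IDs.
    return hash('sha256', $sessionId);
}

// Call once, right after the password check succeeds.
function recordLogin(PDO $db, int $userId, string $sessionId): void {
    $stmt = $db->prepare('UPDATE user SET session_id = :sid WHERE user_id = :uid');
    $stmt->execute([':sid' => fingerprint($sessionId), ':uid' => $userId]);
}

// Call on every page load (the check Suggestion #1 places in the header include).
function sessionIsCurrent(PDO $db, int $userId, string $sessionId): bool {
    $stmt = $db->prepare('SELECT session_id FROM user WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $stored = $stmt->fetchColumn();   // false if no row, null if never logged in
    return is_string($stored) && hash_equals($stored, fingerprint($sessionId));
}

// Constructed demo data: in-memory SQLite stands in for the shop database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, session_id TEXT)');
$db->exec('INSERT INTO user (user_id) VALUES (42)');

$deviceA = bin2hex(random_bytes(16));   // stands in for session_id() on device A
$deviceB = bin2hex(random_bytes(16));   // stands in for session_id() on device B

recordLogin($db, 42, $deviceA);
var_dump(sessionIsCurrent($db, 42, $deviceA));   // device A right after its login

recordLogin($db, 42, $deviceB);                  // same credentials, second device
var_dump(sessionIsCurrent($db, 42, $deviceB));   // device B after the second login
var_dump(sessionIsCurrent($db, 42, $deviceA));   // device A again, after B logged in
```

When `sessionIsCurrent()` returns false, the page would run the logout steps from Suggestion #1 (clear `$_SESSION`, destroy the session, expire the cookie).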

  7. #17
    Join Date
    Aug 2005
    Location
    Vic, Oz
    Posts
    1,905
    Plugin Contributions
    5

    Re: How do you prevent fraudulent multiple, simultaneous logins?

    Quote: Originally Posted by Yourvirtualworld
    I've posed this question before on ZC forums and didn't really receive a fully developed solution, just pointers. I contacted custom programmers who tried to get WAY more $ than the solution appeared to merit. I've scoured the Internet to solve the following problem:
    I want to prevent dual, multiple, simultaneous logins leading to membership fraud because I want to run a subscription based website showing pay per view educational videos. The proposed login/access scheme will grant access for paid customers who pass the mySQL username/password validation. One user can login but Zen Cart must prevent others who try to use the same login credentials from a different machine. Since I'm far from a code jockey I'm not in a good position to challenge, endorse, or implement any of these four suggestions below so I'm soliciting the expertise of my ZC gurus to lead the way for me and others who face the same challenge so we can keep it within the family. A great answer requires a pretty in depth understanding of how Zen Cart works under the hood. Please comment/critique these ideas and indicate which is best and give the nuts and bolts on implementation in Zen Cart 1.39h.
    The only way I can see this working is to use a hardware key.
    This will restrict access to one key at a time.

    Is this such a significant issue for you that you need to "fix" it?

    Have your customers been hacked?

    Are your customers acting fraudulently by "sharing" the login details with others?
    Then maybe you need to reset their account access when 2 logins occur at the same time.

  8. #18
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: How do you prevent fraudulent multiple, simultaneous logins?

    In addition to the other suggestions offered previously, you might consider adding two-factor authentication. That way if someone wants to share their login with someone else, they'll have to at least give that other person their cellphone in order to respond with the correct PIN code. Or similar concept.

    Or, as suggested earlier, build your live-streaming tool to detect whether a certain user is already accessing content from your streaming server, and stop the streaming if that is detected. But, Zen Cart isn't your live-streaming tool, so this really isn't a Zen Cart issue.

 

 