RevCMS save IP for every login

Junior Spellweaver
Joined
Feb 6, 2013
Messages
196
Reaction score
25
Hi,

I created a small "extra security" feature for RevCMS. I've had problems with scams on my hotel, people get into each other's accounts because they are using the same passwords everywhere.

Anyhow, this extra security saves the date & IP for each login for every user. Using a separate table and a simple mysql_query in class.users. Might be helpful for some of you. So you can compare IPs if someone were scammed. If someone is using VPN then sure this tool won't be as helpful, but you can at least confirm if some scammer logged into someone's account or not. (this is 99,9% accurate if you are using VPN block as I am)

Run this query.
Code:
CREATE TABLE `iplogins` (
  `userid` int(11) NOT NULL,
  `ip` varchar(211) NOT NULL,
  `date` varchar(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Then, add this code below $template->form->unsetData(); in class.users.php
PHP:
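// Cast the id and escape the IP: HTTP_CF_CONNECTING_IP is a request header, so a client that reaches the server without going through Cloudflare can set it to anything.
mysql_query("INSERT INTO iplogins (`userid`, `ip`, `date`) VALUES ('".(int)$_SESSION['user']['id']."', '".mysql_real_escape_string($_SERVER["HTTP_CF_CONNECTING_IP"])."', '" . date('d/M/y', time()) . "')") or die ("Error in query: ".mysql_error());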

This saves the date and IP for each login for a player's account.
This could be improved in many ways, please come with suggestions if you'd like.
 
Last edited:
Experienced Elementalist
Joined
Aug 30, 2013
Messages
287
Reaction score
64
This can be quite useful for people that don't have this on their site. On my site, when a login fails, instead of just logging the date/time and IP, it also logs the user agent so the user can see what browser was used (you may find this pointless), if the failed login was attempted using email or username and then also shows the password used for the failed login.
 
Legendary Battlemage
Joined
Aug 16, 2008
Messages
600
Reaction score
259
Awesome contribution

You asked for suggestions and mine would be to update the user's last online, rather than inserting data for when they were last online, I assume you have chat logs and timestamps for this kind of thing already?

PHP:
$this->database->query("UPDATE users SET timestamp = ?, login_count = login_count + 1 WHERE id = ?",[date("Y-m-d H:i:s"),$this->user()->id]);
 
Junior Spellweaver
Joined
Feb 6, 2013
Messages
196
Reaction score
25
Awesome contribution

You asked for suggestions and mine would be to update the user's last online, rather than inserting data for when they were last online, I assume you have chat logs and timestamps for this kind of thing already?

PHP:
$this->database->query("UPDATE users SET timestamp = ?, login_count = login_count + 1 WHERE id = ?",[date("Y-m-d H:i:s"),$this->user()->id]);

That's great, will update mine to that as well.
 
Legendary Battlemage
Joined
Aug 16, 2008
Messages
600
Reaction score
259
That's great, will update mine to that as well.

Here are some more contributions

PHP:
function getIP()
{
	/*
	This function attempts to get real IP address.
	*/
	if (getenv('HTTP_CLIENT_IP'))
	{
		$ip = getenv('HTTP_CLIENT_IP');
	}
	elseif (getenv('HTTP_X_FORWARDED_FOR'))
	{
		$ip = getenv('HTTP_X_FORWARDED_FOR');
	}
	elseif (getenv('HTTP_X_FORWARDED'))
	{
		$ip = getenv('HTTP_X_FORWARDED');
	}
	elseif (getenv('HTTP_FORWARDED_FOR'))
	{
		$ip = getenv('HTTP_FORWARDED_FOR');
	}
	elseif (getenv('HTTP_FORWARDED'))
	{
		$ip = getenv('HTTP_FORWARDED');
	}
	else
	{
		$ip = $_SERVER['REMOTE_ADDR'];
	}
	return $ip;
}

function insertIPLogins($userid,$userip)
{
	$database = Database::getInitialize();
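	// iplogins_timestamp is a TIMESTAMP column, which takes a datetime string, not a Unix integer.
	$time = date('Y-m-d H:i:s');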
	$stmt = $database->query("INSERT INTO iplogins (iplogins_userid,iplogins_userip,iplogins_timestamp) VALUES (?,?,?)",[$userid,$userip,$time]);
	$result = $stmt->results();
	return $result;
}

Code:
CREATE TABLE `iplogins` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `iplogins_userid` int(11) NOT NULL,
  `iplogins_timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `iplogins_userip` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1
 
Last edited:
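Both the first post's `$_SERVER["HTTP_CF_CONNECTING_IP"]` and the `getIP()` function above read the address from request headers, which any client can set when it reaches the web server directly. The following is an added example, not code from the thread or from RevCMS, written for PHP 7+: it believes the forwarded header only when the connection itself comes from a known proxy range and the value parses as an IP. `TRUSTED_PROXIES`, `ipInCidr()` and `clientIp()` are hypothetical names, and the ranges and requests are constructed sample data.

```php
<?php
// Added example, not RevCMS code. The ranges are constructed documentation
// prefixes; replace them with the ranges your proxy provider publishes.
const TRUSTED_PROXIES = ['203.0.113.0/24', '2001:db8::/32'];

// True when $ip lies inside $cidr (IPv4 or IPv6), compared on packed bytes.
function ipInCidr(string $ip, string $cidr): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                       // IPv4 address against IPv6 range, or the reverse
    }
    $bytes = intdiv((int) $bits, 8);
    $rest  = (int) $bits % 8;
    if (strncmp($ipBin, $netBin, $bytes) !== 0) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Address to log for this request. The forwarded header is believed only
// when the TCP peer (REMOTE_ADDR) is one of our proxies and the value parses
// as an IP; in every other case the peer address itself is returned.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fwd  = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($peer, $cidr) && filter_var($fwd, FILTER_VALIDATE_IP) !== false) {
            return $fwd;
        }
    }
    return $peer;
}

// Constructed requests: via a trusted proxy, direct with a forged header,
// and via the proxy with a malformed header.
var_dump(clientIp(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_CONNECTING_IP' => '198.51.100.20']));
var_dump(clientIp(['REMOTE_ADDR' => '192.0.2.55', 'HTTP_CF_CONNECTING_IP' => '198.51.100.99']));
var_dump(clientIp(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_CONNECTING_IP' => 'not-an-ip']));
```

In a live request the call is `clientIp($_SERVER)`; only the first sample request yields the header value, the other two fall back to the peer address.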
"(still lacks brains)"
Loyal Member
Joined
Sep 2, 2011
Messages
2,371
Reaction score
1,361
Rather than saving every IP address for every login, you should compare the IP that's logging in with the one that is in the registered IP column (if it still exists) and if they are different then save it and possibly inform the user via Email. This will minimise the size of the table too :)
 
Joined
Aug 10, 2011
Messages
7,401
Reaction score
3,299
Rather than saving every IP address for every login, you should compare the IP that's logging in with the one that is in the registered IP column (if it still exists) and if they are different then save it and possibly inform the user via Email. This will minimise the size of the table too :)

Maybe start off with picking the correct data types before complaining about table size. Storage is cheap anyways nowadays.
 
Joined
Jun 23, 2010
Messages
2,318
Reaction score
2,195
Just because it is cheap doesn't mean you shouldn't try to minimise the size of the data.

I like the idea, but instead of using the registration ip to check on, I suggest the latest logged in ip.

Also, if size is really a problem, the table can be normalized more by extracting the IPs into their own table and using iplogins as a linking table. No duplicated IP values and a reduced record size for iplogins.
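
The suggestion in the last few posts (store a row only when the address differs from the most recent one, and alert the account owner on a change) is sketched below as an added example; it is not code from any poster or from RevCMS. It assumes PHP 7+ with the pdo_sqlite extension, uses an in-memory SQLite database in place of the CMS database, and `recordLogin()`, the `seen_at` column and the login sequence are hypothetical or constructed.

```php
<?php
// Added example, not RevCMS code. In-memory SQLite stands in for the CMS
// database; table and column names below are assumptions for this sketch.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // exceptions, not die(mysql_error())
$pdo->exec('CREATE TABLE iplogins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    userid INTEGER NOT NULL,
    ip VARCHAR(45) NOT NULL,
    seen_at TEXT NOT NULL
)');

// Stores a row only when the address differs from the user's most recent
// one. Returns true when the caller should notify the account owner.
function recordLogin(PDO $pdo, int $userId, string $ip, string $when): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $ip = inet_ntop(inet_pton($ip));        // canonical text form, so IPv6 spellings compare equal

    $last = $pdo->prepare('SELECT ip FROM iplogins WHERE userid = ? ORDER BY id DESC LIMIT 1');
    $last->execute([$userId]);
    $previous = $last->fetchColumn();       // false when the user has no rows yet
    if ($previous === $ip) {
        return false;                       // same address as last time: nothing to store
    }

    $ins = $pdo->prepare('INSERT INTO iplogins (userid, ip, seen_at) VALUES (?, ?, ?)');
    $ins->execute([$userId, $ip, $when]);
    return $previous !== false;             // a first login is stored but raises no alert
}

// Constructed login sequence for user 42: first login, same address again,
// then a different address.
var_dump(recordLogin($pdo, 42, '198.51.100.20', '2017-01-01 10:00:00'));
var_dump(recordLogin($pdo, 42, '198.51.100.20', '2017-01-02 10:00:00'));
var_dump(recordLogin($pdo, 42, '2001:db8::1', '2017-01-03 10:00:00'));
```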
 
Newbie Spellweaver
Joined
Dec 15, 2016
Messages
24
Reaction score
3
Why are you using varchar for userId? Why not use int(11)?

Also, why are you throwing a public error for anyone to see? Maybe add a check for whether it is production or not?
 
Junior Spellweaver
Joined
Feb 6, 2013
Messages
196
Reaction score
25
Why are you using varchar for userId? Why not use int(11)?

Also, why are you throwing a public error for anyone to see? Maybe add a check for whether it is production or not?

Oh damn, it was just a mistake to use varchar for userid, will update now.
 
Joined
Apr 30, 2007
Messages
2,337
Reaction score
1,547
If you truly want to protect your players accounts, code a two-factor authentication system. Takes half an hour at the most and Google Auth is widely used and accepted, and has many libraries open sourced for you to use.

Also, another great way is to not store the ip (hello, dynamic ips??) but to store the last geographical location they signed in from, and compare it to the one they are currently signing in with. Cookies may come in useful too if you're really lazy.

Just because this is a private server CMS doesn't mean you can't use proper standards in account security. C'mon people.
 
◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜
Developer
Joined
May 29, 2007
Messages
2,167
Reaction score
898
You're getting there but logging every request is a bit ridiculous and would just generate a lot of noise.

It's common to log the IP-Address when a user authenticates since you can assume that it will not change during its session. Even if it does change, then it will most likely be a normal user.

Check out the feedback, and try to properly set the datatypes inside the database. Oh btw you can store an IP-Address in a varchar of 45 which is the size of an IPv6-address.
 
Joined
Sep 10, 2011
Messages
778
Reaction score
138
I was about to say the same thing.

And

Code:
mysql_query()
You can't use mysqli* with Rev, unless you want to waste time converting the whole damn cms to PHP 7 which is useless; as it's all a retarded pile of outdated code.

Logging IPs is kind of useless: You could send an email to have someone verify their session if the IP is different, or add a query ensuring the IP has not changed on each user request to prevent session hijacking :p
 