Login / bans / flood / etc

[DungeonMaster]

I am almost done custom editing my game but there is one thing that still bothers me, I feel it is a bug: the way the system handles banning and flooding.

Here is one example: I have set users to stay logged in for seven days yet each day I have to login.

As Admin I got my account locked for flooding then when I waited the 15 mins (I do this purposely to see if it will unban me) I tried to login and instead of getting in it just reloads the start page. Then when I login again it tells me I logged in too many times.

In the end I had to go to the bad_trials table and delete the row with my IP to get into my own game.

When I am finished customizing I will test this further because I believe it can be a real annoyance to a user.

I still STRONGLY believe there needs to be some kind of indication of the tries and time left for someone otherwise they will just keep trying and trying as most people do without any patience.

[a_bertrand]

The engine is currently not meant to keep you logged in. First of all, it uses PHP sessions which do no last for days. Second, the engine itself have a timeout in the session which kills the session after a while. Both could be changed of course, but that's up to you, and you will have to touch the index.php file which means you may have to change it every time you put a new version.

For the bad trials, this is coded in the login module. You can tweak it if you want, yet I can add the display of how many trials left you have and let you define how many trials your game have (via config). BTW it is said how much you need to wait: "Too many bad trials. Please wait 15 min." and each time you try it resets this to 15 min...

Edit: after thinking about how to keep somebody logged in, I think it's possible to do it via a new module which would keep a cookie and do the login for you as long as the cookie is valid.

[DungeonMaster]

From experience most people hate having to keep logging in, especially if they frequent a game often. if people get frustrated with login they give up and leave. I understand this may be good for security but if its too 'tight' then we are chasing people.

I know it shows you have to wait 15 minutes but it does not say you have x time left like lets say the mine or work module. So what happens is someone comes back, thinks they have the 15 minutes passed and try to login but their further attempts keep increasing the 15 minutes so what is 15 minutes ends up being 30, 45, etc.

The same is true with the incorrect login (bad trials) it should say you have 1 of 3 tries left, etc.

[a_bertrand]

There is good reasons why the session is not kept alive, and believe it or not, I run a game myself since a good number of years, so I know very well what can make people leave and what not. The reason is that the home page should give info, news, and not simply be a nice landing page like most mafia games do.

For the timer, sorry no way, as if you close the page, and come back what should it say, you still have 2 min to wait? How does that work via session as you are not logged? However I can show how many trials left you have.

[DungeonMaster]

Well how does the script know whether your 15 minutes is up? Via IP check from bad_trials table? In this case it will just check time and show difference for that IP.

Same with how many tries made, what keeps track of that, once that is known then a result can be given. When I'm more familiar with the way you have coded it I can probably give more suggestions however right off the bat with the way it is now it can send someone in circles and 'out the door'.

[Dominion]

The number of login attempts you have left should be fairly easy, and as for staying logged in... it would have to be more along the lines of auto logging in again. Seems pointless when most browsers allow you to save the username/password anyway. You save what 1 click?

 

For the timer, sorry no way, as if you close the page, and come back what should it say, you still have 2 min to wait? How does that work via session as you are not logged? However I can show how many trials left you have.

You save the IP anyway so you could just check that against the time left, and display it.

[a_bertrand]

Indeed I could re-use the IP info. For the login, nothing prevent to have a checkbox to save the username and password even if needed.

[DungeonMaster]

Exactly. This is also very useful to help the user ascertain what is wrong with them not being able to login: was it the number of tries, was it because they still tried to login even though 15 minutes was not up yet and another aspect that some may have: cookie blocking.

[a_bertrand]

Cookie blocking will basically kill the engine DungeonMaster: as sessions in PHP relies on cookies.

[DungeonMaster]

I know that, you know that but the end user will not and it is only through having more detailed messages can we figure out why someone cannot login. For instance, did you wait the 15 mins? Did you use up all the login tries? Do you have any cookie blocker on?

Perhaps even that can be added: "It appears you might be blocking cookies from this site. Please enable cookies as they are essential for game play."

[Dominion]

You really don't need to check if cookies are supported. If you want a message saying "This site is using cookies do you agree" (many sites do now) then do so.

As for the bad login trails the login is one page you should edit per game making it unique. This little issue has a query you can use already checking how many trails so it's not even that much work for you. Same with how much time you have left, simple query using the IP saved in the table.

The ability to stay loggedin seems silly to me. It doesn't save more then a click to login. I'm honestly not seeing the point.

Try the edits yourself. Support is here if you need it, but it's not really an engine bug in my opinion.

Edited June 4, 2013 by Dominion

[DungeonMaster]

I'm honestly not seeing the point.

I notice you like to say that around here a lot. Seeing is relative isn't it?

My first post in this thread described what I went through as Admin, I can well imagine what I will put up with if I let users in.

And, yes I can code this system inside and out until it does not even look like NWE anymore but the point I was trying to make was an even flow especially where updates are concerned, this goes back to this thread and why I cam to NWE in the first place Oh oh! I decided to go with NWE and....

Nevertheless my idea is shared.

[Dominion]

Well... I say that when I don't see the point. :p For this (staying logged in) I don't see why it would need to be in the engine itself. As A_b said it can be done via a module.

I do see the point in both the other suggestions. Attempts left is, as I said, something that already has the Data there, just need to display it. Time left you need to check the IP of the user, but again, it's mostly there. It's hardly recoding the engine in and out.

As far as updates go it's not my engine so I can't comment. I was simply giving my opinion as you where. :)

[a_bertrand]

Updated the login module. It now let you define how many trials you have, shows how many left, and shows the time to wait. I hope that makes you happy ;) If you checks what I modified, you will discover that the modification is not all that big.

I just want to make clear something: NWE is an engine, not a pre-made game, and has NEVER been advertised like a pre-made game. It's YOUR (as game owner) duty to make it fit your needs, and you cannot expect NWE will fit 100% your idea. It offers a framework to build upon, and as most can say here, I'm listening wishes and try to bring them into the engine if they are generic enough and make sense in MY opinion.

When you share your ideas / opinions, it's your ideas and opinions and it may fit or not what I have in mind. However nothing prevent you to dig into all NWE files and change them to make the game you have in mind. Of course if you change a file which may be changed in a future version of NWE, then it's your call to either skip future versions or apply the changes by hand. BTW if you copy rename a module name before modifying it, you will make sure that none of the upgrades will ever overwrite your modified versions of the modules.

[DungeonMaster]

Thank you Sir, will test it and report back.

[DungeonMaster]

I found the bug.

Instead of stopping the User from logging X minutes it stops them for X hours.

See, the recent changes was able to show what was happening.

[a_bertrand]

So is the new version working better?

[DungeonMaster]

No, like I said this was a bug that I'm surprised no one has found - that is what the former and new version gives. It is not based on minutes but hours that is why there are many login issues.

[DungeonMaster]

Also, I do not know if it is supposed to work like that but if you reload the page or try to login again it resets the counter as though the person was just locked out.

[a_bertrand]

If you reload the page it just submit again, so it's normal it resets the timer as it is like a new trial. And oddly for me it works fine it counts minutes not hours.

"Too many bad trials. Please wait 14 minutes 43 seconds."

I'm not able to reproduce your error here.

[a_bertrand]

Could it be that your MySQL and your PHP do not use the same timezone? And therefore works with different timestamps?

[DungeonMaster]

I can look into that but why not just use server timezone why would it check both?

[a_bertrand]

Because it's mysql putting in the timestamp, not PHP, therefore we could have a difference there. Otherwise I don't see why it works on my side and not on yours.

[Djkanna]

Also, I do not know if it is supposed to work like that but if you reload the page or try to login again it resets the counter as though the person was just locked out.

Reloading the page resubmits the data. ( if you don't resubmit, the counter doesn't show anymore )

Resubmitting invalid data will reset the counter as a 'new' lockout, makes sense to me.

*Also it's on minutes for me.

EDIT: A_B in before me, must refresh before hitting send.

[DungeonMaster]

Is your server set to your local time zone?

Server is UTC and also Mysql, also in the game registers UTC yet it adds additional hours instead of minutes.

Something to note: When I purposely flood the time set in bad_trials table is the UTC time which is 4 hours ahead of me but then why will it show me 4 hours instead of the 5 minutes I set it for?

Something is not correct.