This can be set up independently from the software? ie just put the right cookie code in the templates. Has anyone done it? If so could you give me some pointers on how to set this up?

Banning by ip isn't enough, some users are on randomly assigned ip blocks. Some people say there's no point in a cookie based ban, but this is crap as there is no 100% way of banning users. All you can do is use all the methods at your disposal. Many web surfers are ignorant and this is what you rely on with *any* method.

Is it as simple as placing the cookie code on the login page? If a banned cookie is recognised on the users machine it can display an "error has occured" message or something similar?

Jason

Any more on this?

Jason

A cookie-based ban is, as you mentioned, an exceptionally weak form of banning, especially considering that the sort of person who will typically end up being banned is also the 1 in 10 people who know how to clear their cookies to evade a cookie-based ban.

That aside, the easiest way to do this would be to put a hook on auth_run_command that returns -1 if the cookie ban is set. As for setting the ban, it can't be done in a template simply because by the time the template is parsed, the HTTP header has already been printed. You'll also need a hook, although you could probably handle setting the cookie in the same auth_run_command hook.

---

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com

Has anyone tried this? I'd appreciate a more step by step guide to implementing something like this, as while I get the gist of what you're saying, haven't a clue how to set it up.

Jason