Managing temporary access.

I have a subscription based site. In the spirit of "try before you buy"
I offer test drives. People email a request for a test drive, and I send
back a temporary user name and password that gives them access for one week.

I would like to automate this process. However, without actual eyes on
each request, the test drives could be abused.

I am contemplating allowing one test drive per email address per year.
Your email address becomes your temporary user name. To ensure that the
email actually exists, the user name and password would be sent to the
user via email.

I would keep the email address on file for one year and politely decline
to give a test drive to anyone whose email address is on file. Anyone
who feels they have a legitimate need for a longer test drive would be
welcome to email me.

But most people have more than 1 email address. I believe 3 is the
average. I have 8, and the ability to create an unlimited number more.
Even my GF, who is not computer savvy, has 2. There would not be any way
to prevent someone from using different email addresses to access the
site for free indefinitely.

Does anyone have any ideas to make this work smoothly while minimizing
the potential for abuse?

Re: Managing temporary access.

I think your idea is generally sound, and you have identified the one flaw.

Would it be worth logging the IP address from which the request came? I know
that many people could legitimately sit behind the same IP address and that
some IP addresses are allocated dynamically rather than statically, but that
might at least give you an indication of possible abuse. So if you had two
requests from the same IP address within say 2 weeks then that could signal
possible abuse - and escalate it to you so you could look at it manually to
make the call.

A few months back I might have suggested also storing a cookie on their PC
to allow you to identify the PC, but this might fall foul of the UK cookie
law. Even if you were to store a cookie to identify the PC it's not

Just some ideas. Hope it's useful.
 Brian Cryer
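
The scheme discussed in this thread, sketched as an added example that is not part of either post: one test drive per email address per year, one week of access, and a second request from the same IP address within two weeks held for manual review rather than refused. The `TrialGate` class, its method names and the in-memory dictionaries are hypothetical stand-ins for the site's own user store.

```python
import secrets
from datetime import timedelta

EMAIL_COOLDOWN = timedelta(days=365)   # one test drive per address per year
IP_REVIEW_WINDOW = timedelta(days=14)  # second request from an IP within 2 weeks
TRIAL_LENGTH = timedelta(days=7)       # temporary access lasts one week


class TrialGate:
    """Hypothetical in-memory stand-in for the site's user database."""

    def __init__(self):
        self.granted = {}       # email -> (time granted, expiry)
        self.ip_requests = {}   # ip -> times of earlier requests
        self.review_queue = []  # held for the site owner to decide manually

    def request(self, email, ip, now):
        email = email.strip().lower()  # assumption: case variants are one address
        prior = self.granted.get(email)
        if prior and now - prior[0] < EMAIL_COOLDOWN:
            return {"status": "declined", "reason": "address used within the last year"}
        recent = [t for t in self.ip_requests.get(ip, []) if now - t < IP_REVIEW_WINDOW]
        self.ip_requests[ip] = recent + [now]
        if recent:
            # Shared and dynamic IPs are common, so escalate instead of refusing.
            self.review_queue.append((email, ip, now))
            return {"status": "review", "reason": "same IP seen within two weeks"}
        return self.grant(email, now)

    def grant(self, email, now):
        """Issue credentials; also called by the owner after a manual review."""
        expires = now + TRIAL_LENGTH
        self.granted[email] = (now, expires)
        # The password goes out by email only, which confirms the address exists.
        # A real site would store a hash of it, not the plain text.
        return {"status": "granted", "username": email,
                "password": secrets.token_urlsafe(12), "expires": expires}

    def has_access(self, email, now):
        prior = self.granted.get(email.strip().lower())
        return bool(prior) and now < prior[1]
```

The IP check only queues a request for a human decision; calling `grant()` from the review queue is how the owner would approve a legitimate second user behind the same address.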
