Check your CCBill htpasswd file
 

check your ccbill htpasswd file on a regular basis to make sure there aren't non-paying users who still have access to your site.

last year i was looking up a password trader and discovered that he had cancelled over a year earlier but his username was still in the htpasswd file!!! so not only did he have free access for over a year, he was generous enough with his good fortune that he shared it with a bunch of his buddies! when i asked ccbill about this they said this happens if there is a problem writing to the server. when a membership expires the user is removed but if there is a problem with the connection then the user never gets removed. the entire file isn't re-written, just that line. something doesn't seem right with that but it's the story i was told.

well, after reading all the stuff on here lately about ccbill i thought i'd check again and guess what, there were 105 users in the htpasswd file that weren't paying but had member's area access!

ccbill said there's nothing they can do about it and it's up to the site owner to request a new htpasswd file each month to make sure non-paying members are removed.

check your shit!

thx a lot for sharing your experience. added to our news section

It's been a problem for a long time. I know a bunch of people that do that on a regular basis.

this is pretty bad...
they don't overwrite all the user because you might be using another billing option...

that's a good point. so it's up to the owner to make sure the file is up to date.

Whats the big deal...few guys will have free access, so what? If its few %, it isn't even worth to check.

imagine how frustrating it would be for a member who signed up using another biulling company (because they were declined by CCBill) not to be able to login because CCBILL deleted their username from the file... this pretty much sums up to why they dont overwrite all the file... but they could set up some way to warn the site owners that the member was not successfully delete from their htpasswd file...

I am sure that this problem is not only with ccbill but with any other billing that you might be using...

a few guys would be 1 or 2, not 105!

105 x $29.95 = $3,144.75/month. you wouldn't take 15 minutes out of your month to save $3,144.75 + bandwidth?

besides, that's not the point. the point is if the person doesn't get removed then they stay in the htpasswd file indefinately. that list will only get bigger, never smaller.

Those members cancelled their memberships...what makes you think they would all re-join? None of them would.

but they wouldn't share the new content on TUBE SITES...

none of them would? you need to be a paysite owner to understand how it works. people join a site for a month or two and they cancel but many return after a bunch of new content is added.

this is a normal cycle. what if the member cancelled because of money issues but loved your site. the htpasswd file issue guarantees they will never have to join again.

i checked most of the usernames that were suppose to be removed and they are still accessing the site. what does that tell you?

the issue here is if a person is not paying then they shouldn't have access, regardless of how many for how long. it's business 101. the point of this thread isn't to debate whether or not it's ok for non-paying people to have access to your site, it's to make othet site owners aware that you need to keep an eye on this. if you don't own a site then it doesn't concern you.

with maths skills like that, you should be a laywer for the MPAA

Hopefully you email all those members and tell them that there was a glitch and that you are deleting their access however then can sign up again for a discounted price and give them a discount code. I am sure you will get some that bite :)

It's been like this for a long time. If you have an outage or do a server move, you should contact CCBill to refresh your htpasswd file. We refresh our files every quarter as part of routine maintenance.

My experience with it is this:

* CCBill fails to remove about 3-5% of the usernames. Over time it adds up.

* I call it a BUG, even if CCBill is correct in saying it's our responsibility to ensure accuracy of the data on our servers. I'm fairly certain it's an issue on their end, not in my server, because I have uptime monitors up the wazoo for my server and it's seldom down. I check the Apache error logs daily and the scripts are running fine. In any case, their system should do more retries to delete the username. Their error.log notes when it can't.

* The stuck usernames seem to come in groups. I had a lot right after Christmas and New Years.

* For my membership, anyway, maybe 1/5 or 1/4 realize they can still access, and continue to log on. I can check because I use Strongbox which gives you a history of their logins.

* Some of my members actually do resubscribe later. I think a lot of people sign up for a month, leave, and come back a few months later to snag the updates. So it's worthwhile to ensure canceled members are removed, as it could mean a re-subscription down the road.

* I recorded a simple Word macro that compares the Active Member list that CCBill maintains and my htpasswd file. Takes just a few seconds to catch all the stragglers. You could do the same, or write a little PHP or Perl script or something that does it.

i just got them to send me the latest and greatest htpasswd file then i re-added all the members for the day to make sure i didn't miss anyone in the process.

I actually flagged 6 members JUST THIS WEEK for password sharing!

www.proxypass.com ftw.

It's a pain to regenerate your password file because there is no automatic way to do this with CCBill or Epoch. Globill had one, but that's not terribly helpful now. Heh.

Epoch doesn't want to send out properly encrypted stuff, so the site owner has to blank the file, have users unhappy for a little while, set up an FTP for Epoch and have them put stuff in. Then use whatever CCBill emailed to append those users.

I probably do this twice a year, but I would do it monthly, if it were less of a problematic workaround fix.

Hi Amelia.
I recently did an Epoch migration within the last month, and that was not the case. They posted all members to a URL / script of my choice.

I use Epoch's script to manage Epoch members. If I want to refresh a password file and they won't email the encrypted passes, what would a URL post be like?

What ways can you keep track of stuff this way? Anyone care to break it down for someone who doesn't know how to check this?

Ask for a copy of their 'Epoch Client Controller' script. It writes to a file or database of your choice. They will quite happily repost all the UN/PWs to it.

you can always use some password sharing detection scripts to avoid those "permanent" users from sharing their passwords...

This doesn't help remove the once-valid subscribers who are now able to access for free.

The best thing to do is either have the password file regenerated, or compare active members to the ones in your htpasswd file. Those usernames in htpasswd that aren't on the active member list can be manually removed.

I do the compare with a Word macro, but any script junkie can create a grep shell command and you can probably do it right on the server.

It's easier if you give them the FTP info and they will do it for you.

the word macro sounds like a good idea. especially for the owners with multiple cc processors.

i'm pretty handy with word so can you give some details about the macro?

yup I checked mine for the first time in a very longtime and found 30 some extra users in there that weren't removed..

I wonder why they can't report or catch when the user is not removed.. I mean when ever there is a "User Management post error (JPOST)" they send you a email to have you re add the user that didn't get added correctly so why can't there be the same type of warning for this?

But yeah for sure it's a good idea to once a month or atleast quarterly request a updated pass file for your sub accounts to keep this in check

unless you get ccbill to do it, you pretty much have to do it manually. from the ccbill admin, get a list of all the current members:

reports>members>active members

from there, select active recurring, cancelled/single, manual adds, and test sign-ups.

once you generate the report, you should have the same number of usernames that are in your htpasswd file located in the cgi-bin folder.

you can either have ccbill generate a new htpasswd file and email it to you so you can upload it to your server, you can have them do it for you by giving them ftp access or you can remove the usernames one by one from the htpasswd file.

good pojnt, there should be some kind of check for this. i guess they don't look at it as a problem because it's not like ccbill is going to get a chargeback if someone isn't removed.

I have also noticed passwords left in my files, but omg, nightmare for you that its was a wanker that wants to give your content away also! Sorry to hear this.

Thanks for the info of asking them to renew the password files. :thumbsup

Zombaio has this feature right on your control panel's homepage. It displays adds and removals and even shows you how many milli-seconds it took to perform the operation.

What??? I have lots of members join then cancel straight away to join again a cpl of months later once they have a load of the latest new content. Lots of members cancel and return!

if you find they dont, then your content cannot be what they were looking for in the first place. :2 cents:

I've added to our TODO list building a system that makes this easy, or even better
automatic, for you guys.

I know they join later...but by that time, they don't know their membership might by still valid. As already said, just a few will re-check later with their old password. Most will just re-join.

How would you know arsewithaids? You admited only getting 5 sales including rebills a month you dirty lying shitbag :1orglaugh

Not called for :2 cents:

so check if you want and dont if you dont want :)

1) Every Frog webmaster client ALREADY has THE solution to this problem now

2) Frog has interfaces with most credit card billers that "outs" invalid usernames in the password file.

3) This has been a feature in Phantom Frog since V1.0

Discover more details here

You will find a LOT of problems like this, 3rd party membership/affiliate tracking software included. Solution is to make sure your site (at least your postback site) is up 24/7/365 and that your connection to biller is foolproof.

Neither is going to happen.

I recently put in some custom member tracking stuff for a client, and this was the entire reason I added "expires" in the mysql table and have the biller postback update that field when the member renews. It's a "my glass is half full" situation since either you allow members to go on indefinitely when there is a network problem (ie they are not expired) or you get members that are expired because their renew postback didn't go through. I opt for the latter.... since a member will complain if they don't have access when they should have whereas the reverse is never true.