Would REALLY appreciate your input- shopping cart admin area protection
obscure
20-01-2009, 02:22 PM
Hey all,
Sorry for the weird question but just had a 'disagreement' with DH about shopping cart protection - we are implementing a new system to protect the administration area of the shopping cart and DH is thinking of adding in IP limitation as he wrote this for a bespoke development project we did at the end of last year. It is top notch protection for the admin panel as for someone to gain access to it they would have to know the password and be on one of the designated computers....
However being a web based cart I know that people sometimes use a variety of IP addresses to access their shopping cart (at work / at home / at parents / on holiday).
I am wondering how people would feel if they had to contact us to enable them to access from a friend's house or to remove the IP protection (obviously standard password protection would still be there) if they go away on holiday (as obviously they aren't going to want to phone us to add on new IP addresses that they can connect to from each net cafe).
So a few questions for you all:
Do general shopping cart owners (ie you) know about IP addresses enough to realise that this improves the cart security (prevents people logging into your admin area other than from dedicated machines)?
Would you think this is a good security feature if it was offered?
How would you feel if you wanted to access the cart admin area from a computer you had not used before but had to phone to ask for the IP address to be added first?
How often do you actually access your shopping cart administration area from computers outside your home?
HUGE thanks in advance, would REALLY appreciate your input!
Sadie
(gathering opinions ready for when DH is back in the office soon so we can have a rational discussion instead of my opinion vs his)
Ravenfire
20-01-2009, 02:29 PM
How would it work for people that don't have a static IP address? For example I am with BT Internet and my IP can vary quite a bit day by day.
Spacekids
20-01-2009, 02:35 PM
This would really confuse me, and put me off I think! I use my laptop at home and my office computer, and I would think it was really odd if I couldn't just do this without having to make contact with you.
I don't think I have ever come across having to do this.
obscure
20-01-2009, 02:36 PM
That's my other concern you see Toni :) For them I guess the IP protection layer would have to constantly be off.
It's more of an added layer of protection but I worry that we'd just never end up using it so what's the point in adding it lol!
Sadie
obscure
20-01-2009, 02:39 PM
This would really confuse me, and put me off I think! I use my laptop at home and my office computer, and I would think it was really odd if I couldn't just do this without having to make contact with you.
When the cart is initially set up we would add the IP addresses of the computers used (so in your case your office computer and home computer IP addresses would both be enabled for access) it would just be if you wanted access from another computer that we would need to be contacted.
I did wonder if it would just confuse people - obviously I know that it's top level protection for someone's cart administration (it would mean that someone would have to be on your computer AND know your password in order to gain access to your store admin area), but do people feel the need for that level of protection?
Thanks for the reply :) Hopefully I'll have a variety of feedback from people before DH gets back into the office so we can have a discussion about it again without it being my opinion vs his.
Sadie
naturalnursery
20-01-2009, 02:53 PM
I can see the point of it in many ways but I do often log in from a number of pooters - we are often away and I do like to be able to check in and I think you could end up with a huge number of requests to deal with
Axx
feistygal
20-01-2009, 03:02 PM
I understand the idea and can see the obvious security benefits but I think it would only really work for bigger, more commercial companies where people don't generally access their "work" from anywhere other than work.
I access my cart from a lot of different places, right now from the USA, frequently from my parents', brothers', friends' houses, anywhere I go on holiday or away for the weekend so it would drive me nuts having to call first.
Personally I don't think it is viable for SMEs.
MrTempleDene
20-01-2009, 03:51 PM
Are the shopping cart and the store admin in the same area then?
I can understand protecting the admin panel with IP address protection but not customers' shopping carts, that would immediately make me move on and shop on another site.
And if it did include customers' shopping carts then all a hacker has to do is ring for their IP addy to be added then continue on their way to try and hack the admin panel.
brooklyn
20-01-2009, 04:07 PM
That would massively annoy me. I have enough of a hard time remembering my password!
obscure
20-01-2009, 04:37 PM
Are the shopping cart and the store admin in the same area then?
I can understand protecting the admin panel with IP address protection but not customers' shopping carts, that would immediately make me move on and shop on another site.
And if it did include customers' shopping carts then all a hacker has to do is ring for their IP addy to be added then continue on their way to try and hack the admin panel.
No way - it's ONLY for the store owner, nothing would affect their customers in any way shape or form.
The only person who could request IP changes would be the store owner - it's only for the administration pages for the store itself (updating products / categories, viewing & updating status of customer orders, setting discounts, editing the website pages / contact details - that kind of thing).
It would be totally unmanageable for it to be the customers needing to do anything to do with IP address updates for their carts.
:) Sadie
obscure
20-01-2009, 04:41 PM
That would massively annoy me. I have enough of a hard time remembering my password!
It wouldn't affect the password - you would still need to login just using the one password, and it could be stored by your browser if you opted for it in the usual way.
The cart would just detect if you were logging in from one of your preset IP addresses (ie computers) and if not would not give you access to login.
I'll compile these replies for DH to take a look too :)
Sadie
friendlybaby
20-01-2009, 07:35 PM
I guess if it is an option that store owners can have turned off or on then it is a good idea. Some people might only ever use one or two computers and rarely ever go anywhere and be grateful for the extra security. Others that need to log in on different computers all the time or who don't have a static IP address can turn it off.
antonia
20-01-2009, 07:56 PM
I almost never use another pc to administer my store so would be very happy with that.
Miranda
20-01-2009, 10:26 PM
Could you have an option to send an email when a different IP address is used?
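Added example, not part of the original thread or of the cart's own code: a sketch of the admin-login decision discussed above, combining the preset-IP check, the per-store on/off switch and the email-on-new-address idea. The names `AdminPolicy` and `evaluate_admin_login` are hypothetical, and the addresses are constructed from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AdminPolicy:
    """Per-store settings (hypothetical names, constructed for this example)."""
    allowed_networks: list                      # CIDR strings registered for the owner
    enforce_ip: bool = True                     # owner may switch the IP layer off
    seen_ips: set = field(default_factory=set)  # unlisted IPs already reported

def normalise(client_ip):
    """Parse the address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def evaluate_admin_login(policy, client_ip, password_ok):
    """Return (allowed, reason, send_alert_email).

    client_ip must be the TCP peer address seen by the server (or one set by
    a proxy you control), never a header the browser can supply itself.
    """
    try:
        addr = normalise(client_ip)
    except ValueError:
        return (False, "bad_client_ip", False)
    listed = any(addr in ipaddress.ip_network(n, strict=False)
                 for n in policy.allowed_networks)
    if policy.enforce_ip and not listed:
        # Refuse before the password matters; alert only if the password was
        # right, since that means the password is known outside the listed PCs.
        return (False, "ip_not_allowed", password_ok)
    if not password_ok:
        return (False, "bad_password", False)
    if listed:
        return (True, "ok", False)
    # IP layer off: allow, but email the owner the first time an address appears.
    first_time = str(addr) not in policy.seen_ips
    policy.seen_ips.add(str(addr))
    return (True, "ok_new_ip" if first_time else "ok", first_time)
```

With `enforce_ip=False` the store behaves as a password-only login that still reports unfamiliar addresses, which suits owners without a static IP.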
Laura@FYP
21-01-2009, 12:11 AM
It makes sense, however I do think it would annoy me. I use quite a lot of different computers to access my admin, and I like the freedom of knowing I can access it at any time, anywhere if need be.