WHMCS - Extended Login Tracking

Aldryic C'boas

The Pony
WARNING:  _NEVER_ under any circumstance run untested code on your production deployments.  WHMCS will issue you a development license if requested:  _ALWAYS_ test unknown code in a development environment before use on production servers.

Those of you running WHMCS know that you can view the last login of any given client - but I found it more helpful to have a login history for individual clients.  Tracking duplicate accounts, compromises;  there are plenty of reasons why you would want more than simply the last IP someone has logged in with.

For those interested, extending login tracking is quite simple.  To start, log in to your SQLd, and run the following query:


CREATE TABLE tbllogins (
    clientid INT(10),
    ip VARCHAR(45),  -- 45 characters holds a full IPv6 address; VARCHAR(15) only fits IPv4
    date TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX idx1 ON tbllogins(clientid);
CREATE INDEX idx2 ON tbllogins(ip);
CREATE INDEX idx3 ON tbllogins(date);

You can use DESCRIBE tbllogins; after to confirm successful creation, and should see the following:



With this done, you need merely add the following script to your /WHMCS/includes/hooks/ directory;  I've used the filename logins.php:


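<?php

// WHMCS hook: record the client ID and source IP of every client-area login.
// Note: the mysql_* functions used here were removed in PHP 7.
function track_logins($vars) {
    // Cast the ID and escape the address so neither value reaches the SQL raw.
    $clientid = (int) $vars['userid'];
    $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

    mysql_query("INSERT INTO tbllogins (clientid, ip) VALUES ('$clientid', '$ip')") or die(mysql_error());

    // Trim logins to 30 latest
    mysql_query("DELETE FROM tbllogins WHERE clientid = '$clientid' AND date NOT IN (SELECT * FROM (SELECT date FROM tbllogins WHERE clientid = '$clientid' ORDER BY date DESC LIMIT 30) alias)");
}

add_hook("ClientLogin", 1, "track_logins");

?>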

(EDIT:  Yikes, looks like IPB didn't want to add the linebreaks.  I've posted this same script at http://pastebin.com/YVm2bPmz for easier reading)

With this added, the last 30 logins of each client will be stored.  You can change the number of logins you wish to keep per client simply by changing the LIMIT 30 to the numeric of your choice.

Give some time for the table to populate, and you will be able to see what IPs a client has logged in from:


SELECT ip, date FROM tbllogins WHERE clientid = '123';

as well as which clients are logging in from a particular IP:


SELECT clientid, date FROM tbllogins WHERE ip = '1.2.3.4';

Those of you that are comfortable with editing .tpl files can even make this a nice pop-up report in the Admin area.

Disclaimer:  Due to how WHMCS hooks operate, using the `Login as Client` function WILL add that administrator's IP to the client login history.
 
Last edited by a moderator:
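Added example (not part of the original post): MySQL queries over the tbllogins table defined above for the two uses the post names, duplicate accounts and compromises. The address 192.0.2.10 stands in for an administrator IP and is a constructed placeholder; 123 is the post's sample client ID.

```sql
-- 1. Addresses used by more than one client (candidate duplicate accounts).
--    "Login as Client" records the administrator's IP against the client,
--    so known staff addresses are excluded (192.0.2.10 is a placeholder).
SELECT ip,
       COUNT(DISTINCT clientid)                        AS clients,
       GROUP_CONCAT(DISTINCT clientid ORDER BY clientid) AS client_ids,
       MIN(date)                                       AS first_seen,
       MAX(date)                                       AS last_seen
FROM tbllogins
WHERE ip NOT IN ('192.0.2.10')
GROUP BY ip
HAVING COUNT(DISTINCT clientid) > 1
ORDER BY clients DESC, last_seen DESC;

-- 2. Pairs of clients ranked by how many addresses they share.
--    One shared address is often a NAT gateway or VPN exit; several
--    shared addresses between the same pair is a stronger signal.
SELECT a.clientid                       AS client_a,
       b.clientid                       AS client_b,
       COUNT(DISTINCT a.ip)             AS shared_ips,
       MAX(GREATEST(a.date, b.date))    AS last_overlap
FROM tbllogins a
JOIN tbllogins b
  ON a.ip = b.ip
 AND a.clientid < b.clientid            -- each pair once, no self-pairs
WHERE a.ip NOT IN ('192.0.2.10')
GROUP BY a.clientid, b.clientid
ORDER BY shared_ips DESC, last_overlap DESC;

-- 3. Per-address summary for one client. An address with logins = 1 and a
--    recent first_seen is a login from somewhere new, worth a look when
--    investigating a suspected account compromise.
SELECT ip,
       COUNT(*)   AS logins,
       MIN(date)  AS first_seen,
       MAX(date)  AS last_seen
FROM tbllogins
WHERE clientid = 123
GROUP BY ip
ORDER BY first_seen DESC;
```

Because the hook trims each client to the 30 latest logins, these queries only see that window; raise the LIMIT if older overlaps matter.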

ryanarp

Catalyst Host
Verified Provider
Awesome Aldryic! So glad to see you contributing these kinds of very useful additions to WHMCS. And thanks Damian for posting alternatives. Already seeing better things posted on VPSBoard. 
 

SeriesN

Active Member
Verified Provider
Where is the thank you button again?

Wait there is :). Thanks Aldry and Damian.
 

KuJoe

Well-Known Member
Verified Provider
Just an FYI, in the Pastebin code it says "ipaddr" instead of "ip" on line 4 which throws an error if anybody tries to login. I've also changed this addon to work with this update.

Just copy the code from the pastebin below and paste it into a PHP file and add it to a folder in your /WHMCS/modules/addons/ directory (I am using the default /WHMCS/modules/addons/search_ip/search_ip.php from the old addon).

http://pastebin.com/V1kK0rZU
 

Aldryic C'boas

The Pony
> Just an FYI, in the Pastebin code it says "ipaddr" instead of "ip" on line 4 which throws an error if anybody tries to login.
Yup, sorry about that >_<  My production database has the column labeled as ipaddr (for consistency with Demi and a few other tables), and it's actually an unsigned integer, not a varchar :p;  I'd just simple'd it up a little bit when I wrote the tutorial.  I'd corrected the mistake in the post above, and forgot all about the damn pastebin.. thanks for pointing that out boss :p
 

D. Strout

Resident IPv6 Proponent
Version 2.0: Check last login IP and if it matches new one, simply update the timestamp of last login rather than recording a new one. After all, different IPs are where it gets interesting.
 

KuJoe

Well-Known Member
Verified Provider
> Version 2.0: Check last login IP and if it matches new one, simply update the timestamp of last login rather than recording a new one. After all, different IPs are where it gets interesting.
I think the timestamps have their own benefit.
 

Aldryic C'boas

The Pony
> Version 2.0: Check last login IP and if it matches new one, simply update the timestamp of last login rather than recording a new one. After all, different IPs are where it gets interesting.
Not always.  I've used login tracking to deal with abuse cases as well.. "but I wasn't using the VPS or account then, it couldn't have been me spamming" 'And yet my access logs say different...', etc.

I do have a separate table and module running that handle audits concerning where IPs change, patterns, predictions, etc... but that's a whole different monster from simple login tracking.
 