How can I make Users submit only one vote? - php

I have to make a website where users can vote only once. I tried to register them in my DB using their IP address with $_SERVER['REMOTE_ADDR'], but I did some research and found out that in some cases multiple users can have the same IP (using the same Wi-Fi or the ISPs sharing IPs between them). Also, I don't want them to make an account to be able to vote, or log in with Facebook, Google, etc.
Is there any way to do this with PHP?

Just have a quick glance at https://github.com/samyk/evercookie. Your search will end there.

You can store a fingerprint in the DB and then compare it like you did before with an IP address:
https://github.com/Valve/fingerprintjs
Or you can make your own fingerprint by storing the user's device, its width, height, timezone, etc.
But it'll fail if someone votes with another device.
I think it must work like antifraud systems, but they're based on the same approach I described.

Related

Identify specific device using PHP

I am writing a voting plugin for my Wordpress site. I would like for a client to be able to vote without logging in. What I have done is I have used $_SERVER['REMOTE_ADDR'] to only allow each client to vote once. Since the voting also uses AJAX, the voting is quick and easy.
However, I have run into a problem with mobile devices as they don't have unique IP addresses. What solution can I use to make sure that people cannot spam the vote button (or if someone double clicks on it, that two votes are not registered etc.) on a mobile device?
This does not need to be a fool-proof method. I realize that $_SERVER['REMOTE_ADDR'] is not foolproof either (although if anyone has any fool-proof ideas that can be implemented easily, I'd love to hear those as well).

Log Specific IP address of a Registered User

How can I get the IP of someone and then check if this specific user has already created 2 users?
Like, if this IP: xx.xx.xxx.xx has already successfully registered 2 users then cancel his third registration.
How can I do that?
As the IP address usually will change every day, and the person could obtain a new IP address while reconnecting to his provider or he could use a proxy, your solution will not work. Don't even try it!
Also note that multiple users can be members of a bigger network with one outer IP (like a university). You would allow only one out of them to create an account.
Your planned solution would lead to situations where valid users cannot create an account but hackers could easily circumvent the restriction and even better prevent others from creating an account. Again, don't try this!
IP Address Information
First, you should be looking in these two server variables for your client IP address. The first one below is normally the most accurate and commonly used; you might also want to use the second, however be aware that this can be spoofed by your clients.
$_SERVER['REMOTE_ADDR'] // Normally here
$_SERVER['HTTP_X_FORWARDED_FOR'] // Sometimes if behind proxy
Next, IP addresses regularly change for internet clients for a few reasons: dynamic IPs from ISPs' broadband services, a user's normal mobility on the internet, or people using evasive tactics to get past your IP limitation security (normally using a type of internet proxy service).
Because of this you will normally want to store the IP when the user signs up, and also update this list each time that they log in to keep an IP history for that user.
Next when another person signs up for your service you will need to compare their IP address to that of your database contents, however you need to be careful here. There are plenty of valid reasons for a user sharing the same IP address, for example a work place or university will normally have thousands of users using a single public IP address.
Fingerprinting
Finally, something that I know a few services do is try to capture more identifiable information from the client than just the public IP address that they are using.
For example from PHP you should be able to capture information such as the User Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Other information like timezone, HTTP supported headers, Flash version, system fonts, etc. can be captured using a mixture of PHP, Flash and JavaScript. Here is a great website that will give more information on this: http://panopticlick.eff.org
As you can see this information saved into your database can create quite an accurate and unique representation of a user's computer, a fingerprint. Even if your users change their IP address if you see the same combination of fingerprints in quick succession there is probably something dodgy going on.
Thoughts
So it really depends on your application. For some you will want to just try to discourage people from signing up for multiple accounts, in which case simply logging the IP address on signup and comparing would do the job.
For others, like online games, you want to really ensure that no person would ever be allowed to create more than one account, in which case you're going to need to do host fingerprinting and have some clever algorithms to try to score how unique a specific person is, and their likelihood of being one of your other users' alter logins.
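The two points in the answer above, that $_SERVER['HTTP_X_FORWARDED_FOR'] can be spoofed and that request headers can be folded into a fingerprint, shown as an added example (not code from the original answer). The proxy list, function names and sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical list of reverse proxies you operate; only these may supply X-Forwarded-For.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// REMOTE_ADDR is the TCP peer and cannot be set by a header. X-Forwarded-For is
// client-controlled text unless the peer is one of our own proxies.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    // Walk the chain right to left: the rightmost entries were appended by
    // our proxies, anything further left may have been forged by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Coarse server-side fingerprint from request headers. It is a weak signal
// (many clients share identical headers), so treat it as a hint, not an identity.
function header_fingerprint(array $server): string {
    $parts = [];
    foreach (['HTTP_USER_AGENT', 'HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING'] as $k) {
        $parts[] = $server[$k] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Constructed requests: a direct client forging the header, and one via our proxy.
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 192.0.2.44',
            'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)'];

echo client_ip($direct), "\n";
echo client_ip($proxied), "\n";
echo substr(header_fingerprint($proxied), 0, 16), "\n";
```

For the direct request the forged header is ignored and the TCP peer address is used; for the proxied request only the hop appended by the trusted proxy is accepted.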

Online Voting Application. How to avoid repeated voting from same user [duplicate]

I am developing a small web app where it needs an online voting system using PHP for my college event. I was obtaining the IP address and storing it in the database to prevent repeated voting from the same user. But then I remembered that my college uses a proxy server, so obtaining the IP address is useless.
I tried accessing and storing the MAC address of the client using JavaScript. I tried out a few examples that I found on the internet, but none of them worked.
Can you guys suggest an alternative for how I can get the results I want?
Any sort of help would be heartily appreciated.
Regards,
Aayush Shrestha
Nepal
Have them enter their email addresses and send a link to their email that allows them to vote. The link should include some hash of their email and you would have to check if they have already voted or not.
I realize that a student could enter multiple email addresses and vote multiple times, but how many emails does a student really have? And how much time would they spend doing something like that?
I'm guessing you don't have access to any sort of authentication system through your college, so this is probably the best way.
Edit:
Another idea is to use Facebook authentication (see: http://developers.facebook.com/docs/authentication/). The downside is that you have to assume that all voters have Facebook accounts.
First get the user to register an email address so they can use the voting system subsequently associated with that address.
Once you have an email address (that is validated with an activation link sent to that email), then you can gather voting related input from the user.
There is really no effective, platform-independent way of preventing repeated voting unless you enforce user certificates, etc.
The only 100% airtight way to do this would be to make users create accounts that require some personally unique information to prevent a user from making multiple accounts.
The closest you can come without a login system is the Evercookie library, which stores a UUID in about a dozen different places in the user's browser. It's very difficult to clear them all out (even using a privacy mode in the browser), so if you give an Evercookie to a user when they vote, you can probably spot someone who has voted before.
Note that this stops repeat voting on the machine level, not the user level (a machine may have multiple users, and a user may have multiple machines, which might enable repeat voters or block eligible voters).
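The e-mailed voting link suggested in the answers above ("some hash of their email", plus a check whether they have already voted), as an added example that is not part of the original answers. The secret, table schema, URL and address are assumptions constructed for illustration; the hash is a keyed HMAC so a voter cannot compute a valid link for an arbitrary address.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side secret; load it from configuration, never from the client.
const VOTE_SECRET = 'constructed-demo-secret-change-me';

function normalize_email(string $email): string {
    return strtolower(trim($email));
}

// Token mailed to the voter: HMAC of the address, unforgeable without the secret.
function vote_token(string $email): string {
    return hash_hmac('sha256', normalize_email($email), VOTE_SECRET);
}

function vote_link(string $baseUrl, string $email): string {
    return $baseUrl . '?' . http_build_query(['e' => normalize_email($email), 't' => vote_token($email)]);
}

// Returns 'ok', 'bad-token' or 'already-voted'.
function cast_vote(PDO $db, string $email, string $token, string $choice): string {
    if (!hash_equals(vote_token($email), $token)) {   // constant-time comparison
        return 'bad-token';
    }
    // Store only a keyed hash of the address. The PRIMARY KEY makes the
    // one-vote rule atomic, so a double click cannot insert twice.
    $voter = hash_hmac('sha256', 'voter:' . normalize_email($email), VOTE_SECRET);
    try {
        $db->prepare('INSERT INTO votes (voter, choice) VALUES (?, ?)')->execute([$voter, $choice]);
        return 'ok';
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity constraint violation: this voter already has a row.
        if ((string) $e->getCode() !== '23000') throw $e;
        return 'already-voted';
    }
}

// Demo with an in-memory SQLite database and a constructed address.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (voter TEXT PRIMARY KEY, choice TEXT NOT NULL)');

$link = vote_link('https://vote.example/cast.php', 'Student@Example.edu ');
parse_str(parse_url($link, PHP_URL_QUERY), $q);

echo cast_vote($db, $q['e'], $q['t'], 'option-a'), "\n";            // first use of the link
echo cast_vote($db, $q['e'], $q['t'], 'option-b'), "\n";            // same link again
echo cast_vote($db, $q['e'], str_repeat('0', 64), 'option-b'), "\n"; // forged token
```

As the answers note, this limits votes per mailbox, not per person; restricting accepted addresses to the college's own domain would be a further assumption on top of this sketch.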

Recognized devices system in php

I'm making a social network and I'm trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in Facebook.
I can do this using IP checks but that would be stupid if the user had a dynamic IP address; then another option is cookies but that would also be stupid for many reasons - one being that it's client side.
So then, I think the MAC address will be the thing to use, but I have no idea how to grab the MAC address using PHP or JavaScript.
I think if this is possible, then it will be via JS because it is client side.
So any suggestions?
Why is it 'stupid' to use client-side information for authentication? That's where you'll be getting the username and password from, and you're likely trusting that already.
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP.
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password, you could encode some other browser-specific fields (exact UA header?) into the cookie to add more data you can use to decide if the client is trusted.
That's more a comment than an answer:
I'm making a social network and I'm trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in Facebook.
I'm not the author of that feature from facebook, so I don't have the specification of that feature at hand. If you would be so kind and add the specification of the feature you ask a question about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution
I can use this api http://ipinfodb.com/ip_location_api.php And grab the location of my users and if it changes ask them to verify device.

Secure voting website

I am willing to implement a website where there will be the top 10 best members' pictures or something like that. Before voting for pictures or uploading pictures people will have to register first. But how could I protect my website from multiple accounts? Store IPs to database? But will it help me while there are thousands of proxies out there? What should I do? Thank you.
edit: maybe I could make accounts paid, for example 0.99$ per month via PayPal, and somehow not let people register twice with the same PayPal and IP? Is it possible?
Use a confirmation code that is sent to a mobile number upon registration, and confirm it, like Google.
You can't stop it, but you can make it difficult and do things to detect it like you said with the IP's.
You can get a lot of data from the user, not only IP but also browser version, headers sent in the request, even resolution etc. with JavaScript. Resolve IP to region etc. But it's not simple to write a system that would search all of that data for similarities.
You can also set cookies or even do a little SWF object with some information cached on the user's local HDD.
You can send mail confirmation... and don't allow multiple users from the same mail!
This is fast and easy to implement :)
