I have a table temp_views which stores temporary views (for an hour) based on the ID of a post, the IP of the user and their user agent string.
SELECT COUNT(*) as viewed
FROM temp_views
WHERE showcase_id=:showcase_id AND ip=:ip AND user_agent=:user_agent
Both the IP and the user agent are stored in the table as simply TEXT. (Should I be doing that another way?).
If viewed is 0, then it adds a view - otherwise it does nothing.
What I'm wondering is, can this be "gamed" at all? If the IP matches but the user agent doesn't, then it will add a view. Can the user agent be spoofed easily or something? (A view is added asynchronously with Ajax as the user scrolls down the page).
Additionally, is this slow/inefficient or is it okay?
There's actually no 'for-sure' way to check for unique views.
For IP Addresses, users can modify their IP Address using VPN, proxy server, etc.
For User Agents, users can define their own user agent, usually in Developer Options. Even in iOS, there's a Request Desktop Site in Safari.
For storing Cookies, users can also delete the cookies thus each page visited will result in 1 view count.
Thus, there's no foolproof way to detect unique visitors.
One way is to store a Cookie in the user's browser, thus if the Cookie is found, the IP will not be recorded. Even though users can delete the Cookie, usually people won't do that. It would be more accurate than using IP only.
The only way to distinguish different users that can't be spoofed easily is by requiring them to authenticate.
The usual way to track users is with a cookie. Users can delete cookies, so it's not perfect, but they generally don't.
When the user connects, check whether the tracking cookie is set. If it's not, generate a random string, set this as the cookie value, and insert it into the database. If it's set, search for a row in the database with this value.
You should not rely on user agent, it is sent by the client, it can be defined by the user in the browser, the cURL client, etc. One user who would like to increase this counter may perform an infinite number of requests with random user agents, even from the same IP address, and fill your database with fake data.
For example it can be done with a Firefox add-on.
I suggest to use only the IP address in order to distinguish visitors. It's much harder to change the IP address (using a VPN is not easy) than change the user agent. The numbers will be close to the number of actual visitors.
Related
I'm building a PHP webpage which has a Button to download an image. I want to restrict unsigned user to download this image 3 times only.
I don't want to use neither Session nor Cookies because the user can delete his cookies!
I want to use IP, so I used the $_SERVER global variable but the problem here is the IP Address is changeable. It's dynamic and change every period of time.
So What should I do?
Not all IPs are dynamic, this depends on the ISP. Your problem is identifying the user uniquely, which is impossible to do without requiring users to log in. No matter what you use, IPs, cookies, sessions, client side scripts to do browser fingerprinting or store tokens in the localStorage, a skilled used will always manage to get over your protections.
You can only make it difficult for the users:
run a client side script to create browser finger print - https://github.com/Valve/fingerprintjs2 - and send it to the server to help you identify the user
generate a server-side token and send it to the client and store it in the localStorage and send it back to the server
store the IP of the user in the DB
use session / cookies to add an extra layer of security
use an hidden iframe to load code from a different domain you own and add extra cookies from there (sometimes users don't delete all the cookies, just those for your site)
put captchas before the user can download an image so that you're not scrapped by bots
Using a combination of all the above will make it annoying for an user to download pictures from your site without creating an user account, but not impossible.
I would like to redirect the user only if they are new to the site and have not visited it before.
What's the best way to do this? Could we create MySQL db storing IP addresses and then check against it?
Thanks
You could do IP addresses, however many people have Dynamic IP addresses from their ISP, and so it wouldn't be very accurate, and would also not work if they visited from a different location, say a mobile or tablet device roaming.
The other method would be to set an endless cookie on users who have visited, which you could check, but again if the user switches device, there is no guarantee the cookie will be present ( I know chrome syncs cookies between devices as long as you are logged into the browser )
So really the answer to your question is, its not possible to guarantee the user has never visited before without using user provided data, i.e. a login..
I am creating a simple module of like/dislike. My site has no login system, which means the visitors are not the logged in members..
How can I log their LIKES/DISLIKES, so they can not repeat the same action again and again for same post?
Can i log their unique IP or mac address..
any help?
IP/MAC is not perfect as it will identify different users in the same household as one.
Cookie is not perfect as they can easily be cleared (or the user can just use a private/incognito mode)
The best solution I've found - yet still not perfect - to identify users without a login is to use a long lived cookie/session as well as storing session ID, IP and User Agent along with the like/dislike ID to enforce any rule you would like to set.
From this answer, evercookie is also an option to explore.
In PHP you can use
$_SERVER['REMOTE_ADDR'];
to log their IP address, you can also create a session in their browser in case of IP change where the users IP is not static
Use cookies. Check for cookie before voting and set cookie after voting. It's not perfect either, because user can delete cookies, but if you want to be 100% sure then you must have registered users.
I have been considering the problems arising with user authentication, using sessions/cookies and the security risks that come up with session hijacking. I understand that using a secure https:// is the most effective method, as well as regenerate_session_id() and using a random string for validation (amongst numerous additional procedures).
My question is this: is there a possibility to incorporate a method that forgoes sessions and cookies, and uses just database held variables?
Here is how I would set it up:
-Have a column in the user table that can hold an IP address, and one that would be a Boolean.
-When the user 'logs in', set the current IP address of the user into the database, and sets the Boolean value to false (if the user doesn't want to be 'remembered') or true (if they do).
-On page load, it checks the current IP address with the one stored in the user database. If it matches, the user is considered valid.
-On window close, the script would then clear those values and the user would be 'logged out'.
-If the user wanted to 'stay logged in' (which I know is a huge security risk) then a toggle (the Boolean value) would simply deactivate the log out script and the IP address would stay stored for the user.
What would be the fallbacks to such a method? Is it even possible?
IP addresses are simply not an accurate and reliable way to uniquely identify a user. The IP may change during the session, and more than one user agent may be using the same outbound IP.
Sorry :-)
I saw this kind of IP check on a system recently, and it was causing numerous problems with users being randomly disconnected all the time (whenever their dynamic IP changes). Just don't do that, IPs can changes so you cannot rely on them.
Most likely, you should take a look at existing authentication methods and try to implement that. Keep it simple.
The existing answers saying "dynamic IP is an issue" are absolutely correct. Consider a mobile device connected via 3g. each time the user walks into range of a new tower their IP changes...
I want to keep track of a user so they don't vote twice in a poll. I don't want to use an IP address because the application I'm creating is targeted towards a campus and many people will have the same IP address because the wireless network uses NAT. Also, I don't want to use cookies or Session ID because those can easily be deleted.
How can I do this? Or am I out of luck?
I've looked at this question: How to identify unique user?. There are some answers that say that browser fingerprinting could be a way that Urban Dictionary prevents multiple votes. How would I accomplish this?
EDIT: One thing I certainly can't have in this application is user login. It defeats the purpose of the app.
I'm going to assume browser fingerprinting is reading the user agent string, which is not reliable as the user agent string can be changed in most browsers these days.
If you're wanting to uniquely identify a user, then only allow voting by logged in users, and if it's targeting to a campus only then all students will have an email address, i.e. first.last#schoolname.sch.uk or whatever your domain is.
Individual techniques may not be powerful enough, but combined, they could be very useful.
For example, you could say:
if IP is the same AND browser is the same AND operating system is the same
OR
cookies are present
Then disallow voting. Obviously, There are many more techniques that could be used in conjunction with this (such as browser fingerprinting).
Another option would be to simply require users to be logged in to vote, and ensure that each has a distinct email address.