I am creating a simple module of like/dislike. My site has no login system, which means the visitors are not the logged in members..
How can I log their LIKES/DISLIKES, so they can not repeat the same action again and again for same post?
Can i log their unique IP or mac address..
any help?
IP/MAC is not perfect as it will identify different users in the same household as one.
Cookie is not perfect as they can easily be cleared (or the user can just use a private/incognito mode)
The best solution I've found - yet still not perfect - to identify users without a login is to use a long lived cookie/session as well as storing session ID, IP and User Agent along with the like/dislike ID to enforce any rule you would like to set.
From this answer, evercookie is also an option to explore.
In PHP you can use
$_SERVER['REMOTE_ADDR'];
to log their IP address, you can also create a session in their browser in case of IP change where the users IP is not static
Use cookies. Check for cookie before voting and set cookie after voting. It's not perfect either, because user can delete cookies, but if you want to be 100% sure then you must have registered users.
Related
Many users want a possibility to autologin when they return to my website. I just finished to implement it and I have read several artcles about this question. For example, here. I use different tokens, hashes, etc and regularry update autologin cookies un DB information associated with these cookies.
The main problem is that if user A have a autologin cookie in his computer A, user B can stole this cookie and place it on another computer B and successfully autologin to the user's A account.
My main question is:
1. How to make sure that the person who enters with autologin cookie, really is user A from computer A and not user B from computer B?
There are 2 ways how to prevent it, but none of them are very useful:
To check user's IP address. Mobile Internet users may have a different IP address every 5 minutes. So, this is not very useful. I just implemented an option that users can check a box if they want to allow autologin only from their recent IP address.
To check the user-agent. I have implemented this and tested on Firefox. Worked fine. Then I started to test it on Chrome and almost every day my autologin cookie was not valid because Chrome updates almost every day and useragent changes.
2. Is there any easy way how to remove the browser version number from user agent so that I can check just the browser, etc but not the browser version number?
I'am logged in on Facebook for a long time - probably 1 year. Have many times updated the browser but my autologin cookie is still valid. Does it mean that they don't check the user agent?
3. Are there any other methods how to make sure that user who enters my website really is user A and not someone else?
Just make sure the autologin cookie's value cannot be guessed and that it uses the HttpOnly attribute (use Secure too if your site uses HTTPS).
Checking the IP address is not worth the degraded user experience. What's the point of a "remember me" feature that breaks if I change networks? I've implemented this in my CMS a long time ago and have had many complaints since :)
Checking the User-Agent is pointless - if someone manages to get access to the cookie they might just grab the User-Agent too.
How to make sure that the person who enters with autologin cookie, really is user A from computer A and not user B from computer B?
You don't. This isn't your concern. If they steal the authentication token, they're authenticated as that user. Dead stop.
Focus instead on making it nigh-impossible for anyone to steal said token without infecting the user with malware. This means:
Use HTTPS everywhere.
Set the cookies' HTTP-only flag to true.
Set the cookies' secure flag to true.
Make sure you're using a CSPRNG.
Make sure you've securely implemented your long-term authentication and that it's optional.
There are 2 ways how to prevent it, but none of them are very useful
Neither of those prevent anything. IP addresses change rapidly for e.g. mobile users, and user agents aren't unique.
Is there any easy way how to remove the browser version number from user agent so that I can check just the browser, etc but not the browser version number?
What you're basically saying is "any Firefox user can impersonate any other Firefox user if they steal a token and that's somehow better than anyone impersonating a user if they can steal a token".
Are there any other methods how to make sure that user who enters my website really is user A and not someone else?
To be succinct: No.
I have been considering the problems arising with user authentication, using sessions/cookies and the security risks that come up with session hijacking. I understand that using a secure https:// is the most effective method, as well as regenerate_session_id() and using a random string for validation (amongst numerous additional procedures).
My question is this: is there a possibility to incorporate a method that forgoes sessions and cookies, and uses just database held variables?
Here is how I would set it up:
-Have a column in the user table that can hold an IP address, and one that would be a Boolean.
-When the user 'logs in', set the current IP address of the user into the database, and sets the Boolean value to false (if the user doesn't want to be 'remembered') or true (if they do).
-On page load, it checks the current IP address with the one stored in the user database. If it matches, the user is considered valid.
-On window close, the script would then clear those values and the user would be 'logged out'.
-If the user wanted to 'stay logged in' (which I know is a huge security risk) then a toggle (the Boolean value) would simply deactivate the log out script and the IP address would stay stored for the user.
What would be the fallbacks to such a method? Is it even possible?
IP addresses are simply not an accurate and reliable way to uniquely identify a user. The IP may change during the session, and more than one user agent may be using the same outbound IP.
Sorry :-)
I saw this kind of IP check on a system recently, and it was causing numerous problems with users being randomly disconnected all the time (whenever their dynamic IP changes). Just don't do that, IPs can changes so you cannot rely on them.
Most likely, you should take a look at existing authentication methods and try to implement that. Keep it simple.
The existing answers saying "dynamic IP is an issue" are absolutely correct. Consider a mobile device connected via 3g. each time the user walks into range of a new tower their IP changes...
I am currently creating a website that allows anonymous users to input data (or comments) into a database and allows other anonymous users to the site to vote up or down the comments presented on the site.
I have already created the functionality to allow a user to create a comment and allow another user to vote on the comment. The problem I'm having though is thinking how I can limit each visitor to the site to only vote on each comment once.
My idea was to create a session ID when the user votes and then when they try and vote again to try and compare if a session ID already exists. This would work but only until the session is destroyed. Does anyone have any other ideas of how this could be achieved?
I am assuming I might be able to use some of the $_SERVER options available
Thanks in advance
Just restrict the voting with IP's or either Cookies, i also created 3 websites in which i had to take the public voting, earlier i did it with IP's but then i changed back to cookies, i also saved IP's along with setting cookies to check if the users are deleting cookies again and again to vote, but i never had such problem, so my opinion in just go with cookies, because not everyone can find that we are doing it with cookies.
It's impossible to enforce a one-vote policy on an anonymous user system. Like said in a comment above:
Trying to control "Anonymous" is nearly impossible. IP's are shared,
sessions are temporary, cookies can be deleted
You can't identify your clients at 100%, if a user would want, he will be able to bypass whatever means you attempt to use and vote more than once.
Your only reliable option is to enforce registration and only allow registered users to vote.
If you still insist, you can try to make it difficult for users to bypass your enforcing system. Use a combination of the user's IP address, and a lasting cookie, and cross-validate against both to ensure the user doesn't vote twice. But again, do note that a user can easily delete cookies and on most cases, change his IP address.
When you are inserting comments for specific article, store the member (who is commenting) id or name or any thing unique. Put the verification code before inserting the comments ....
Select * from articles where member_commented_id = [current_member_id_from_querystring) and article_id = member_commented_on_article_id
//a check point
if result is > 0 .. its mean member already has commented on this article
//otherwise
add comments on article and insert member id as well for checking
// if you are using seperate table for comments then you have to make additional field in table like
comment_id, comment, com_date, member_id_who_commented, article_id_on_which_commented
Making IP or Cookies check point is not reliable because IPs are changed by the ISP (if set to dynamic IP) and Cookies can be cleared by visitor
Hope this helps you
I would like to make a voting system for my site. I need to check whether a user has voted already. Do I need to store the IP of the user or do I need to store a cookie in the users computer, then make validation if the IP is already used for voting or a cookie is already stored to the user's computer.
Neither of those will give you a flawless script because the user can still clear the cookies or browser a proxy to revote. However I would use both cookies and ip-adress in case the user have a dynamic ip adress or clearing the cookies.
I would suggest do both, as an IP can change and a cookie can be deleted.
Also if you want more accuracy, you can use Flash's LocalSharedObjects also known as FlashCookies to store whether a person has already voted or not. Much less people could/would delete these on regular basis.
i think the best way is have a user registration system to store user information like polling and etc.then you can easily check that user voted already or no ? this way is more secure than others.but for other option that you can consider,you can store user's mac adress.the mac adress is better that ip and cookie.but storing all information help you to have a good vote system.
What is the best way for storing users IDs or usernames so they will not have to login every time?
I want to forward user to the members page if the stored ID or username is compared with the one stored in database.
Is is safe to do it using cookies and how can I do that?
Don't store their username or password in a cookie. Always assume that everyone on the internet can see every cookie on a person's computer. What you should do instead is save the session_id and the IP address they accessed from to your MySQL table, then save the session_id to a cookie. Most browsers will clear session variables when you close the window, but they will not clear cookies. Therefore you first check the session (are they currently logged in), and if they're not logged in then you check the cookie (were the logged in before, and more importantly- was it from this IP address?)
Of course if they have a session_id but they're not at the proper IP address, make them log in. They could just have an ISP with dynamic IPs, or they could have been listening to network traffic and they're trying to get into the admin user without a password.
This feature should be optional to let people log in from internet-cafe and such, not leaving their data open to everyone.
Yes. a cookie is the only possible way to mark a browser.
You have to store some uniqie and unpredictable value there. Generate some hash out of user's data, store it in the database along with other user data and set it as a cookie
The safest way is to require a valid SSL certificate from the browser, and validate the user-agents certificate server sided. However, in any browser I've seen installing such certificates is a big enough pain & hurdle for users that it's probably not suited for a public website. It can however sometimes be seen in intranets.
I just wrote this solution for anyone else who is interested.
http://rabbie.id.au/my-elegant-remember-me-solution-using-php-mysql-and-cookies/
With my sites, I use a custom written Session class. This stores a sess_id and sess_hash in a cookie, which is unique for the current user. An IP address is also stored in the database, and checked against the current IP to verify it is the same computer, but that is not the main authentication mechanism. Data is then stored, serialised and base64'd in the database. I would advise against using PHP Sessions, because they can be accessed by any user with the ID. Someone posting a link to something with the PHPSESSID in it, can, for example, let them log into their account.