I am writing a voting plugin for my Wordpress site. I would like for a client to be able to vote without logging in. What I have done is I have used $_SERVER['REMOTE_ADDR'] to only allow each client to vote once. Since the voting also uses AJAX, the voting is quick and easy.
However, I have run into a problem with mobile devices as they don't have unique IP addresses. What solution can I use to make sure that people cannot spam the vote button (or if someone double clicks on it, that two votes are not registered etc.) on a mobile device?
This does not need to be a fool-proof method. I realize that $_SERVER['REMOTE_ADDR'] is not foolproof either (although if anyone has any fool-proof ideas that can be implemented easily, I'd love to hear those as well).
Related
I've build two seperate browsergames and I want them to share the same login system. So that if you have one account which you use for both games. I want this because of payment reasons (if they buy something I have to pay per website so I want all payments to come from one website) and user experience (why sign up multiple times?).
But when they first sign up and login I do not want to redirect them to the centralized system because I want the sign-up/login-proccess to be as simple as possible because I'm afraid they'll lose interest.
So I was thinking about letting them sign in to the website normally and then using cURL to send the requests to the centralized website by building an API.
I am however wondering if this is a good approach because none of the websites are on the same network. I guess I'll have to build the centralized login system in such a way that it only accepts requests from the domains the games are on. But are there any other things I have to worry about? How should I send for example passwords? Because sending them plain text seems like a horrible idea so I guess I'll have to hash them on the side of the game. I guess I'll have to make a small copy of the users table for for example the username and user_id.
I don't want to use for example OpenID or Facebook Connect or something because that does mean redirecting to an external system (which is bad for user experience) and the average age off players on the website is about fourteen, so they have no clue about OpenID and I don't want to force them to connect their Facebook accounts to my websites.
Also I'm sorry if I'm unclear or writing in bad English, I'm not a native and having a hard time expressing myself the right way.
Thanks in advance!
If I were you, i'd create a API for registration system.
Website A (game1) uses that API to create accounts and verify them, same does the website B.
API would validate data, respond with errors (username taken etc), or return success messages. It should be protected (LAN access only or some authentication)
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I can do this using IP checks but that would be stupid if if the user had dynamic ip adress, then another option is cookies but that would also be stupid for many reasons - one being that its client side.
So then, i think mac address will be the thing to use, but i have no idea how to grab the mac address using php or javascript.
I think if this is possible, then it will be via js because it is client side
So any suggestions?
Why is it 'stupid' to use client-side information for authentication, that's where you'll be getting the username and password from and you're likely trusting that already
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password you could encode some other browser specific fields (exact UA header?) into the cookie to add more data you can use to decide if the client is trusted
That's more a comment than an answer:
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I'm not the author of that feature from facebook, so I don't have the specification of that feature at hand. If you would be so kind and add the specification of the feature you ask a question about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution
I can use this api http://ipinfodb.com/ip_location_api.php And grab the location of my users and if it changes ask them to verify device.
I'm designing a simple web app for some elderly family members, 1 of whom has Alzheimer's. The end goal is to provide them each with a tablet (probably Android but irrelevant for this problem) that would be stripped down to ideally 1 bookmark on the home screen which opens my web app.
What I am looking for are ideas on how to identify the user without the conventional username/password methods. With their condition I know that remembering an username is going to be almost impossible, let alone a password. Ideally I would recognize the device and relate that to a specific user.
There will be other users on the app that access it through normal methods (username+password on PC/mobile/tablet), which I'm handling with Zend_Auth. It's just these 2 users who I am concerned about identifying.
Security isn't a huge concern as the data will not be sensitive in any way, but I still need to differentiate between users.
I am building this in php with Zend Framework. I'm really looking for more ideas than specific code, although anything based in php or javascript would be great. Any ideas or suggestions would be greatly appreciated. Thanks for your help
These advice are only valuable if security is not an issue :
On the bookmarks page, insert a token in the link, which you will use to authenticate the users.
if you can, check in the background for IP/user agent (if there is only one device that needs this simplified auth process, and assuming it's connection uses a fixed IP address)
And a simple idea if you have multiple users using the same device :
on your bookmark page, put a picture of each user
make it clickable, with the token discussed above in the href of the link.
That's simple to implement and easy to remember.
Hope that helps !
I am a web developer and I want to design a commercial website to sell a customer's product. Sell and buy activities are important and I need to maintain user activity information to keep the site secure.
I want to write a dynamic website. I want to control all user activity and then decide whether to save user activity information in a database. Some of site's visitors are registered users and some are anonymous. I want to save online information such as ip address, username, page name, and date/time for my registered users.
I want to know:
How do I save a user's IP address?
What more do I need to save?
Saving each HTTP request details into database will work for low traffic web sites, but you will have performance issues in case of popular website, since writing to database in relatively slow operation.
Why not to use server HTTP logs instead?
All HTTP web servers create plain text log files which record remote user IP address, URL requested, etc. You can create activity report by writing your own script or using log file report tools. AWStats ( http://awstats.sourceforge.net/ ) is one of the most popular open-source tools for this.
On client side you can use Google Analytics to track user activity. It also provides means to track custom events:
_gaq.push(['_trackEvent', 'login', 'user_login', "custom data"]);
More info at: http://code.google.com/apis/analytics/docs/tracking/asyncUsageGuide.html
This option only tracks users with JavaScript enabled, so it won't show bots, crawlers or users having analytics blocking addons installed.
I'm not sure I understand all of your question...but to address at least one aspect of it, if the user is behind a proxy, then you have no way of determining what their real IP is. That's the whole point. The proxy is the one making the request and then forwarding it. Without asking the proxy yourself, you cannot determine that. With regards to what else you need to save, it depends entirely on what you want to do and you haven't done a good job of explaining why you are saving this data. If you can clarify that, perhaps we can help you a bit more in determining what data you should be saving.
Edit To address your clarification, if you wanted to be crazy, you could log everything that a person does. Every link they click, every product they view, etc. I don't necessarily advocate that as I find it a bit creepy, but there are definitely sites that do it. At the bare minimum, I would suggest logging what products people look at and then what products they buy. I would also log that information on a per-session basis. Basically, what products do people look at and then end up buying on the same trip to your store. I wouldn't worry too much about the "real" IP address. Most people won't be behind a proxy and those that are, you can't do anything about anyway.
How do I save a user's IP address?
$_SERVER['REMOTE_ADDR']
What more do I need to save?
That's quite strange question. It's your application, not someone's else. How can we guess what information you need?
However, at least one issue I can point out: a page name is not sufficient to log "all user activity". Query string and POST data usually contains important details on that activity.
I am willing to implement website where will be top 10 best members' pictures or something like that. Before voting for pictures or uploading pictures people will have to register first. But how could I protect my website from multiple accounts? Store IPs to database? But will it help me while there thousands proxies out there? What should I do? Thank you.
edit: maybe I could make accounts paid, for examples 0.99$ for month via paypal and somehow do no let people register twice with the same paypal and IP? Is it possible?
Use a confirmation code that is sent to mobile no upon registration. and confirm it. like google.
You can't stop it, but you can make it difficult and do things to detect it like you said with the IP's.
You can get a lot of data from user, not only IP but also browser version, sended headers in request, even resolution etc. with javascript. Rosolve IP to region etc. But it's not simple to write a system that would search all of that data for similarities.
You can also set cookies or even do a little swf object with cashed some information on user local hdd.
You can send mail confirmation... and don't allow multiple users from the same mail!
This is fast and easy to implement :)