I'm making a survey site and I'm trying my hardest to avoid user logins - I want people who answer my surveys to be anonymous members of my university, who open a link and answer the questions directly. So I'm tracking questions/surveys finished by the user through session variables.
But what I don't want is one user submitting tens of questions/surveys by clearing cookies and thus effectively resetting his/her sessions. Anyone know how to deal with this?
(If anyone thinks of other ways by which people can make multiple submissions, let me know that too! I'm also looking at articles to prevent same users using different browsers)
Never trust the user. Ever.
You have a few options. All have pros/cons
By IP address - limit responses to 1 IP address per computer. This suffers from dynamic IP address problems, as well as allowing only one response per computer that holds its IP for long periods
Send single use response token - Send every respondent a unique link. Each link contains a single-use token that may be redeemed to take one survey.
Collect their email address - Redact this information in the results. I'm not sure of your setup, but I thought I'd mention this in case you're just the data middle-man
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PHP and then check against all of those as the user moves between sites. However, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I don't know what the configuration of your server is, but if one site is under something.domain.com and another under something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use URL rewriting and the cookie-sharing-over-subdomains option in PHP. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great; imagine what would happen if there were. You can NEVER trust user data or header data, while sometimes you cannot even trust the $_SERVER array. So there is no option to recognize the same user over a few domains.
1) The only answer that is useful is to suggest that you share the user MySQL table, and make all the logins and passwords the same for each site. In that case someone can log in to another site using the same data.
2) You can try to rely on second-hand services like a Google account or Facebook account to verify users on your site. But you must remember that there are people without Gmail and Facebook, and the availability of such a site will be reduced.
3) Use a service like forever cookie, or something like that, but this is also not 100% sure. It uses HTML5 storage, Flash objects, and everything to verify if this is the same user. But as far as I know, everything can be omitted if you are patient enough.
Best regards!
I am developing a program that only allows the same computer to view a specific page once, and after that I am blocking access to that page.
My question is, the IP address works ok but some users have a new IP every time they visit the site. I have come across other sites in the past that use some other means of tracking users, as even with a different IP on the same computer I can't view restricted content.
Anyone have any thoughts?
What are the other option(s) to the IP Address?
The best you can do is tie up the functionality to a user account. That way, you have control over what the user sees.
Tying up to a machine isn't reliable.
IPs change frequently or can be spoofed. What if the user used proxies?
UAs can also be spoofed
Cookies can be disabled or deleted
LocalStorage can also be deleted and is not widely supported
Basically, a user has all the freedom to be free from your restrictions unless they opt to sign up with your service. That's what you call privacy as well.
And did you ever think when users share PCs? What if your dad got blocked on your laptop? You can't view it on your laptop anymore.
There isn't one method that you can use to be unique to any one computer.
You can set a cookie on that browser, but the user could use another browser or just delete the cookie.
There are 3rd party services that run a flash module to get computer specific data to create a guid that you can use, but that's more expensive and also requires the user to load your flash module, which means it wouldn't work on some mobile browsers.
If the page is not public and is sent to the user (i.e. by email), you can generate the URL with an ID, and then invalidate the ID once the page is visited.
This is the usual approach used by email validation pages.
I'm currently working on my Referral System, but I have a problem with protecting it from fraud.
Okay, here's how it works for now:
user registers and activates their account
user now has access to the control panel, and there is their unique link in the following format: domain.tld/ref/12345
when someone else clicks the user's link, he or she must click a specific button to confirm that it is not some kind of fraud (like "click here, you'll get $100" or something)
system writes the visitor's IP in a database and some data to cookies to prevent re-pressing the button. The user now has +1 point.
But the problem is that the visitor can change their IP, clear cookies and hit the button again. It takes a few seconds, and that's not OK, that's cheating.
How to prevent it? Is there some trick to get some unique computer ID or something can't be changed that easy?
Really the only options are to tie the process to something which is not so easily manipulated by the user - super cookies, browser fingerprints, OpenID, email addresses and telephone numbers (the latter 2 using some sort of validation step before a vote is counted)
The only way you can be certain a referred party does not reuse a referral code is for the original user to send different one-time-use-only referral URLs to each person. Once the code has been used, it is flagged as such in (or removed entirely from) your database so that it can not be used again.
How you prevent the original user from sending multiple links out to the same person is another matter - and not an easy one to resolve.
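The single-use link that three answers on this page recommend (the per-respondent survey token, the email-validation URL that is invalidated after one visit, and the one-time referral URL above) is the same mechanism each time. The following is an added example, not code from any of those answers; it assumes a PDO connection (an in-memory SQLite database here so it runs stand-alone), a hypothetical `invites` table, and a made-up `https://example.invalid/ref/` link prefix. Only the hash of the token is stored, and redemption is a single conditional UPDATE so that two concurrent requests with the same link cannot both succeed.

```php
<?php
// Added example: single-use invite / survey / validation links.
// Assumptions: PDO + SQLite in-memory, a hypothetical 'invites' table, a made-up link prefix.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invites (
    token_hash  TEXT PRIMARY KEY,   -- only the hash is stored: a DB leak does not leak usable links
    referrer_id INTEGER NOT NULL,
    expires_at  INTEGER NOT NULL,
    used_at     INTEGER             -- NULL until redeemed
)');

// Issue one link per invitee. The raw token is returned once and never stored.
function issueInvite(PDO $db, int $referrerId, int $ttlSeconds = 7 * 86400): string {
    $token = bin2hex(random_bytes(16));    // 128 bits from the CSPRNG, not a guessable counter
    $stmt = $db->prepare('INSERT INTO invites (token_hash, referrer_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $referrerId, time() + $ttlSeconds]);
    return 'https://example.invalid/ref/' . $token;   // hypothetical domain
}

// Redeem atomically: the UPDATE matches only a token that is unused and unexpired,
// so a second request with the same link (or a race between two) gets rowCount 0.
// Returns the referrer who earns the point, or null if the link is unknown, used or expired.
function redeemInvite(PDO $db, string $token): ?int {
    $hash = hash('sha256', $token);
    $now  = time();
    $stmt = $db->prepare(
        'UPDATE invites SET used_at = ? WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?'
    );
    $stmt->execute([$now, $hash, $now]);
    if ($stmt->rowCount() !== 1) {
        return null;
    }
    $row = $db->prepare('SELECT referrer_id FROM invites WHERE token_hash = ?');
    $row->execute([$hash]);
    return (int) $row->fetchColumn();
}

// Constructed usage: referrer 12345 hands out one link, the invitee follows it twice.
$link  = issueInvite($db, 12345);
$token = substr($link, strrpos($link, '/') + 1);
foreach ([$token, $token, bin2hex(random_bytes(16))] as $attempt) {
    $who = redeemInvite($db, $attempt);
    printf("redeem %s... -> %s\n", substr($attempt, 0, 8), $who === null ? 'refused' : "credit user $who");
}
```

The first redemption credits the referrer, the repeat of the same link and the random token are both refused. This closes the "clear cookies, change IP, press again" hole because the visitor no longer holds anything reusable; what it cannot do, as the answer notes, is stop the referrer from mailing several distinct links to the same person.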
Who do you perceive to be the threat?
Although it's certainly not 100% accurate, you can still fingerprint visitors using, for example, a combination of their IP, browser user agent, and, with some JavaScript, you can even go for screen size or installed fonts. Using these pieces of information you can set up a system where you save the fingerprints in a data table and in the same record store the session id (from the cookie). Now when a new visitor arrives you can test their fingerprint against the db of recent fingerprints with different visitor ids. If you find a large number of matching fingerprints (you define the threshold) with different sessions, then you can alert for the possibility of fraud.
Cheers
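The fingerprint-versus-session comparison described in the answer above, written out as an added example (not the answerer's code). It assumes the screen size and font list arrive as POST fields filled in by client-side JavaScript, uses an in-memory SQLite table so it runs stand-alone, and the one-hour window and threshold of 3 are arbitrary assumptions. Every input is client-controlled, so the result is a flag for review, not proof that two sessions are the same person.

```php
<?php
// Added example: flag many distinct sessions that share one coarse fingerprint.
// Assumptions: PDO + SQLite in-memory, a hypothetical 'visits' table, arbitrary window/threshold.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (
    fingerprint TEXT NOT NULL,
    session_id  TEXT NOT NULL,
    seen_at     INTEGER NOT NULL,
    UNIQUE (fingerprint, session_id)
)');

// Reduce a request to a fixed-size fingerprint. The field list is an assumption;
// the JavaScript-collected values are taken from POST parameters here.
function fingerprint(array $server, array $post): string {
    $parts = [
        $server['REMOTE_ADDR'] ?? '',
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        $post['screen'] ?? '',     // e.g. "1920x1080x24", posted by client-side JS
        $post['fonts'] ?? '',      // canonicalised font list, posted by client-side JS
    ];
    return hash('sha256', implode("\n", $parts));
}

// Record the (fingerprint, session) pair and return how many distinct sessions have
// carried this fingerprint inside the window. The UNIQUE constraint keeps the same
// session from inflating its own count on every page load.
function recordAndCount(PDO $db, string $fp, string $sessionId, int $windowSeconds = 3600): int {
    $now = time();
    $db->prepare('INSERT OR IGNORE INTO visits (fingerprint, session_id, seen_at) VALUES (?, ?, ?)')
       ->execute([$fp, $sessionId, $now]);
    $stmt = $db->prepare(
        'SELECT COUNT(DISTINCT session_id) FROM visits WHERE fingerprint = ? AND seen_at > ?'
    );
    $stmt->execute([$fp, $now - $windowSeconds]);
    return (int) $stmt->fetchColumn();
}

// Above the threshold, hold the action for review rather than silently rejecting it:
// a shared NAT plus a common browser build produces identical fingerprints for real people.
function looksLikeFraud(PDO $db, array $server, array $post, string $sessionId, int $threshold = 3): bool {
    return recordAndCount($db, fingerprint($server, $post), $sessionId) >= $threshold;
}

// Constructed requests: one client clears cookies and presses the button three times,
// getting a fresh session id each time while the fingerprint stays the same.
$server = ['REMOTE_ADDR' => '203.0.113.7',
           'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0',
           'HTTP_ACCEPT_LANGUAGE' => 'en-GB'];
$post   = ['screen' => '1920x1080x24', 'fonts' => 'Arial,DejaVu Sans'];
foreach (['sess-a1', 'sess-b2', 'sess-c3'] as $i => $sid) {
    printf("press %d: flagged=%s\n", $i + 1, looksLikeFraud($db, $server, $post, $sid) ? 'yes' : 'no');
}
```

The third press trips the threshold. Changing the IP between presses changes the fingerprint and defeats this particular check, which is why the answer positions it as an alert, not a gate; the single-use link approach elsewhere on this page is the only one that does not depend on recognising the client.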
How about storing the link with the user when they navigate to the link. Then in the database you will have the link, and if the user has already been to the link, deny them. Seems like it could work; then you wouldn't have to worry about the cookies etc...
Is it possible for PHP (or JavaScript in the worst case) to create a unique id for a user that is not cookie or IP dependent? I have seen on myminicity.com that on each city the count only goes up once a day (it has a unique id for everyone, I think), and even if I delete my cookies and refresh my IP it still seems to detect me as having visited already, and I want to make this system for me. I have seen lots of people saying it's not possible, and if it really isn't, what's the best alternative?
EDIT
Now I have the idea that I could use a mix of multiple cookies (with multiple methods of identification), multiple localStorage values (same as the cookies), MySQL database IP tracking and Flash cookies, and if any one of them is found, the user has visited before today.
There are several pieces of information a user agent sends to the server. See for example Panopticlick to see how unique your browser is. Another option would be to use Flash cookies, which are harder to reject and delete.
You could generate a GUID per computer, assuming that you can figure out some way to store it such that the user can't delete it (good luck).
Most sites that do things like this store the IP address in a database on the server and identify "users" that way. Using JavaScript you can combine IP address and MAC address to allow for multiple people behind a NAT gateway.
myminicity.com uses your IP range to detect which region you are coming in from... It is called IP base geolocation. There are free and paid services for this. Google "IP based geolocation" ... You can learn more about it at http://en.wikipedia.org/wiki/Geolocation_software
Some of the $_SERVER variables can be used to generate a computer ID. For example:
// LOCAL_ADDR / LOCAL_PORT are only populated under IIS; on other SAPIs the keys are
// missing and would raise an "undefined index" notice, so default every part to ''.
$id = ($_SERVER['HTTP_USER_AGENT'] ?? '') . ($_SERVER['LOCAL_ADDR'] ?? '') . ($_SERVER['LOCAL_PORT'] ?? '') . ($_SERVER['REMOTE_ADDR'] ?? '');
The values of $_SERVER can be faked; however, it will still add an extra layer of security that does not rely on cookies or your IP address.
How do I prevent a user from logging in from 2 locations at the same time? A username and password can only be used by 1 person at the same time.
Please send me the code in PHP.
// Assumes a $user object exposing hasOpenSession() and login(), and a $context
// that can send the browser to a "forbidden" page; neither is defined in the answer.
if (!$user->hasOpenSession()) {
    $user->login();                    // no session elsewhere: let them in
} else {
    $context->forwardToForbidden();    // already logged in somewhere: refuse this one
}
Update the users table on login with the IP address and login time. Clear the IP on session timeout or if the user logs out. Check this IP address upon login to make sure it matches up. Only check $_SERVER['REMOTE_ADDR']; you don't want to look at X-Forwarded-For because that could be anything.
Keep a field in the database that keeps track of active sessions. We can give you other pointers, but without more effort and information on your part, it's impossible to provide code.
The problem with restrictions based on the IP address with which the user logged on is that, in some cases, it could be the same legitimate user from the same machine/browser but with distinct IP addresses.
One case (quite rare I suppose) could be a pool of HTTP proxies that would use distinct IP addresses to make requests to your server (even though the actual user/browser/machine is the same). Another case, which I think we might see more and more, is the case of mobile devices: a mobile device could potentially travel and re-associate with different access points and networks, therefore jumping from one IP address to another. In this case, you'd have to force your user to log on again every time. I'm not sure how big this problem is at the moment, but that could be possible for people travelling on trains or similar (depending on how they access their network).
I think a better solution could consist of destroying any other sessions/authentication cookies you have for that user whenever they log on or log out (and perhaps implementing a time-out if they forget to log out).
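The "destroy the user's other sessions on login, plus an idle timeout" design in the answer above, as an added example that is not the answerer's code. It assumes the application keeps its own table of active sessions (a hypothetical `active_sessions` table in an in-memory SQLite database so it runs stand-alone), that the session id is handed to the browser in an HttpOnly/Secure cookie, and a 15-minute idle timeout chosen arbitrarily. It deliberately does not compare IP addresses, which is what breaks for the proxy-pool and roaming-mobile cases described.

```php
<?php
// Added example: one active session per user, newest login wins, idle timeout.
// Assumptions: PDO + SQLite in-memory, a hypothetical 'active_sessions' table, 15-minute timeout.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (
    session_id TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    last_seen  INTEGER NOT NULL
)');

const IDLE_TIMEOUT = 15 * 60;   // assumed idle timeout in seconds

// Called only after the password check has succeeded. Every other session for this
// user is revoked in the same transaction, so a login from a second location logs
// the first one out instead of being compared against a stored IP address.
function login(PDO $db, int $userId): string {
    $sid = bin2hex(random_bytes(32));          // 256-bit session id from the CSPRNG
    $db->beginTransaction();
    $db->prepare('DELETE FROM active_sessions WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO active_sessions (session_id, user_id, last_seen) VALUES (?, ?, ?)')
       ->execute([$sid, $userId, time()]);
    $db->commit();
    return $sid;   // set as an HttpOnly, Secure, SameSite cookie by the caller
}

// Called on every request. Returns the user id, or null if the session was revoked by
// a newer login, never existed, or sat idle past IDLE_TIMEOUT (in which case it is removed).
function currentUser(PDO $db, string $sid): ?int {
    $stmt = $db->prepare('SELECT user_id, last_seen FROM active_sessions WHERE session_id = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (time() - (int) $row['last_seen'] > IDLE_TIMEOUT) {
        logout($db, $sid);
        return null;
    }
    $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE session_id = ?')
       ->execute([time(), $sid]);
    return (int) $row['user_id'];
}

function logout(PDO $db, string $sid): void {
    $db->prepare('DELETE FROM active_sessions WHERE session_id = ?')->execute([$sid]);
}

// Constructed scenario: user 42 logs in at home, then again at work.
$home = login($db, 42);
$work = login($db, 42);
printf("home session still valid: %s\n", currentUser($db, $home) === null ? 'no' : 'yes');
printf("work session still valid: %s\n", currentUser($db, $work) === null ? 'no' : 'yes');
logout($db, $work);
printf("work session after logout: %s\n", currentUser($db, $work) === null ? 'gone' : 'still there');
```

After the second login the home session is gone and only the work session answers. If the requirement is instead to refuse the second login while an unexpired session exists (the behaviour the earlier `hasOpenSession()` snippet describes), replace the DELETE in `login()` with a SELECT for an existing row whose `last_seen` is within `IDLE_TIMEOUT` and return an error when one is found; the idle timeout then also decides how long a user who closed the browser without logging out stays locked out of the second location.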