Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I can do this using IP checks but that would be stupid if if the user had dynamic ip adress, then another option is cookies but that would also be stupid for many reasons - one being that its client side.
So then, i think mac address will be the thing to use, but i have no idea how to grab the mac address using php or javascript.
I think if this is possible, then it will be via js because it is client side
So any suggestions?
Why is it 'stupid' to use client-side information for authentication, that's where you'll be getting the username and password from and you're likely trusting that already
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password you could encode some other browser specific fields (exact UA header?) into the cookie to add more data you can use to decide if the client is trusted
That's more a comment than an answer:
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I'm not the author of that feature from facebook, so I don't have the specification of that feature at hand. If you would be so kind and add the specification of the feature you ask a question about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution
I can use this api http://ipinfodb.com/ip_location_api.php And grab the location of my users and if it changes ask them to verify device.
Related
I have to make a Website where users can vote only once. I tried to register them in my db using their IP address with $_SERVER['REMOTE_ADDR'] but i did some research and found out that in some cases multiple users can have the same IP (using the same wifi or the IPS sharing IP's between them). Also, i don't want them to make an account to be able to vote, or log in with facebook, google, etc...
Is there any way to do this with PHP?
Just have a quick glance at https://github.com/samyk/evercookie. Your search will end there.
You can store to DB a fingerprint and then compare it like you did before with an IP address
https://github.com/Valve/fingerprintjs
or u can make your own fingerprint by storing user's device, it width,height,timezone,etc
But it'll fail if someone will vote with other device.
I think it must works like an Antifraud systems, but they're based on the same way I wrote.
I am writing a voting plugin for my Wordpress site. I would like for a client to be able to vote without logging in. What I have done is I have used $_SERVER['REMOTE_ADDR'] to only allow each client to vote once. Since the voting also uses AJAX, the voting is quick and easy.
However, I have run into a problem with mobile devices as they don't have unique IP addresses. What solution can I use to make sure that people cannot spam the vote button (or if someone double clicks on it, that two votes are not registered etc.) on a mobile device?
This does not need to be a fool-proof method. I realize that $_SERVER['REMOTE_ADDR'] is not foolproof either (although if anyone has any fool-proof ideas that can be implemented easily, I'd love to hear those as well).
I want to implement a referral program for my SaaS product.
The partner will have a link on their website that will direct their user to my signup form:
domain.com/referral/201030
"201030" being the member id from the partner site.
I want to make sure the page request came from my partner site,
I know I could check $_SERVER['HTTP_REFERER'] but that is not secure.
Is there a way I can check the IP address of the site referring the user to my webpage with PHP?
When do you need high security?
For an API for example, you want to track the incoming traffic and make sure only authenticated clients can access the API. This needs higher security standards and exchange of public keys and secrets.
When not?
A referral program doesn't need this kind of security.
The more traffic you have, the better for you. You don't care where the lead is coming from. When I send my partner program link to someone via messenger, there is not even a HTTP_REFERER.
Is it even possible?
It is very difficult impossible to make sure where the user is coming from without serverside interaction, obfuscation and dynamic links.
Any chance?
The only way, using a static link, is $_SERVER['HTTP_REFERER']. You can downvote the answer now, but it doesn't change the fact that there is no way, with a simple, non-dynamic link like shown in the question.
Turn the referer into an IP
To turn the HTTP_REFERER into an IP:
$urlParts = parse_url($_SERVER['HTTP_REFERER']);
$ip = gethostbyname($urlParts['host']);
Keep in mind, this is not reliable nor secure in any way.
For a project I am working on, I think having the functionality to sign in with facebook/ twitter would be beneficial.
I have some design theory to iron out.
When the user first logs into the website using either twitter or facebook, I'll get their email and other relevant information and store it in the database where a normal signed up user would be stored.
When they return, they would log in with twitter/ fb again and it would locate the information in the database and not add it again.
If anyone tried to sign up with the email address provided by either of these services, an email would be sent to the email address to confirm it is them and then they could generate just a password to allow them to log in with information already stored.
I could they link other data on the website to the userid I have stored for them throughout the entire process.
So my query would be whether this is the correct way to go about this?
How have others used these types of login api's and then binded them to on site data?
I believe this to be a reasonable question but if I have placed it in the wrong section, please feel free to move it!
Thanks.
well, everything should be written here http://developers.facebook.com/ also try using php sdk for facebook api, for twitter here https://dev.twitter.com/
Create an app in both fb and twitter, take the access token and access token secret
You should download all the files necessary and then configure them as is written in manual, if you will have trouble connecting to them write me a message to my mail(jurijs.nesterovs#inbox.lv) i'll try to help
Have done that before myself for my site. It was Fb/Twitter/Google. I bet thats the best thing to do. Google's API is the easiest out of these 3. Twitter was hard for me since I dont use OOP and all the libraries out there was OOP.
And about your design, my site was made not to not allow the user to join with the same email again. If they have joined using Facebook with an email, when they try to join using twitter with the same email, I would tell the user that they are already registered using Facebook.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Unique IPs in a voting system
I am developing a small web app where it needs an online voting system using php for my college event. I was obtaining IP Address and storing it in database to prevent repeated voting from same user. But then I remembered that my college uses a proxy server so obtaining IP address is useless.
I tried accessing and storing Mac Address of the client using javascript.. I tried out a few examples that i found on the internet.. but none of them worked.
Can you guys suggest me an alternative to how can I get the results I want??
Any sort of help would be heartily appreciated.
Regards,
Aayush Shrestha
Nepal
Have them enter their email addresses and send a link to their email that allows them to vote. The link should include some hash of their email and you would have to check if they have already voted or not.
I realize that a student could enter multiple email addresses and vote multiple times, but how many emails does a student really have? And how much time would they spend doing something like that?
I'm guessing you don't have access to any sort of authentication system through your college, so this is probably the best way.
Edit:
Another idea is to use Facebook authentication (see: http://developers.facebook.com/docs/authentication/). The downside is that you have to assume that all voters have facebook accounts.
First get the user to register an email address so they can use the voting system subsequently associated with that address.
Once you have an email address (that is validated with a activation link sent to that email), then you can gather voting related input from the user.
There is really no effective, platform-independent way of preventing repeated voting unless you enforce user certificates, etc.
The only 100% airtight way to do this would be to make users create accounts that require some personally unique information to prevent a user from making multiple accounts.
The closest you can come without a login system is the Evercookie library, which stores a UUID in about a dozen different places in the user's browser. It's very difficult to clear them all out (even using a privacy mode in the browser), so if you give an Evercookie to a user when they vote, you can probably spot someone who has voted before.
Note that this stops repeat voting on the machine level, not the user level (a machine may haave multiple users, and a user may have multiple machines, which might enable repeat voters or block eligible voters).