I was wondering how to get the current users online and their IP address.
I know how to get a client's IP address and I know how to use cookies and sessions for current users.
What I need is the logic to get the IP of the current user, and if the user leaves the site, it will stop tracking the user and stop getting the user's IP.
Is that possible?
Have a look at print_r($_SERVER) - there's loads of info in there about the current user.
If the user leaves the site, you can't detect that immediately - but you can keep a track of the last time you saw a user in your database, and if you don't see a user for (say) 20 minutes, invalidate their cookie.
Edit: one thing you could do is have a periodic AJAX operation that says 'this user is still here' every 30 seconds or so. However this arguably puts more stress on your web server than is necessary - the earlier option I outline is probably better.
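The "last seen" approach from the answer above, as an added example that is not part of the original post. The `presence` table, the function names and the sample addresses are assumptions made for this sketch; it uses an in-memory SQLite database through PDO so it runs on its own.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 20 * 60; // seconds; the 20-minute window suggested above

// Call on every request: insert or refresh the row for this session.
function recordHit(PDO $db, string $sessionId, string $ip, int $now): void
{
    $db->prepare('REPLACE INTO presence (session_id, ip, last_seen) VALUES (?, ?, ?)')
       ->execute([$sessionId, $ip, $now]);
}

// Drop rows idle past the limit, then return the sessions still counted as online.
// Deleting the row is what "stops tracking" a visitor who has left.
function onlineUsers(PDO $db, int $now): array
{
    $db->prepare('DELETE FROM presence WHERE last_seen < ?')
       ->execute([$now - IDLE_LIMIT]);
    return $db->query('SELECT session_id, ip FROM presence ORDER BY session_id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data. In a real request the arguments would be
// session_id(), $_SERVER['REMOTE_ADDR'] and time().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE presence (
    session_id TEXT PRIMARY KEY,
    ip         TEXT NOT NULL,
    last_seen  INTEGER NOT NULL
)');

$t0 = 1700000000;
recordHit($db, 'sess-a', '192.0.2.10', $t0);
recordHit($db, 'sess-b', '198.51.100.7', $t0 + 600);

print_r(onlineUsers($db, $t0 + 900));   // 15 minutes after sess-a was last seen
print_r(onlineUsers($db, $t0 + 1500));  // 25 minutes after sess-a was last seen
```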
You can get the IP of the user using this:
$ipAddressOfUser = $_SERVER["REMOTE_ADDR"];
Related
Let me start by stating this: I absolutely do not wish to bypass the captcha.
I am using a particular website (let's call it "Swidili"), that shows a list of websites based on a theme and ordered by votes they got from the users. These votes are limited by IP address and time (one per hour).
I wish to gift something to the users of my own website (let's call it "Badada") that vote for my website on Swidili. My issue is that I have no way of knowing if a user really voted. There is a cookie response that you get when you vote (vote=y) that lasts an hour (or until you can vote again).
Obviously, I can't read the users cookies from another domain. There is also no API made available by the owner of Swidili. I tried contacting him, but he does not seem to wish to answer me. Since it has now been a couple of months, I'm trying to find another way.
The solution that I thought of would be to show the captcha on my website, and then send with curl the result of that captcha. That way, the user is able to vote, and I can check if the vote is real by getting the cookies back from curl. Unfortunately, that does not seem to be possible, since ReCaptcha2 is limited to specified domains.
I have asked other webmasters, and they seem to have found a solution, but refuse to share it with me. I was wondering if there could be another way to get this cookie. Am I doomed?
I'm making a survey site and I'm trying my hardest to avoid user logins - I want people who answer my surveys to be anonymous members of my university, who open a link and answer the questions directly. So I'm tracking questions/surveys finished by the user through session variables.
But what I don't want is one user submitting tens of questions/surveys by clearing cookies and thus effectively resetting his/her sessions. Anyone know how to deal with this?
(If anyone thinks of other ways by which people can make multiple submissions, let me know that too! I'm also looking at articles to prevent same users using different browsers)
Never trust the user. Ever.
You have a few options. All have pros/cons
By IP address - limit responses to 1 IP address per computer. This suffers from dynamic IP address problems, as well as only one response being allowed per computer that holds its IP for long periods
Send single use response token - Send every respondent a unique link. Each link contains a single-use token that may be redeemed to take one survey.
Collect their email address - Redact this information in the results. I'm not sure of your setup, but I thought I'd mention this in case you're just the data middle-man
I'm currently working on my Referral System, but I have a problem with protecting it from fraud.
Okay, here's how it works for now:
user registers and activates its account
user now has access to the control panel, and there is its unique link in the following format: domain.tld/ref/12345
when someone else clicks the user's link, he or she must click a specific button to confirm that it is not some kind of fraud (like "click here, you'll get $100" or something)
system writes the visitor's IP in a database and some data to cookies to prevent re-pressing the button. User now has +1 point.
But the problem is that the visitor can change its IP, clear cookies and hit the button again. It takes a few seconds, and that's not OK, that's cheating.
How to prevent it? Is there some trick to get some unique computer ID or something that can't be changed that easily?
Really the only options are to tie the process to something which is not so easily manipulated by the user - super cookies, browser fingerprints, OpenID, email addresses and telephone numbers (the latter 2 using some sort of validation step before a vote is counted).
The only way you can be certain a referred party does not reuse a referral code is for the original user to send different one-time-use-only referral URLs to each person. Once the code has been used, it is flagged as such in (or removed entirely from) your database so that it can not be used again.
How you prevent the original user from sending multiple links out to the same person is another matter - and not an easy one to resolve.
Who do you perceive to be the threat?
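The single-use tokens suggested for the survey and the one-time-use referral URLs suggested here are the same mechanism, shown below as an added example that is not part of the original posts. The `tokens` table, the function names and the `survey.example` URL are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Issue a token: 128 bits from the CSPRNG. Only its SHA-256 hash is stored,
// so a leaked table does not hand out redeemable links.
function issueToken(PDO $db): string
{
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO tokens (token_hash) VALUES (?)')
       ->execute([hash('sha256', $token)]);
    return $token;
}

// Redeem atomically: the UPDATE matches only a row that is still unused,
// so two concurrent requests carrying the same token cannot both succeed.
// A separate SELECT followed by UPDATE would leave a race window.
function redeemToken(PDO $db, string $token, int $now): bool
{
    $stmt = $db->prepare(
        'UPDATE tokens SET used_at = ? WHERE token_hash = ? AND used_at IS NULL'
    );
    $stmt->execute([$now, hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

// Constructed demo using an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tokens (
    token_hash TEXT PRIMARY KEY,
    used_at    INTEGER NULL
)');

$token = issueToken($db);
echo 'https://survey.example/take?t=' . $token, PHP_EOL; // link sent to one respondent

var_dump(redeemToken($db, $token, time()));               // first use of the link
var_dump(redeemToken($db, $token, time()));               // same link replayed
var_dump(redeemToken($db, str_repeat('0', 32), time()));  // a token that was never issued
```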
Although it's certainly not 100% accurate, you can still fingerprint visitors using for example a combination of their IP, browser user agent, and with some JavaScript you can even go for screen size or installed fonts. Using these pieces of information you can set up a system where you save the fingerprints in a data table and in the same record you store the session id (from the cookie). Now when a new visitor arrives you can test their fingerprint against the db of recent fingerprints with different visitor ids. If you find a large number of matching fingerprints (you define the threshold) with different sessions then you can alert for the possibility of fraud.
Cheers
How about storing the link with the user when they navigate to the link? Then in the database you will have the link, and if the user has already been to the link then deny them. Seems like it could work; then you wouldn't have to worry about the cookies etc...
I want to set up a voting system which doesn't require people to log in, but they can vote as they want.
How do I stop people from spamming on voting (sending request to add the vote)? I know using client side scripting can easily stop it (from proper user), but what about server side (PHP)? I don't want people to have that URL and constantly hit it to increase the number.
Cheers
Implement reCAPTCHA - it's super easy to implement (takes maybe 10 minutes), is a good anti-spam measure, and serves a greater purpose (digitising books).
If you really want to go with cookies, have a look into evercookies. They're super-invasive, and very unethical, but hey, it's your site :)
You'll have to log their IP and/or set a cookie. The problem with cookies is the client can erase them and the problem with IP tracking is it can block more than one user if a NAT firewall is in the mix, but it will do well for the most part.
You can add a vote_tracking table:
vote_tracking
id
poll_id
session_id
When a user votes in a specific poll, you can update the row with their session id.
You will then need to implement some code to ensure you don't keep issuing queries to determine if user already voted in a poll. If you have an 'active' poll, you can do one lookup, then register a session var indicating that they have already voted, so no matter how many times the poll is rendered, you won't keep hitting the database. Obviously this will only work as long as the current session_id matches, when it differs you will have to issue the first query then reset the session var.
And I'd recommend a reaping mechanism so your table doesn't end up with a million+ rows. If you create a new 'active' poll, truncate the vote_tracking table, or archive it by renaming the table.
Also, the problem with IP tracking is that you will bork users who are behind a proxy, after the first person votes none of the others will be able to vote.
How do I prevent a user from logging in from 2 locations at the same time? A username and password can only be used by 1 person at the same time.
Please send me the code in PHP.
if (!$user->hasOpenSession()) {
    $user->login();
} else {
    $context->forwardToForbidden();
}
Update the users table on login with the IP address and login time. Clear the IP on session timeout or if the user logs out. Check this IP address upon login to make sure it matches up. Only check $_SERVER['REMOTE_ADDR'], you don't want to look at X-Forwarded-For because that could be anything.
Keep a field in the database that keeps track of active sessions. We can give you other pointers, but without more effort and information on your part, it's impossible to provide code.
The problem with restrictions based on the IP address with which the user logged on is that, in some cases, it could be the same legitimate user from the same machine/browser but with distinct IP addresses.
One case (quite rare I suppose) could be a pool of HTTP proxies that would use distinct IP addresses to make requests to your server (even though the actual user/browser/machine is the same). Another case, which I think we might see more and more, is the case of mobile devices: a mobile device could potentially travel and re-associate with different access points and networks, therefore jumping from one IP address to another. In this case, you'd have to force your user to log on again every time. I'm not sure how big this problem is at the moment, but that could be possible for people travelling on trains or similar (depending on how they access their network).
I think a better solution could consist of destroying any other sessions/authentication cookies you have for that user whenever they log on or log out (and perhaps implementing a time-out if they forget to log out).
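One way to implement the last suggestion (a new login invalidates any other session, with an idle time-out), as an added example that is not part of the original answers. The `active_session` table, the function names, user id 42 and the 30-minute time-out are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

const SESSION_TTL = 30 * 60; // idle time-out in seconds (assumed value)

// On successful login: the new session replaces whatever was stored for the
// user, which invalidates a session still open on another device or IP.
function login(PDO $db, int $userId, int $now): string
{
    $sid = bin2hex(random_bytes(32));
    $db->prepare('REPLACE INTO active_session (user_id, sid_hash, last_seen) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $sid), $now]);
    return $sid; // goes into the session cookie
}

// On every request: accept only the user's current, non-idle session.
// No IP comparison, so a roaming mobile client stays logged in.
function isCurrent(PDO $db, int $userId, string $sid, int $now): bool
{
    $stmt = $db->prepare('SELECT sid_hash, last_seen FROM active_session WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || $now - (int) $row['last_seen'] > SESSION_TTL
        || !hash_equals($row['sid_hash'], hash('sha256', $sid))) {
        return false;
    }
    $db->prepare('UPDATE active_session SET last_seen = ? WHERE user_id = ?')
       ->execute([$now, $userId]);
    return true;
}

function logout(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM active_session WHERE user_id = ?')->execute([$userId]);
}

// Constructed demo using an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_session (
    user_id   INTEGER PRIMARY KEY,
    sid_hash  TEXT NOT NULL,
    last_seen INTEGER NOT NULL
)');

$t = 1700000000;
$laptop = login($db, 42, $t);
$phone  = login($db, 42, $t + 60);               // same account logs in elsewhere
var_dump(isCurrent($db, 42, $laptop, $t + 61));  // request from the older session
var_dump(isCurrent($db, 42, $phone, $t + 61));   // request from the newest session
```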