Store IP or set cookie for PHP POLL? - php

I would like to make a voting system for my site. I need to check whether a user has voted already. Do I need to store the IP of the user, or do I need to store a cookie on the user's computer, and then validate whether the IP has already been used for voting or a cookie is already stored on the user's computer?

Neither of those will give you a flawless script, because the user can still clear the cookies or browse through a proxy to revote. However, I would use both cookies and the IP address, in case the user has a dynamic IP address or clears the cookies.

I would suggest doing both, as an IP can change and a cookie can be deleted.
Also, if you want more accuracy, you can use Flash's LocalSharedObjects, also known as Flash cookies, to store whether a person has already voted or not. Far fewer people could/would delete these on a regular basis.

I think the best way is to have a user registration system to store user information like polling, etc. Then you can easily check whether that user has voted already or not. This way is more secure than the others. But as another option that you can consider, you can store the user's MAC address. The MAC address is better than IP and cookie. But storing all the information helps you to have a good vote system.

Related

How to Log Votes of Users who are not signed in

I am creating a simple like/dislike module. My site has no login system, which means the visitors are not logged-in members.
How can I log their LIKES/DISLIKES, so they cannot repeat the same action again and again for the same post?
Can I log their unique IP or MAC address?
Any help?
IP/MAC is not perfect as it will identify different users in the same household as one.
Cookie is not perfect as they can easily be cleared (or the user can just use a private/incognito mode)
The best solution I've found - yet still not perfect - to identify users without a login is to use a long lived cookie/session as well as storing session ID, IP and User Agent along with the like/dislike ID to enforce any rule you would like to set.
From this answer, evercookie is also an option to explore.
In PHP you can use
$_SERVER['REMOTE_ADDR'];
to log their IP address. You can also create a session in their browser in case of an IP change, where the user's IP is not static.
Use cookies. Check for the cookie before voting and set the cookie after voting. It's not perfect either, because the user can delete cookies, but if you want to be 100% sure then you must have registered users.

PHP user authentication using database and ip address?

I have been considering the problems arising with user authentication, using sessions/cookies and the security risks that come up with session hijacking. I understand that using a secure https:// is the most effective method, as well as regenerate_session_id() and using a random string for validation (amongst numerous additional procedures).
My question is this: is there a possibility to incorporate a method that forgoes sessions and cookies, and uses just database held variables?
Here is how I would set it up:
- Have a column in the user table that can hold an IP address, and one that would be a Boolean.
- When the user 'logs in', set the current IP address of the user into the database, and set the Boolean value to false (if the user doesn't want to be 'remembered') or true (if they do).
- On page load, it checks the current IP address with the one stored in the user database. If it matches, the user is considered valid.
- On window close, the script would then clear those values and the user would be 'logged out'.
- If the user wanted to 'stay logged in' (which I know is a huge security risk) then a toggle (the Boolean value) would simply deactivate the log out script and the IP address would stay stored for the user.
What would be the fallbacks to such a method? Is it even possible?
IP addresses are simply not an accurate and reliable way to uniquely identify a user. The IP may change during the session, and more than one user agent may be using the same outbound IP.
Sorry :-)
I saw this kind of IP check on a system recently, and it was causing numerous problems with users being randomly disconnected all the time (whenever their dynamic IP changes). Just don't do that; IPs can change, so you cannot rely on them.
Most likely, you should take a look at existing authentication methods and try to implement that. Keep it simple.
The existing answers saying "dynamic IP is an issue" are absolutely correct. Consider a mobile device connected via 3G. Each time the user walks into range of a new tower, their IP changes...

PHP Server options and voting system

I am currently creating a website that allows anonymous users to input data (or comments) into a database and allows other anonymous users to the site to vote up or down the comments presented on the site.
I have already created the functionality to allow a user to create a comment and allow another user to vote on the comment. The problem I'm having though is thinking how I can limit each visitor to the site to only vote on each comment once.
My idea was to create a session ID when the user votes and then when they try and vote again to try and compare if a session ID already exists. This would work but only until the session is destroyed. Does anyone have any other ideas of how this could be achieved?
I am assuming I might be able to use some of the $_SERVER options available.
Thanks in advance.
Just restrict the voting with either IPs or cookies. I also created 3 websites in which I had to take public voting. Earlier I did it with IPs, but then I changed back to cookies. I also saved IPs along with setting cookies to check if the users were deleting cookies again and again to vote, but I never had such a problem, so my opinion is to just go with cookies, because not everyone can find out that we are doing it with cookies.
It's impossible to enforce a one-vote policy on an anonymous user system. As said in a comment above:
"Trying to control "Anonymous" is nearly impossible. IPs are shared, sessions are temporary, cookies can be deleted"
You can't identify your clients 100%; if a user wants to, he will be able to bypass whatever means you attempt to use and vote more than once.
Your only reliable option is to enforce registration and only allow registered users to vote.
If you still insist, you can try to make it difficult for users to bypass your enforcing system. Use a combination of the user's IP address and a lasting cookie, and cross-validate against both to ensure the user doesn't vote twice. But again, do note that a user can easily delete cookies and, in most cases, change his IP address.
When you are inserting comments for a specific article, store the id or name of the member who is commenting, or anything unique. Put the verification code before inserting the comments:
-- Check point: has this member already commented on this article?
SELECT * FROM articles
WHERE member_commented_id = :current_member_id_from_querystring
  AND article_id = :member_commented_on_article_id;
-- If the result has more than 0 rows, the member has already commented on this article.
-- Otherwise, add the comment to the article and insert the member id as well, for checking.
-- If you are using a separate table for comments, then you have to add fields to that table, like:
-- comment_id, comment, com_date, member_id_who_commented, article_id_on_which_commented
Making an IP or cookie check point is not reliable, because IPs are changed by the ISP (if set to dynamic IP) and cookies can be cleared by the visitor.
Hope this helps you
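
Added example, not code from any of the posts above: one way to cross-validate a long-lived cookie token against IP address and User-Agent, as suggested in this thread and in the like/dislike thread earlier. The table, function names, the 24-hour window and the HMAC key are assumptions, and an in-memory SQLite database through PDO stands in for the real one.

```php
<?php
declare(strict_types=1);

function openVoteStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE lets the database, not a racy SELECT-then-INSERT in PHP,
    // decide "one vote per cookie token per poll".
    $db->exec('CREATE TABLE votes (
        poll_id INTEGER NOT NULL, choice TEXT NOT NULL,
        voter_token TEXT NOT NULL, ip_ua_hash TEXT NOT NULL,
        voted_at INTEGER NOT NULL,
        UNIQUE (poll_id, voter_token))');
    return $db;
}

/** Returns "accepted", "duplicate_cookie" or "duplicate_ip_ua". */
function castVote(PDO $db, int $poll, string $choice, string $token, string $ip, string $ua): string
{
    // Keyed hash so raw IP addresses are not stored; the key is a placeholder.
    $fp = hash_hmac('sha256', $ip . "\n" . $ua, 'replace-with-server-secret');
    // Same IP + User-Agent under a different token within 24 hours suggests a
    // cleared cookie. It also rejects a second person behind the same NAT.
    $q = $db->prepare('SELECT COUNT(*) FROM votes WHERE poll_id = ?
        AND ip_ua_hash = ? AND voter_token <> ? AND voted_at > ?');
    $q->execute([$poll, $fp, $token, time() - 86400]);
    if ((int) $q->fetchColumn() > 0) {
        return 'duplicate_ip_ua';
    }
    try {
        $db->prepare('INSERT INTO votes VALUES (?, ?, ?, ?, ?)')
           ->execute([$poll, $choice, $token, $fp, time()]);
        return 'accepted';
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') {
            throw $e; // not a constraint violation
        }
        return 'duplicate_cookie';
    }
}

// Constructed requests (documentation IP ranges, made-up User-Agent).
$db = openVoteStore();
$ua = 'ExampleBrowser/1.0';
$token = bin2hex(random_bytes(16)); // on a real site: value of a long-lived cookie
echo castVote($db, 1, 'yes', $token, '203.0.113.7', $ua), "\n";  // first vote
echo castVote($db, 1, 'yes', $token, '198.51.100.9', $ua), "\n"; // same cookie, new IP
echo castVote($db, 1, 'no', bin2hex(random_bytes(16)), '203.0.113.7', $ua), "\n"; // new cookie, same IP + UA
```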

PHP Session - Multiple Users With 1 IP

On Monday, I thought I had solved the session hijacking security issue by setting the session as the user IP, until I logged in. I had two users with the same IP (myself and a test user) and it kept switching between the two. Is there a way to prevent this and allow two users with the same IP register on my site?
Thanks in advance,
Terry.
You may have been reading advice about storing the user's IP in a table along with the session id (not in place of it). You'd then check to make sure they're coming from the same IP on subsequent requests; otherwise, force them to log in again. This method has problems as well: a user's IP can change as often as every ten minutes, depending on their ISP!
Use the session id provided by PHP as it's unique and difficult to guess. Require it to be read from a cookie and never from the URL.
SSL the entire site if it is a concern, and apply a short cookie timeout. The SSL will encrypt the cookie and transmission so it cannot be sniffed off the wire. A short time to live will make the cookie useless soon after it has been taken from the "logged in" computer if they have direct access to the system. So, in short, get a security cert and go on as normal with a normal PHP session.
I take it you're looking for the user's information in the MySQL database, using their IP? That is wrong. The only way to be truly unique is with a primary key field.
Either store the primary key as the session and pull their data, or store relevant information in the session and only pull anything else when it is needed.
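
Added example, not code from the answers above: a PHP session set up the way this thread recommends, with the id read only from a cookie, the cookie restricted to HTTPS, a short idle timeout, and the user's primary key (not the IP) stored in the session. The 15-minute timeout, the `SameSite` value and the function names are assumptions.

```php
<?php
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds; assumed value for a "short" timeout

function startHardenedSession(): void
{
    session_start([
        'use_only_cookies' => 1,    // never accept the session id from the URL
        'use_trans_sid'    => 0,    // never append it to links either
        'use_strict_mode'  => 1,    // reject ids the server did not issue
        'cookie_secure'    => 1,    // cookie is sent over HTTPS only
        'cookie_httponly'  => 1,    // not readable from JavaScript
        'cookie_samesite'  => 'Lax',
        'cookie_lifetime'  => 0,    // dropped when the browser closes
    ]);

    // Server-side idle timeout: a copied cookie stops working soon after
    // the legitimate user stops making requests.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

function logIn(int $userId): void
{
    // New id at the privilege change, old session data deleted.
    session_regenerate_id(true);
    // Key the session on the user's primary key; two users behind one IP
    // address then get two independent sessions.
    $_SESSION['user_id'] = $userId;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```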

PHP and cookies

What is the best way of storing user IDs or usernames so they will not have to log in every time?
I want to forward the user to the members page if the stored ID or username is compared with the one stored in the database.
Is it safe to do it using cookies, and how can I do that?
Don't store their username or password in a cookie. Always assume that everyone on the internet can see every cookie on a person's computer. What you should do instead is save the session_id and the IP address they accessed from to your MySQL table, then save the session_id to a cookie. Most browsers will clear session variables when you close the window, but they will not clear cookies. Therefore you first check the session (are they currently logged in), and if they're not logged in then you check the cookie (were they logged in before, and more importantly, was it from this IP address?)
Of course if they have a session_id but they're not at the proper IP address, make them log in. They could just have an ISP with dynamic IPs, or they could have been listening to network traffic and they're trying to get into the admin user without a password.
This feature should be optional to let people log in from internet-cafe and such, not leaving their data open to everyone.
Yes, a cookie is the only possible way to mark a browser.
You have to store some unique and unpredictable value there. Generate some hash out of the user's data, store it in the database along with other user data and set it as a cookie.
The safest way is to require a valid SSL certificate from the browser, and validate the user agent's certificate server-side. However, in any browser I've seen, installing such certificates is a big enough pain and hurdle for users that it's probably not suited for a public website. It can, however, sometimes be seen in intranets.
I just wrote this solution for anyone else who is interested.
http://rabbie.id.au/my-elegant-remember-me-solution-using-php-mysql-and-cookies/
With my sites, I use a custom written Session class. This stores a sess_id and sess_hash in a cookie, which is unique for the current user. An IP address is also stored in the database, and checked against the current IP to verify it is the same computer, but that is not the main authentication mechanism. Data is then stored, serialised and base64'd in the database. I would advise against using PHP Sessions, because they can be accessed by any user with the ID. Someone posting a link to something with the PHPSESSID in it, can, for example, let them log into their account.
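
Added example, not code from the answers above or from the linked post: a "remember me" cookie that holds a unique, unpredictable value while the database keeps only a hash of it. It takes the value from `random_bytes()` rather than from a hash of user data, splits it into a lookup selector and a secret validator, and makes each token single-use; the table, function names and two-week lifetime are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
declare(strict_types=1);

function openTokenStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

/** Returns the cookie value "selector:validator"; only a hash of the validator is stored. */
function issueRememberToken(PDO $db, int $userId, int $ttl = 1209600): string
{
    $selector = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32)); // secret, never stored in clear
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

/** Returns the user id for a valid cookie value, or null. Tokens are single-use. */
function redeemRememberToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $q = $db->prepare('SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $q->execute([$selector]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // A token is spent on its first lookup, whether or not it validates.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $validator))
        && (int) $row['expires_at'] > time();
    return $ok ? (int) $row['user_id'] : null;
}

// Constructed run: user id 42 is a made-up value.
$db = openTokenStore();
$cookie = issueRememberToken($db, 42);
var_dump(redeemRememberToken($db, $cookie)); // first presentation of the cookie
var_dump(redeemRememberToken($db, $cookie)); // replay of the same cookie value
```

On a real site the value would be sent with `setcookie()` using the `secure`, `httponly` and `samesite` options, and a fresh token issued after each successful redemption.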
