I have some ideas about it, but they are very basic and not complete. I wonder what the best way is to check if the same PC/IP is logged in with two different users and is running two instances of my website?
If two users have the same IP, they are either
on the same computer
in the same household, office or company with a shared internet connection
in the same Internet café
This is as far as you can get. Reliably detecting whether two sessions are on the same computer is close to impossible, as there is no metric that could help you tell.
If you want to battle fraud, you will need to use different methods.
First, let the server send a unique token (e.g. csrf token) when the page loads and each time the user interacts. Then, let each user interaction (post or request) include this token (and generate a new one).
When you get unexpected tokens from the same IP address, you apply a second trick: add the mouse event timestamps to the request and log (to the millisecond) the time differences (henceforth dt) between the local server time and the timestamp that came with the token, with a certain error margin for the variation in delay time.
In the case two instances are running on the same PC, dt will be equal for both unique tokens (that were generated during the most recent interaction or pageloading).
On another physical computer, the chance that the dt is the same (even within the error margin) as on another PC on the same IP address is extremely small, so you have a valid way of testing.
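The dt comparison described in this answer, as an added example (not code from the original post): each request carries the browser's event timestamp, dt is the server receive time minus that timestamp, and two tokens from the same IP whose dt agree within the margin are flagged as probably the same machine. The request records and the 50 ms margin are constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: one request per session token. client_ms is the mouse-event
# timestamp the browser sent with the token; server_ms is the server's receive time.
# Both are Unix milliseconds (made-up values).
REQUESTS = [
    {"token": "tokA", "ip": "203.0.113.7", "client_ms": 1_700_000_000_000, "server_ms": 1_700_000_001_250},
    {"token": "tokB", "ip": "203.0.113.7", "client_ms": 1_700_000_005_000, "server_ms": 1_700_000_006_262},  # same clock offset as tokA
    {"token": "tokC", "ip": "203.0.113.7", "client_ms": 1_700_000_009_000, "server_ms": 1_700_000_014_700},  # other machine behind the same NAT
    {"token": "tokD", "ip": "198.51.100.2", "client_ms": 1_700_000_003_000, "server_ms": 1_700_000_004_250},  # same dt as tokA, but a different IP
]


def clock_offsets(requests):
    """dt per token: server receive time minus the client-reported event time."""
    return {r["token"]: (r["ip"], r["server_ms"] - r["client_ms"]) for r in requests}


def likely_same_machine(requests, margin_ms=50):
    """Pairs of tokens that share an IP and whose dt agree within margin_ms.

    dt is dominated by the client's clock skew, so two browsers on one machine
    produce nearly equal values; the margin absorbs network delay variation.
    """
    by_ip = defaultdict(list)
    for token, (ip, dt) in clock_offsets(requests).items():
        by_ip[ip].append((token, dt))
    hits = []
    for ip, entries in by_ip.items():
        for (t1, dt1), (t2, dt2) in combinations(entries, 2):
            if abs(dt1 - dt2) <= margin_ms:
                hits.append((ip, t1, t2, abs(dt1 - dt2)))
    return hits
```

Tokens on different IPs are never compared, so tokD is not paired with tokA even though their dt are identical.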
You can check the IP address, user agent, time zone, activated plugins...
To avoid more than one user being logged in from the same computer, you can set cookies or transmit a session key on every link. (You have to combine the hash with the IP address and the user information you get, because copying the link should not log other users into the account the hash belongs to.)
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs in to one of the sites he is a member of, and then goes to another, how can I get that site to recognise him from the one he signed in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PHP and then check against all of those as the user moves between sites. However, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I don't know what the configuration of your server is, but if one site is under something.domain.com and another under something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use URL overwrite and the cookie sharing over subdomains option in PHP. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great; imagine what would happen if there were. You can NEVER trust user data and header data, while sometimes you cannot even trust the $_SERVER array. So there is no option to recognize the same user over a few domains.
1) The only answer that is useful is to suggest that you share the user MySQL table, and make all the logins and passwords the same for each site. In that case someone can log in to another site using the same data.
2) You can try to rely on second-hand services like a Google account or Facebook account to verify users on your site. But you must remember that there are people without Gmail and Facebook, and the availability of such a site will be reduced.
3) Use a service like "forever cookie", or something like that, but this is also not 100% sure. It is using HTML5 storage, Flash objects, and everything to verify if this is the same user. But as far as I know, everything can be omitted, if you are patient enough.
Best regards!
I'm making a survey site and I'm trying my hardest to avoid user logins. I want people who answer my surveys to be anonymous members of my university, who open a link and answer the questions directly. So I'm tracking questions/surveys finished by the user through session variables.
But what I don't want is one user submitting tens of questions/surveys by clearing cookies and thus effectively resetting his/her sessions. Anyone know how to deal with this?
(If anyone thinks of other ways by which people can make multiple submissions, let me know that too! I'm also looking at articles to prevent same users using different browsers)
Never trust the user. Ever.
You have a few options. All have pros/cons
By IP address - limit responses to 1 per IP address. This suffers from dynamic IP address problems, as well as only one response being allowed per computer that holds its IP for long periods.
Send single use response token - Send every respondent a unique link. Each link contains a single-use token that may be redeemed to take one survey.
Collect their email address - Redact this information in the results. I'm not sure of your setup, but I thought I'd mention this in case you're just the data middle-man
I'm currently working on my referral system, but I have a problem with protecting it from fraud.
Okay, here's how it works for now:
user registers and activates their account
user now has access to the control panel, and there is their unique link in the following format: domain.tld/ref/12345
when someone else clicks the user's link, he or she must click a specific button to confirm that it is not some kind of fraud (like "click here, you'll get $100" or something)
system writes the visitor's IP in a database and some data to cookies to prevent re-pressing the button. User now has +1 point.
But the problem is that the visitor can change their IP, clear cookies and hit the button again. It takes a few seconds, and that's not OK, that's cheating.
How to prevent it? Is there some trick to get some unique computer ID, or something that can't be changed that easily?
Really the only options are to tie the process to something which is not so easily manipulated by the user - super cookies, browser fingerprints, OpenID, email addresses and telephone numbers (the latter 2 using some sort of validation step before a vote is counted).
The only way you can be certain a referred party does not reuse a referral code is for the original user to send different one-time-use-only referral URLs to each person. Once the code has been used, it is flagged as such in (or removed entirely from) your database so that it can not be used again.
How you prevent the original user from sending multiple links out to the same person is another matter - and not an easy one to resolve.
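The single-use token idea appears twice on this page: the survey answer's "send every respondent a unique link" and the one-time referral URL in the answer above. The following is an added example (not code from either poster) of one store that serves both: tokens are random, only their SHA-256 digest is kept, and the first redemption marks the record used so a replay is refused. The base URL and the recipient values are constructed.

```python
import hashlib
import secrets


class SingleUseTokens:
    """Tokens for one-shot links (survey invitations, per-recipient referral URLs).

    Only a SHA-256 digest of each token is stored, so the table cannot be used
    to forge links; redeeming a token marks it used and a second redeem fails.
    """

    def __init__(self, base_url):
        self.base_url = base_url
        self._records = {}  # sha256(token) -> {"issued_to", "issued_by", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, issued_to, issued_by=None):
        """Create a fresh unguessable token and return the link to send out."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[self._digest(token)] = {
            "issued_to": issued_to, "issued_by": issued_by, "used": False}
        return f"{self.base_url}?t={token}"

    def redeem(self, token):
        """Return the issuance record on first use; None if unknown or already used."""
        rec = self._records.get(self._digest(token))  # lookup by digest, never by raw token
        if rec is None or rec["used"]:
            return None
        rec["used"] = True
        return dict(rec)

    @staticmethod
    def token_from_link(link):
        """Extract the token from a link produced by issue()."""
        return link.rsplit("?t=", 1)[1]
```

For referrals, issued_by records which member sent the invitation, so points are awarded per redeemed link rather than per button press.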
Who do you perceive to be the threat?
Although it's certainly not 100% accurate, you can still fingerprint visitors using, for example, a combination of their IP, browser user agent, and with some JavaScript you can even go for screen size or installed fonts. Using these pieces of information you can set up a system where you save the fingerprints in a data table and in the same record you store the session id (from the cookie). Now when a new visitor arrives you can test their fingerprint against the db of recent fingerprints with different visitor ids. If you find a large number of matching fingerprints (you define the threshold) with different sessions, then you can alert for the possibility of fraud.
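The fingerprint-versus-session-id check this answer describes, as an added example that is not part of the original post: each visit's IP, user agent, screen size and font list are hashed into a fingerprint, the distinct session ids seen per fingerprint are counted, and any fingerprint at or above the threshold is reported. The visit records and the threshold of 3 are constructed.

```python
import hashlib
from collections import defaultdict

FIELDS = ("ip", "ua", "screen", "fonts")


def visit(ip, ua, screen, fonts, session):
    return {"ip": ip, "ua": ua, "screen": screen, "fonts": fonts, "session": session}


# Constructed visitor records (session is the id from the visitor's cookie).
LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
VISITS = [
    visit("203.0.113.7", LINUX_FF, "1920x1080", "Arial,DejaVu Sans", "s1"),
    visit("203.0.113.7", LINUX_FF, "1920x1080", "Arial,DejaVu Sans", "s2"),
    visit("203.0.113.7", LINUX_FF, "1920x1080", "Arial,DejaVu Sans", "s3"),
    visit("203.0.113.7", LINUX_FF, "1920x1080", "Arial,DejaVu Sans", "s1"),  # repeat visit, same session
    visit("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "1366x768", "Arial,Calibri", "s4"),
    visit("198.51.100.2", "Mozilla/5.0 (Macintosh) Safari/17.0", "2560x1600", "Helvetica", "s5"),
]


def fingerprint(v):
    """Stable hash of the collected attributes, joined with a separator so that
    field boundaries cannot be shifted to produce a collision."""
    raw = "\x1f".join(str(v[f]) for f in FIELDS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def sessions_per_fingerprint(visits):
    """Map each fingerprint to the set of distinct session ids seen with it."""
    seen = defaultdict(set)
    for v in visits:
        seen[fingerprint(v)].add(v["session"])
    return seen


def suspicious(visits, threshold=3):
    """Fingerprints seen with at least `threshold` distinct sessions: likely one
    visitor clearing cookies, though a shared office machine looks the same."""
    return {fp: sorted(s) for fp, s in sessions_per_fingerprint(visits).items()
            if len(s) >= threshold}
```

Repeat visits under the same session do not raise the count, so only cookie resets (or genuinely different people on identical setups) move a fingerprint toward the threshold.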
Cheers
How about storing the link with the user when they navigate to the link? Then in the database you will have the link, and if the user has already been to the link, deny them. Seems like it could work; then you wouldn't have to worry about the cookies etc...
I am trying to figure out a way to stop account sharing on a site that requires a login. To solve this I would want to base it on an individual's machine or IP. I know I could base this on cookies, which could possibly be deleted, or an IP, which could possibly be dynamic. Is there something that I am not thinking of? As of now I am thinking I would have to base it on a cookie that can only be rewritten so often with an IP.
Is this the only way to handle it or can someone point me in the right direction.
I would spend time looking into a system for detecting account sharing instead of preventing it. Not only do you not harm your average user logging in from a few locations, but it's also less time consuming and lets you take more accurate action.
You can use your login / visit log for detection. More than one login in 5 minutes with distinct IP(s), the IP(s) used to log in are from broad ISPs, etc. etc.
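The first rule this answer suggests, run over a login log, as an added example (not the poster's code): logins are grouped per user, and any two logins by the same user from distinct IPs inside a 5-minute window are reported as a sharing candidate. The log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log: "timestamp user ip" per line (not real data).
LOG = """\
2024-03-01T09:00:00 alice 203.0.113.7
2024-03-01T09:02:30 alice 198.51.100.2
2024-03-01T09:10:00 bob 203.0.113.9
2024-03-01T09:11:00 bob 203.0.113.9
2024-03-01T10:00:00 alice 203.0.113.7
"""


def parse(log):
    """Parse log lines into (timestamp, user, ip) tuples."""
    entries = []
    for line in log.splitlines():
        ts, user, ip = line.split()
        entries.append((datetime.fromisoformat(ts), user, ip))
    return entries


def shared_account_candidates(entries, window=timedelta(minutes=5)):
    """Users with two logins from distinct IPs inside `window`.

    Returns {user: [(t1, ip1, t2, ip2), ...]}. Logins from the same IP
    (e.g. a reconnect) are ignored; a moving mobile user can still trigger it,
    so treat the result as a lead to review, not proof of sharing.
    """
    by_user = defaultdict(list)
    for ts, user, ip in sorted(entries):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, logins in by_user.items():
        for i, (t1, ip1) in enumerate(logins):
            for t2, ip2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break  # logins are time-sorted, so later ones are further away
                if ip1 != ip2:
                    flagged.setdefault(user, []).append(
                        (t1.isoformat(), ip1, t2.isoformat(), ip2))
    return flagged
```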
Well, don't hobble your site without considering the consequences. The same person could be logging in from work or school, IPs can change because of dynamic addressing, etc...
You could force each id to be logged in from a unique location (e.g. record each login in a table where certain fields comprise a unique key, and look for insertion exceptions). A login from a new location while the old location has been recently active could be set either to (a) fail at the new location, or (b) cause a failure at the old location, (c) inform the alternate location, (d) log somewhere. Also, providing a table of where you've logged in from, shown to the user in fine print, together with a blurb on the policy might aid in compliance among "honest" people.
How do I prevent a user from logging in from 2 locations at the same time? A username and password can only be used by 1 person at the same time.
Please send me the code in PHP.
<?php
// Pseudocode: $user is assumed to be the account being authenticated and
// $context the request handler; both come from your own framework.
if (!$user->hasOpenSession()) {
    $user->login();                 // no other live session: let this one in
} else {
    $context->forwardToForbidden(); // already logged in elsewhere: refuse
}
Update the users table on login with the IP address and login time. Clear the IP on session timeout or if the user logs out. Check this IP address upon login to make sure it matches up. Only check $_SERVER['REMOTE_ADDR']; you don't want to look at X-Forwarded-For because that could be anything.
Keep a field in the database that keeps track of active sessions. We can give you other pointers, but without more effort and information on your part, it's impossible to provide code.
The problem with restrictions based on the IP address with which the user logged on is that, in some cases, it could be the same legitimate user from the same machine/browser but with distinct IP addresses.
One case (quite rare, I suppose) could be a pool of HTTP proxies that would use distinct IP addresses to make requests to your server (even though the actual user/browser/machine is the same). Another case, which I think we might see more and more, is the case of mobile devices: a mobile device could potentially travel and re-associate with different access points and networks, therefore jumping from one IP address to another. In this case, you'd have to force your user to log on again every time. I'm not sure how big this problem is at the moment, but that could be possible for people travelling on trains or similar (depending on how they access their network).
I think a better solution could consist of destroying any other sessions/authentication cookies you have for that user whenever they log on or log out (and perhaps implementing a time-out if they forget to log out).
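The approach in this answer, as an added example that is not the poster's code: a session store where each login revokes the user's other sessions, logout revokes all of them, and a session idle longer than the timeout is rejected. No IP is compared, so the proxy-pool and mobile cases above do not cause spurious logouts. The timestamps in demo() are constructed.

```python
import secrets
from datetime import datetime, timedelta


class SessionStore:
    """One live session per user: a new login or a logout revokes the user's
    other sessions, and sessions idle longer than `idle_timeout` are rejected."""

    def __init__(self, idle_timeout=timedelta(minutes=30)):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> {"user": ..., "last_seen": datetime}

    def _revoke_user(self, user):
        for sid in [s for s, rec in self._sessions.items() if rec["user"] == user]:
            del self._sessions[sid]

    def login(self, user, now):
        """Start a session for `user`, kicking any session the account already has."""
        self._revoke_user(user)
        sid = secrets.token_urlsafe(32)  # unguessable session id for the cookie
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def authenticate(self, sid, now):
        """Return the user for a live session (and refresh its activity), else None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # forgot to log out: expire it
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid):
        rec = self._sessions.pop(sid, None)
        if rec:
            self._revoke_user(rec["user"])  # also drops sessions opened elsewhere


def demo():
    """Second login for the same account wins; the first one is rejected afterwards."""
    t0 = datetime(2024, 3, 1, 9, 0)
    store = SessionStore()
    first = store.login("alice", t0)
    second = store.login("alice", t0 + timedelta(minutes=2))  # login from another location
    return {
        "first_still_valid": store.authenticate(first, t0 + timedelta(minutes=3)) == "alice",
        "second_valid": store.authenticate(second, t0 + timedelta(minutes=3)) == "alice",
        "second_after_idle": store.authenticate(second, t0 + timedelta(minutes=40)),
    }
```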