I am willing to implement website where will be top 10 best members' pictures or something like that. Before voting for pictures or uploading pictures people will have to register first. But how could I protect my website from multiple accounts? Store IPs to database? But will it help me while there thousands proxies out there? What should I do? Thank you.
edit: maybe I could make accounts paid, for examples 0.99$ for month via paypal and somehow do no let people register twice with the same paypal and IP? Is it possible?
Use a confirmation code that is sent to mobile no upon registration. and confirm it. like google.
You can't stop it, but you can make it difficult and do things to detect it like you said with the IP's.
You can get a lot of data from user, not only IP but also browser version, sended headers in request, even resolution etc. with javascript. Rosolve IP to region etc. But it's not simple to write a system that would search all of that data for similarities.
You can also set cookies or even do a little swf object with cashed some information on user local hdd.
You can send mail confirmation... and don't allow multiple users from the same mail!
This is fast and easy to implement :)
Related
I am writing a voting plugin for my Wordpress site. I would like for a client to be able to vote without logging in. What I have done is I have used $_SERVER['REMOTE_ADDR'] to only allow each client to vote once. Since the voting also uses AJAX, the voting is quick and easy.
However, I have run into a problem with mobile devices as they don't have unique IP addresses. What solution can I use to make sure that people cannot spam the vote button (or if someone double clicks on it, that two votes are not registered etc.) on a mobile device?
This does not need to be a fool-proof method. I realize that $_SERVER['REMOTE_ADDR'] is not foolproof either (although if anyone has any fool-proof ideas that can be implemented easily, I'd love to hear those as well).
I've build two seperate browsergames and I want them to share the same login system. So that if you have one account which you use for both games. I want this because of payment reasons (if they buy something I have to pay per website so I want all payments to come from one website) and user experience (why sign up multiple times?).
But when they first sign up and login I do not want to redirect them to the centralized system because I want the sign-up/login-proccess to be as simple as possible because I'm afraid they'll lose interest.
So I was thinking about letting them sign in to the website normally and then using cURL to send the requests to the centralized website by building an API.
I am however wondering if this is a good approach because none of the websites are on the same network. I guess I'll have to build the centralized login system in such a way that it only accepts requests from the domains the games are on. But are there any other things I have to worry about? How should I send for example passwords? Because sending them plain text seems like a horrible idea so I guess I'll have to hash them on the side of the game. I guess I'll have to make a small copy of the users table for for example the username and user_id.
I don't want to use for example OpenID or Facebook Connect or something because that does mean redirecting to an external system (which is bad for user experience) and the average age off players on the website is about fourteen, so they have no clue about OpenID and I don't want to force them to connect their Facebook accounts to my websites.
Also I'm sorry if I'm unclear or writing in bad English, I'm not a native and having a hard time expressing myself the right way.
Thanks in advance!
If I were you, i'd create a API for registration system.
Website A (game1) uses that API to create accounts and verify them, same does the website B.
API would validate data, respond with errors (username taken etc), or return success messages. It should be protected (LAN access only or some authentication)
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I can do this using IP checks but that would be stupid if if the user had dynamic ip adress, then another option is cookies but that would also be stupid for many reasons - one being that its client side.
So then, i think mac address will be the thing to use, but i have no idea how to grab the mac address using php or javascript.
I think if this is possible, then it will be via js because it is client side
So any suggestions?
Why is it 'stupid' to use client-side information for authentication, that's where you'll be getting the username and password from and you're likely trusting that already
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password you could encode some other browser specific fields (exact UA header?) into the cookie to add more data you can use to decide if the client is trusted
That's more a comment than an answer:
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I'm not the author of that feature from facebook, so I don't have the specification of that feature at hand. If you would be so kind and add the specification of the feature you ask a question about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution
I can use this api http://ipinfodb.com/ip_location_api.php And grab the location of my users and if it changes ask them to verify device.
I am a web developer and I want to design a commercial website to sell a customer's product. Sell and buy activities are important and I need to maintain user activity information to keep the site secure.
I want to write a dynamic website. I want to control all user activity and then decide whether to save user activity information in a database. Some of site's visitors are registered users and some are anonymous. I want to save online information such as ip address, username, page name, and date/time for my registered users.
I want to know:
How do I save a user's IP address?
What more do I need to save?
Saving each HTTP request details into database will work for low traffic web sites, but you will have performance issues in case of popular website, since writing to database in relatively slow operation.
Why not to use server HTTP logs instead?
All HTTP web servers create plain text log files which record remote user IP address, URL requested, etc. You can create activity report by writing your own script or using log file report tools. AWStats ( http://awstats.sourceforge.net/ ) is one of the most popular open-source tools for this.
On client side you can use Google Analytics to track user activity. It also provides means to track custom events:
_gaq.push(['_trackEvent', 'login', 'user_login', "custom data"]);
More info at: http://code.google.com/apis/analytics/docs/tracking/asyncUsageGuide.html
This option only tracks users with JavaScript enabled, so it won't show bots, crawlers or users having analytics blocking addons installed.
I'm not sure I understand all of your question...but to address at least one aspect of it, if the user is behind a proxy, then you have no way of determining what their real IP is. That's the whole point. The proxy is the one making the request and then forwarding it. Without asking the proxy yourself, you cannot determine that. With regards to what else you need to save, it depends entirely on what you want to do and you haven't done a good job of explaining why you are saving this data. If you can clarify that, perhaps we can help you a bit more in determining what data you should be saving.
Edit To address your clarification, if you wanted to be crazy, you could log everything that a person does. Every link they click, every product they view, etc. I don't necessarily advocate that as I find it a bit creepy, but there are definitely sites that do it. At the bare minimum, I would suggest logging what products people look at and then what products they buy. I would also log that information on a per-session basis. Basically, what products do people look at and then end up buying on the same trip to your store. I wouldn't worry too much about the "real" IP address. Most people won't be behind a proxy and those that are, you can't do anything about anyway.
How do I save a user's IP address?
$_SERVER['REMOTE_ADDR']
What more do I need to save?
That's quite strange question. It's your application, not someone's else. How can we guess what information you need?
However, at least one issue I can point out: a page name is not sufficient to log "all user activity". Query string and POST data usually contains important details on that activity.
Huh, after some searches on the net on how to retrieve user email address, the short answer is - there is no way.
But, is there really no way of fetching user email? A hacky one or something?
It's not meant for spamming or stuff like that, but, my application local user storage uses email as it's core ID, and I have to compare if that particular twitter account is already registered in database or not. I'm using this technique for facebook authentication and it works flawlessly, but client demands twitter login too, but I have no idea how could I compare it without looking at emails.
P.S. I hope I've made myself clear enough, if not, don't hesitate to ask, this is actually pretty important at the moment.
Thanks in advance!
There is absolutely no way at all. It is not in the API, it is not on any pages to be scraped. The email appears nowhere on Twitter and cannot be obtained from Twitter.
We can create twtter account with out email, so in api's twitter will not provide the email of its users, as a user is not necessarily a human.
to get the friends list please use api :
https://dev.twitter.com/rest/reference/get/friends/list