Re: [PHP] Identifying a user who previously created a profile

2005-02-25 Thread Bret Hughes
On Thu, 2005-02-24 at 04:02, Jacques wrote:
> How can I ensure that a user is prevented from creating a second profile
> after he has registered a second time with different registration details?
>
> I thought of capturing his IP Address and checking this value against my
> users table in my database where I have captured IP Addresses of users who
> have previously registered.
 

Not a good way for several reasons:

Dynamic IP addressing.
NAT-based firewalls.

I suspect your best bet is to place a cookie.

Bret

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Identifying a user who previously created a profile

2005-02-25 Thread Randy Johnson
You could do a few things here.

I would not ban people from signing up again if the IP address is in
the database.

You could make it so no email could be in the database more than once.

What I did before was:
if a user's IP address matches an IP address in the database I have the
script email me to investigate, then I can decide and delete accordingly.

You could do the same thing for similar email addresses, similar cities
etc. depending on how paranoid you are about it.

Using IP address is a bad idea because ISPs recycle IP addresses all the time.

Randy

Jacques wrote:
> How can I ensure that a user is prevented from creating a second profile
> after he has registered a second time with different registration details?
>
> I thought of capturing his IP Address and checking this value against my
> users table in my database where I have captured IP Addresses of users who
> have previously registered.
>
> Jacques



Re: [PHP] Identifying a user who previously created a profile

2005-02-25 Thread Richard Lynch
Jacques wrote:
> How can I ensure that a user is prevented from creating a second profile
> after he has registered a second time with different registration details?

You can't.

Not totally.

You could send them a Cookie, and hope they're not smart enough to delete
it before they re-register.

You could ask them for a valid email address, and require them to get an
email from you at that address before moving forward, but with free email
all over, that's not much help.

You can prevent wide-spread scripted abuse by requiring them to identify a
random set of characters in an image, possibly semi-obscured by noise in
the image background.  I don't think any of the scammers have glued in a
usable OCR yet to defeat that, though it may only be a matter of time...

I guess part of the answer really depends on how Serious you need to be
about this:  Are you just trying to avoid people making the mistake of
coming back a year later and re-registering without realizing they are
already registered?  Or are you trying to build an election system for
your government?  Somewhere between the two?

What seems like a simple idea -- uniquely identifying the user -- is
actually IMPOSSIBLE to be 100% sure, and downright difficult to even make
a valiant attempt at it.

> I thought of capturing his IP Address and checking this value against my
> users table in my database where I have captured IP Addresses of users who
> have previously registered.

Forget that.

AOL users will change their IP address more often than drummers change
their underwear -- sometimes mid-session.

And a large corporation like IBM will have everybody in one location
behind a firewall with a single IP address.

IP address is absolutely useless for user identification, authentication,
or, well, much of anything really.

You could maybe maybe maybe find IP address useful as one of a whole bunch
of indicators in a rather complex system calculating the probability
that user X is the same as user Y, using (some of):

IP address
Browser headers sent (only some, though, as some change over time)
Cookies (can be forged)
Require an email (again, easy to defeat by itself)
Visual I/O [see above] (stops automated registration)

Actually, you could require half of a two-way encrypted key-pair, or a
digital signature, but your average user is not gonna have any clue how
to do that...  And that won't stop them from making two key-pairs, but at
least when you get the digitally signed token, you know they are who they
say they are, assuming the original didn't lose their key.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Identifying a user who previously created a profile

2005-02-25 Thread Leif Gregory
Hello Jacques,

Thursday, February 24, 2005, 3:02:09 AM, you wrote:
J> I thought of capturing his IP Address and checking this value
J> against my users table in my database where I have captured IP
J> Addresses of users who have previously registered.

Good luck. There isn't a way that I know of that is 100%.

For instance, using the IP address could bite you because a new user
might come from the same ISP as an already registered user and they
ended up pulling the same IP address from the pool when they
connected. It's remote, but possible. A more likely problem with this
is if someone was behind a NATted firewall (corporate users) where
they all have the same IP address, or people who use proxy servers.

I guess, the best way is a cookie, but a user can delete their cookies
(people sometimes do this to cheat on voting systems so they could
place more than one vote.)

You could try a combination of things: logging their IP, setting a
cookie and maybe using JavaScript to pull some of the client machine
information and log that into a DB. If, say, two or more criteria match
then you refuse the second account creation.

Of course all that would fail if they used a different machine
altogether to create the second account.

You can make it more difficult to create a second account, but you
can't really prevent it. Even if you had a manual process in place
where they had to give you a valid phone number, address and e-mail
address, I could give you my cell number, my neighbor's or parents'
address, and any e-mail account I had created.

I guess you could have them FAX you a photo ID, but still, if someone
was really determined, that can be gotten around too.



-- 
Leif (TB lists moderator and fellow end user).

Using The Bat! 3.0.2.3 Rush under Windows XP 5.1
Build 2600 Service Pack 2 on a Pentium 4 2GHz with 512MB
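
Added example, not part of any poster's message: a sketch of the multi-signal check suggested in the two replies above, where IP address is only one weak indicator and a high enough combined score flags the registration for manual review. The weights, threshold, field names, the "+tag" email normalization and the sample records are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed weights: a shared IP (NAT, proxy, recycled lease) is weak evidence;
// a returning cookie token or the same mailbox is much stronger.
const WEIGHTS = ['cookie' => 3, 'email' => 3, 'client' => 1, 'ip' => 1];
const REVIEW_THRESHOLD = 2; // "two or more criteria", expressed as a score

// Fold case and drop a "+tag" suffix so similar addresses compare equal.
function normalizeEmail(string $email): string
{
    [$local, $domain] = array_pad(explode('@', strtolower(trim($email)), 2), 2, '');
    return explode('+', $local, 2)[0] . '@' . $domain;
}

// Return the names of the signals on which two registrations agree.
function matchedSignals(array $new, array $old): array
{
    $hits = [];
    if ($new['cookie'] !== '' && hash_equals($old['cookie'], $new['cookie'])) {
        $hits[] = 'cookie';
    }
    if (normalizeEmail($new['email']) === normalizeEmail($old['email'])) {
        $hits[] = 'email';
    }
    if ($new['client'] === $old['client']) { $hits[] = 'client'; }
    if ($new['ip'] === $old['ip']) { $hits[] = 'ip'; }
    return $hits;
}

// Score a new registration against known users; list those worth a manual look.
function findLikelyDuplicates(array $new, array $users): array
{
    $flagged = [];
    foreach ($users as $id => $old) {
        $hits = matchedSignals($new, $old);
        $score = array_sum(array_map(fn($s) => WEIGHTS[$s], $hits));
        if ($score >= REVIEW_THRESHOLD) {
            $flagged[$id] = ['score' => $score, 'signals' => $hits];
        }
    }
    return $flagged;
}

// Constructed sample data: user 1 shares only an office NAT address with the
// newcomer; user 2 shares the cookie token and, after normalization, the mailbox.
$users = [
    1 => ['cookie' => 'a1', 'email' => 'ann@example.com', 'client' => 'UA-1', 'ip' => '203.0.113.7'],
    2 => ['cookie' => 'b2', 'email' => 'bob@example.com', 'client' => 'UA-2', 'ip' => '198.51.100.4'],
];
$new = ['cookie' => 'b2', 'email' => 'Bob+x@example.com', 'client' => 'UA-3', 'ip' => '203.0.113.7'];
print_r(findLikelyDuplicates($new, $users));
```

With these weights an IP-only match never reaches the threshold on its own, so users behind the same NAT or proxy are not flagged; a flagged entry is meant to go to a reviewer rather than trigger an automatic refusal.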




[PHP] Identifying a user who previously created a profile

2005-02-24 Thread Jacques
How can I ensure that a user is prevented from creating a second profile 
after he has registered a second time with different registration details?

I thought of capturing his IP Address and checking this value against my 
users table in my database where I have captured IP Addresses of users who 
have previously registered.

Jacques 
