I am creating a system, and I am trying to ensure that a user cannot register more than once, even if he uses different email addresses or changes his IP. What strategies should I use? Can I do it with cookies?
3 Answers
There is nothing you can do to prevent users from registering multiple times.
User could have:
- Dynamic IP
- Clear cookies
- Clone MAC address
- Use a different email account
- No sane user would purchase additional hardware like biometric authentication
- User could have multiple credit cards, and addresses
The best case is to forbid the use of multiple accounts in the TOS/AUP, and delete/ban those accounts.
-
Device fingerprinting will give you a *really* good idea who might have multiple accounts, though it's not 100% accurate. It would certainly tell you who to look for as a possible cheater or whatever. – Eric J. Jul 29 '12 at 02:28
-
@Bill lol, I think you may have mistaken Eric J's suggested [browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint) for actual physical [electronic fingerprint sensors](https://en.wikipedia.org/wiki/Fingerprint_authentication#Fingerprint_sensors). – wehal3001 Jul 29 '12 at 09:38
-
Oh boy, did I derp up bad. I was thinking about biometrics, because we use them at work. But the blurb from the wiki text "A separate issue is that a single device may have multiple web clients installed, or even multiple virtual operating systems. As each distinct client and OS has distinct internal parameters, one may change the device fingerprint by simply running a different browser on the same machine." – Bill Jul 29 '12 at 17:20
-
@EricJ. Well, I tried this [api](http://www.wolf-software.com/downloads/jquery-plugins/web-browser-fingerprint/) and ran it on two different browsers; it gave me two different hashes and details, but I was supposing that it would be the same. – Muaz Usmani Jul 30 '12 at 00:27
-
Also, one could disable/block js. – Bill Jul 30 '12 at 01:31
-
@MuhammadMaaz: If you run on two browsers on the same machine, you might well get different hashes depending on how good the fingerprinting algorithm is. The better (commercial) ones will recognize things like the IP and User Agent being the same, within a relatively short window of time, and make a probabilistic guess as to whether it's actually the same device or not (impossible to do for an AOL user in Incognito mode, but surprisingly easy to guess correctly for the vast majority of devices). Lesser solutions may just not try and do that matchup. – Eric J. Jul 30 '12 at 22:33
-
@Bill: Some of the commercial solutions will actually do pretty well even if JavaScript is disabled. Omniture only uses the IP address and user agent, period, and still produces useful if only somewhat accurate results. Some of the better browser fingerprinting vendors incorporate other non-JavaScript factors to improve on accuracy even if JS is turned off. – Eric J. Jul 30 '12 at 22:35
-
@Bill Can't I have any better solution? I mean one which is free and gives a better solution, which at least identifies the machine uniquely. – Muaz Usmani Jul 30 '12 at 23:46
-
@EricJ. The only thing I can think of without js, is to examine the headers. – Bill Jul 31 '12 at 02:06
-
@MuhammadMaaz To achieve what you want will be hard, if not impossible. I would suggest you look at the solutions/scripts provided above. One thing you could do is log IP addresses, and then use deduction to determine if someone is using the same account. But again, that is not foolproof. (As some ISPs use the same IP address for a block of users.) – Bill Jul 31 '12 at 02:08
-
@Bill: The methods I'm familiar with are proprietary. But, there is more that one can do if you work under the assumption that you'll never be right in all cases, but there's commercial benefit to being right most of the time. – Eric J. Aug 01 '12 at 00:05
A user trying to get around a cookie-based system will just clear his cookies (or not accept them in the first place). Real-life example: The New York Times tried to restrict people to 20 articles a month by setting a cookie. While that stopped some people from reading more than 20 articles, many figured out they could just delete their cookies and get 20 more articles (or use a different browser).
You also can't use IP address. Sometimes users will get a new IP address frequently. Other times, a single IP address may represent many different users (if they are behind a proxy server).
The closest you can come to satisfying your requirement is to use device fingerprinting. Device Fingerprinting works by considering a wide variety of factors (the IP address, user agent, fonts installed in the browser, plugins installed in the browser, etc.). Check out
to get an idea of how it works.
There are several companies that offer that technology. Google "device fingerprinting" to get a current list. It's also not incredibly hard to roll your own basic device fingerprinting based on what you see at Panopticlick if your requirements are to get a solid idea of who might have multiple accounts, better than cookies or IP can tell you alone. The commercial offerings invested quite a bit of Engineering effort to get from "solid idea" to "very solid idea".
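An added illustration of the answer above and of the comments about matching on IP and User-Agent within a short window (not code from the post or from any fingerprinting vendor): a single hash over all signals changes when the user switches browsers, while a weighted per-signal comparison still flags the pair for review. The signal names, weights, window and threshold are assumptions, and the sample signups are constructed.

```python
import hashlib
from dataclasses import dataclass

# Assumed signals: "ip" and the HTTP headers are visible server-side even with
# JavaScript off; "fonts" stands for a value reported by a page script.
WEIGHTS = {"ip": 0.35, "User-Agent": 0.25, "Accept-Language": 0.15, "fonts": 0.25}
WINDOW_SECONDS, THRESHOLD = 24 * 3600, 0.6   # illustrative policy values

@dataclass
class Signup:
    account: str
    ts: int          # Unix time of registration
    signals: dict

def exact_fingerprint(signals):
    """Single hash over every signal: changes if any one signal changes."""
    joined = "\n".join(f"{k}={signals.get(k, '')}" for k in sorted(WEIGHTS))
    return hashlib.sha256(joined.encode()).hexdigest()

def similarity(a, b):
    """Weighted share of matching signals among those both signups supplied."""
    score = total = 0.0
    for name, weight in WEIGHTS.items():
        va, vb = a.signals.get(name), b.signals.get(name)
        if va is not None and vb is not None:  # missing signal counts neither way
            total += weight
            score += weight * (va == vb)
    return score / total if total else 0.0

def likely_duplicates(signups):
    """Pairs of accounts registered close together that look like one device."""
    ordered, flagged = sorted(signups, key=lambda s: s.ts), []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.ts - a.ts > WINDOW_SECONDS:
                break
            score = similarity(a, b)
            if score >= THRESHOLD:
                flagged.append((a.account, b.account, round(score, 2)))
    return flagged

# Constructed sample: alice/alice2 are one machine, two browsers; carol shares only a proxy IP.
SHARED = {"ip": "203.0.113.7", "Accept-Language": "en-US", "fonts": "Arial,Calibri"}
SAMPLE = [
    Signup("alice", 1000, {**SHARED, "User-Agent": "Firefox/14.0"}),
    Signup("alice2", 4600, {**SHARED, "User-Agent": "Chrome/20.0"}),
    Signup("carol", 5000, {"ip": "203.0.113.7", "User-Agent": "Safari/6.0",
                           "Accept-Language": "de-DE", "fonts": "Helvetica"}),
]
```

The output is a review queue, not a verdict: a pair that only shares an IP (the proxy case) stays below the threshold, and a flagged pair can still be two people on one machine.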
You need to tie the user's registration to something that can't be copied or forged. Here are some ideas:
- Some companies have done this with mobile phone numbers, under the theory that most people have one phone but not two or three, or, at least, it's hard for people to trivially get a new number. So make people give you a phone number, send them an SMS message with a code, and then permanently bind that phone number to their account.
- You can try using processor IDs or Ethernet addresses. You'll need to have some software that reads the ID (typically in assembly language) and gets you the results back. Of course, people can hack your software, or register from multiple machines, but this will work well in some cases.
- Force people to pay for their accounts. People typically won't want to get many of them.
- Give up. Design your system so that it's okay if people register multiple times.
Good luck.
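An added example of the phone-number binding described in the answer above (not part of the original post): the number is normalized so formatting variants cannot be registered twice, the SMS code expires and has a limited number of tries, and a confirmed number stays bound to one account. The normalization is deliberately simplified and assumes national numbers belong to country code 1; the TTL, attempt limit and in-memory stores are assumptions, and sending the SMS is left to the caller.

```python
import hashlib
import hmac
import re
import secrets
import time

CODE_TTL, MAX_TRIES = 600, 5   # assumed policy: 10 minutes, 5 attempts
bound = {}     # normalized phone -> account (permanent binding)
pending = {}   # normalized phone -> [account, code_hash, expires, tries_left]

def normalize(phone, default_cc="1"):
    """Collapse formatting variants of one number into a single key."""
    digits = re.sub(r"\D", "", phone)
    if phone.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return "+" + default_cc + digits.lstrip("0")

def _hash(code):
    return hashlib.sha256(code.encode()).hexdigest()

def start_verification(account, phone, now=None):
    """Return the code to send by SMS, or None if the number is already bound."""
    number = normalize(phone)
    if number in bound:
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    pending[number] = [account, _hash(code), now + CODE_TTL, MAX_TRIES]
    return code

def confirm(account, phone, code, now=None):
    """Bind the number to the account if the code is right, fresh and in budget."""
    number = normalize(phone)
    now = time.time() if now is None else now
    entry = pending.get(number)
    if entry is None or entry[0] != account or number in bound:
        return False
    if now > entry[2] or entry[3] <= 0:
        del pending[number]            # expired or out of attempts
        return False
    entry[3] -= 1
    if not hmac.compare_digest(entry[1], _hash(code)):
        return False
    bound[number] = account            # never released in this example
    del pending[number]
    return True
```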