-1

How can I get the IP of someone and then check if this specific user has already created 2 users?

Like, if this IP: xx.xx.xxx.xx has already successfully registered 2 users, then cancel his third registration.

How can I do that?

corsiKa
Gs Marinakic

2 Answers

3

As the IP address usually will change every day, and the person could obtain a new IP address while reconnecting to his provider or he could use a proxy, your solution will not work. Don't even try it!

Also note that multiple users can be members of a bigger network with one outer IP (like a university). You would allow only one out of them to create an account.

Your planned solution would lead to situations where valid users cannot create an account but hackers could easily circumvent the restriction and even better prevent others from creating an account. Again, don't try this!

hek2mgl
  • So, what do you suggest me to do? Is there a different way of doing this? – Gs Marinakic Jul 05 '13 at 21:10
  • No workarounds available. Try to create a second account on SO, you'll see.. That's anonymity in the internet, and that's great. If you are working at NSA you may find a solution, of course ;) – hek2mgl Jul 05 '13 at 21:10
  • If I make a field on my table called 'ip' and then insert the ip into the table. If the ip exists then abort the registration... hmm this way is not so secure – Gs Marinakic Jul 05 '13 at 21:13
  • This will not work. That's it. You are free to create as many accounts as you like, on any site in the internet. – hek2mgl Jul 05 '13 at 21:14
  • 1
    Use captchas .... If the spammer is human you -as the admin- are free to delete the account manually – hek2mgl Jul 05 '13 at 21:16
0

IP Address Information

First, you should be looking in these two server variables for your client IP address. The first one below is normally the most accurate and commonly used; you might also want to use the second, however be aware that this can be spoofed by your clients.

$_SERVER['REMOTE_ADDR'] // Normally here
$_SERVER['HTTP_X_FORWARDED_FOR'] // Sometimes if behind proxy

Next, IP addresses regularly change for internet clients for a few reasons: dynamic IPs from ISPs' broadband services, a user's normal mobility on the internet, or people using evasive tactics to get past your IP limitation security (normally using a type of internet proxy service).

Because of this you will normally want to store the IP when the user signs up, and also update this list each time that they log in to keep an IP history for that user.

Next, when another person signs up for your service you will need to compare their IP address to that of your database contents. However, you need to be careful here. There are plenty of valid reasons for users sharing the same IP address; for example, a workplace or university will normally have thousands of users using a single public IP address.

Fingerprinting

Finally, something that I know a few services do is try to capture more identifiable information from the client than just the public IP address that they are using.

For example, from PHP you should be able to capture information such as the User Agent:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36

Other information like timezone, HTTP supported headers, Flash version, system fonts etc. can be captured using a mixture of PHP, Flash and JavaScript. Here is a great website that will give more information on this: http://panopticlick.eff.org

As you can see, this information saved into your database can create quite an accurate and unique representation of a user's computer, a fingerprint. Even if your users change their IP address, if you see the same combination of fingerprints in quick succession there is probably something dodgy going on.

Thoughts

So it really depends on your application. For some, you will want to just try to discourage people from signing up for multiple accounts, in which case simply logging the IP address on signup and comparing would do the job.

For others, like online games, you want to really ensure that no person would ever be allowed to create more than one account, in which case you're going to need to do host fingerprinting and have some clever algorithms to try to score how unique a specific person is, and their likelihood of being one of your other users' alter logins.

iTom
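
The signup check described in the answer above, as an added example that is not part of the original post: `X-Forwarded-For` is honoured only when the TCP peer is a proxy you operate, and reaching the per-IP limit returns a "challenge" (CAPTCHA or manual review) rather than a hard block, since shared and changing addresses make the IP a weak signal. The function names, `signups` table, proxy address and sample requests are assumptions constructed for illustration; it needs the `pdo_sqlite` extension.

```php
<?php
// Added example; names, table layout and proxy address are assumptions.
const TRUSTED_PROXIES = ['10.0.0.5'];   // constructed: your own reverse proxy
const MAX_SIGNUPS_PER_IP = 2;           // limit taken from the question

// REMOTE_ADDR is the TCP peer. X-Forwarded-For is client-supplied, so it is
// only consulted when the peer is a proxy we operate.
function clientIp(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, TRUSTED_PROXIES, true)) {
        // Assumes the proxy appends the address it saw: use the right-most entry.
        $parts = array_map('trim', explode(',', $xff));
        $last  = end($parts);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

// Returns 'allow' or 'challenge' (show a CAPTCHA or queue for manual review).
function signupDecision(PDO $db, string $ip): string {
    $stmt = $db->prepare('SELECT COUNT(*) FROM signups WHERE ip = ?');
    $stmt->execute([$ip]);
    return ((int) $stmt->fetchColumn() >= MAX_SIGNUPS_PER_IP) ? 'challenge' : 'allow';
}

function recordSignup(PDO $db, string $ip, string $userAgent): void {
    $db->prepare('INSERT INTO signups (ip, user_agent, created_at) VALUES (?, ?, ?)')
       ->execute([$ip, $userAgent, time()]);
}

// Demo with constructed requests against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE signups (ip TEXT, user_agent TEXT, created_at INTEGER)');
$requests = [
    ['REMOTE_ADDR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'], // header ignored
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'],    // via trusted proxy
];
foreach ($requests as $req) {
    $ip = clientIp($req);
    $decision = signupDecision($db, $ip);
    echo "$ip => $decision\n";
    if ($decision === 'allow') { recordSignup($db, $ip, $req['HTTP_USER_AGENT'] ?? ''); }
}
```

The third request carries a forged header but is still counted under its real peer address, so it is the one that gets challenged.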