Uniquely ID a user?

miketpowell

Feb 20, 2009
So I need to find the best way to do this:

User A comes to my site directly. I can drop a cookie, check IP, whatever I could normally do once they are on the site.

User A comes back to the site either:

A. normally on the same computer they were before.

B. through a proxy on the same computer they were before.

What are some good ways to do this?

I was thinking just drop a cookie with their current IP and make sure that matches their IP when they come back. But that cuts things down to just users with static IPs. Is there a better way to make sure they aren't coming through a proxy that doesn't rely on IP?
 


Are you trying to stop the guy coming back through a proxy? If so then yes you can just record the IP in the cookie & kick the user out if their IP differs later on. If you're just trying to uniquely identify users you could put a unique number in the cookie & check it when they come back next time.
 

I wouldn't put the IP in the cookie since it can be modified. I would have backend tracking for the IP based on a unique value in the cookie. It's more work but it can't be manipulated as easily.

I would also drop a flash cookie as well, since they can be read no matter what browser is used. That and few people delete them.

There are lists that can be used to check if they are using public proxies. TOR has a list that can be downloaded periodically and you can check against that. There is also IP2Proxy™ IP-Country Database [PX1] but I haven't used it, so I don't know how good it is.

EDIT: just thinking a bit more about it, the IP is going to cause you more problems than it's worth, but you already know that, hence your question :)
 
Are you trying to stop the guy coming back through a proxy?

Exactly, but I also don't want to kick off users that have dynamic IPs if possible.


Yeah I agree a server side solution would be much better and more secure - but right now I'm trying to make something that is "kind of secure" with just client side code so I can throw it up on a CDN and not worry about volume.

Exactly, with the amount of dynamic IPs out there this could prove to falsely ID lots of people as using proxies when they aren't - so I was just wondering if there was any other possible way. I've been looking into HTTP_ACCEPT Headers and User Agents - but I'm not even entirely sure what those are at this point in my research lol.
 
The best way to do this is a combination as suggested.

Sprinkle some salt in the cookie (not literally) and use the salt as a unique ID which must match your internal salt ID. Then log every single IP they visit from and check each one.

Have a dynamic web service or an updated proxy IP list in your db and check the IP against that. You are not going to cut it down completely, for example people with VPN are very hard to catch and you don't want to ban hammer someone because they decided to take their laptop to McDicks for a coffee.
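The combination suggested in the replies above (an opaque ID in the cookie, the IP history kept on the server, and each IP checked against a proxy list) can be sketched as follows. This is an added example, not code from any poster in the thread; the function names are hypothetical, the HMAC tag is one assumed way to make the cookie value tamper-evident, and the proxy ranges are constructed from documentation address space in place of a real downloaded list.

```python
import hashlib, hmac, ipaddress, secrets
from collections import defaultdict

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to the client
# Constructed sample ranges (RFC 5737 documentation space) standing in for a proxy list
PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
seen_ips = defaultdict(set)           # visitor id -> IPs observed (a DB table in practice)


def _tag(vid):
    return hmac.new(SERVER_KEY, vid.encode(), hashlib.sha256).hexdigest()


def issue_cookie():
    """Return a cookie value 'id.tag'; the id is random and carries no IP."""
    vid = secrets.token_hex(16)
    return f"{vid}.{_tag(vid)}"


def verify_cookie(cookie):
    """Return the visitor id if the tag matches, else None (edited or forged cookie)."""
    vid, sep, tag = cookie.partition(".")
    if not sep:
        return None
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing
    ok = hmac.compare_digest(tag.encode(), _tag(vid).encode())
    return vid if ok else None


def is_listed_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETS)


def record_visit(cookie, ip):
    """Classify a request as 'invalid', 'proxy', 'new-ip' or 'known'."""
    vid = verify_cookie(cookie)
    if vid is None:
        return "invalid"
    first_time = ip not in seen_ips[vid]
    seen_ips[vid].add(ip)             # log every IP, listed or not
    if is_listed_proxy(ip):
        return "proxy"
    # A changed but unlisted IP is only noted, so dynamic-IP users are not kicked out
    return "new-ip" if first_time else "known"
```

Only a hit on the proxy list is treated as a proxy visit here; a plain IP change stays a softer signal, which matches the thread's concern about dynamic IPs.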