Log Specific IP address of a Registered User

How can I get the IP of someone and then check if this specific user has already created 2 users?

Like, if this IP: xx.xx.xxx.xx has already successfully registered 2 users, then cancel his third registration.

How can I do that?

As the IP address usually will change every day, and the person could obtain a new IP address while reconnecting to his provider or he could use a proxy, your solution will not work. Don't even try it!

Also note that multiple users can be members of a bigger network with one outer IP (like a university). You would allow only one out of them to create an account.

Your planned solution would lead to situations where valid users cannot create an account but hackers could easily circumvent the restriction and even better prevent others from creating an account. Again, don't try this!

IP Address Information

First you should be looking in these two server variables for your client IP address. The first one below is normally the most accurate and commonly used; you might also want to use the second, however be aware that this can be spoofed by your clients.

$_SERVER['REMOTE_ADDR'] // Normally here
$_SERVER['HTTP_X_FORWARDED_FOR'] // Sometimes if behind proxy

Next, IP addresses regularly change for internet clients for a few reasons: dynamic IPs from ISPs' broadband services, a user's normal mobility on the internet, or people using evasive tactics to get past your IP limitation security (normally using a type of internet proxy service).

Because of this you will normally want to store the IP when the user signs up, and also update this list each time that they log in to keep an IP history for that user.

Next, when another person signs up for your service you will need to compare their IP address to that of your database contents, however you need to be careful here. There are plenty of valid reasons for a user sharing the same IP address, for example a workplace or university will normally have thousands of users using a single public IP address.

Fingerprinting

Finally, something that I know a few services do is try to capture more identifiable information from the client than just the public IP address that they are using.

For example, from PHP you should be able to capture information such as the User Agent:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36

Other information like timezone, HTTP supported headers, Flash version, system fonts etc. can be captured using a mixture of PHP, Flash and JavaScript. Here is a great website that will give more information on this: http://panopticlick.eff.org

As you can see, this information saved into your database can create quite an accurate and unique representation of a user's computer, a fingerprint. Even if your users change their IP address, if you see the same combination of fingerprints in quick succession there is probably something dodgy going on.

Thoughts

So it really depends on your application. Some you will want to just try to discourage people from signing up for multiple accounts, in which case simply logging the IP address on signup and comparing would do the job.

Others, like online games, you want to really ensure that no person would ever be allowed to create more than one account, in which case you're going to need to do host fingerprinting and have some clever algorithms to try to score how unique a specific person is, and their likelihood of being one of your other users' alternate logins.
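The signup-time IP logging and comparison described in the answer above, as an added example that is not part of the original posts. The names `TRUSTED_PROXIES`, `client_ip`, `try_signup`, the `signups` table, the 24-hour window and the use of the pdo_sqlite extension are assumptions made for illustration; the sample addresses are constructed.

```php
<?php
declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.5']; // assumption: reverse proxies you operate
const MAX_SIGNUPS_PER_IP = 2;          // limit from the question
const WINDOW_SECONDS = 86400;          // assumption: count over 24 hours

// X-Forwarded-For is honoured only when the direct peer (REMOTE_ADDR) is a
// trusted proxy; otherwise the header is client-controlled and ignored.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    // Walk right to left: the rightmost hops were appended by our own proxies.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed header: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Record the signup unless this IP already reached the limit inside the window.
function try_signup(PDO $db, string $user, string $ip, int $now): bool
{
    $q = $db->prepare('SELECT COUNT(*) FROM signups WHERE ip = ? AND created_at > ?');
    $q->execute([$ip, $now - WINDOW_SECONDS]);
    if ((int) $q->fetchColumn() >= MAX_SIGNUPS_PER_IP) {
        return false;
    }
    $db->prepare('INSERT INTO signups (username, ip, created_at) VALUES (?, ?, ?)')
       ->execute([$user, $ip, $now]);
    return true;
}

// Constructed demo: in-memory SQLite; the client sends a forged header directly.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE signups (username TEXT, ip TEXT, created_at INTEGER)');
$request = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
foreach (['alice', 'bob', 'carol'] as $user) {
    $ip = client_ip($request); // peer is not a trusted proxy, header ignored
    $ok = try_signup($db, $user, $ip, time());
    echo $user . ' from ' . $ip . ': ' . ($ok ? 'registered' : 'limit reached') . "\n";
}
```

The count and the insert are not atomic here, so wrap them in a transaction if concurrent signups matter. Users behind one shared public address, such as the university case mentioned above, will hit the same limit together.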
