
identifying a user with two accounts

I appreciate that there's never going to be a perfect answer for this, but I was wondering how far you could go, using PHP+MySQL to automatically flag/identify an individual who had two accounts on your website.

Say, for example, on this site, they could use one account to 'boost' the other account's reputation - which would be a no-no.

At the moment I have an IP field that is updated upon each login with their remote server IP, which is far from perfect. Are there any better solutions (aside from detailed logs and comparing trends between users' actions) that could give you a quick 'hint' at a glimpse to suggest that this might be going on by means of a more accurate IP comparison or something else?

Obviously, if the user REALLY wants to do this, they will find a way - but I want to find a reasonable solution to make it (at least) moderately difficult or frustrating for them to pull it off.

Many thanks

There are solutions with disadvantages...

In my opinion, there isn't an effective way to prevent users from creating multiple accounts.

As you have pointed out, you can store the IPs, machine names, session_id() in PHP... and do some analytics control, but this can bring you false positives: users who share the same IP, the same machine...

A possible solution is to make things difficult, using some kind of user validation, like validating the phone, validating the mail, answering a long registration form... Eventually this may make the attackers think twice about the cost of doing extra work to create multiple accounts.

The disadvantage is that real users must do the same, and maybe they will not come to your site with this kind of validation.

It's hard to choose between those.

Another possible solution is to do the registration through a third-party app, like a Facebook or Google account. It becomes easy to filter multiple accounts, and it is an easy way to log in for real users.

And finally, for me, one of the strongest methods to control your community is to build an achievement/reputation system like Stack Overflow. It allows you to ensure that new users don't interfere with the system if they don't spend time working on/for the community. From my point of view, a really robust solution to manage a community.

The IP-address ban method is way too easy to get around, at least as the only security method. Adding it won't hurt more than the time spent implementing it, and the method sure helps a bit, but just make sure you complement it.

Since you have some kind of accounts, I would suggest you look more at the user part. What behaviors are typical for an account that is only used for boosting another? For each of those actions, log the two users, and if you see a following pattern, send a warning or ban.

If it's a game, or someone might want to ban another person for some reason, make sure to find these typical actions from that receiver as well (or find connections in IP addresses to confirm). This prevents "boosting" attacks that may result in an incorrect ban.

It's hard to give tips not knowing how the system is supposed to work and what values you have in it, but I hope it gives you some new thoughts.
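The pair-logging idea from the last answer, combined with the login-IP field from the question, as an added example that is not part of the original posts. The user IDs, thresholds, function name and sample data are constructed assumptions; in a real site both arrays would come from MySQL tables.

```php
<?php
// Constructed vote log: [voter_id, receiver_id]
$votes = [
    [1, 2], [1, 3], [1, 4],                  // ordinary user, votes spread out
    [9, 2], [9, 2], [9, 2], [9, 2], [9, 2],  // account 9 only ever votes for 2
    [5, 6], [5, 6], [5, 6], [5, 6], [5, 3],  // account 5 mostly votes for 6
];
// Constructed login history: user_id => IPs seen at login (documentation ranges)
$loginIps = [
    1 => ['198.51.100.7'],
    2 => ['203.0.113.10', '203.0.113.11'],
    9 => ['203.0.113.10'],
    5 => ['192.0.2.44'],
    6 => ['198.51.100.90'],
];

// Flag voter/receiver pairs where the voter spends most of its votes on one
// receiver, then look for a login-IP link before involving the receiver.
function flagBoostingPairs(array $votes, array $loginIps,
                           int $minVotes = 4, float $minShare = 0.8): array
{
    $pairCount = [];   // [voter][receiver] => number of votes
    $voterTotal = [];  // voter => total votes cast
    foreach ($votes as [$voter, $receiver]) {
        $pairCount[$voter][$receiver] = ($pairCount[$voter][$receiver] ?? 0) + 1;
        $voterTotal[$voter] = ($voterTotal[$voter] ?? 0) + 1;
    }
    $flags = [];
    foreach ($pairCount as $voter => $receivers) {
        foreach ($receivers as $receiver => $n) {
            $share = $n / $voterTotal[$voter];
            if ($n < $minVotes || $share < $minShare) {
                continue;  // too few votes or too spread out to be a hint
            }
            $shared = array_values(array_intersect(
                $loginIps[$voter] ?? [], $loginIps[$receiver] ?? []));
            // Without a link between the accounts, the receiver may be the
            // target of someone trying to get them banned: review the voter only.
            $action = $shared ? 'review_both' : 'review_voter_only';
            $flags[] = compact('voter', 'receiver', 'n', 'share', 'shared', 'action');
        }
    }
    return $flags;
}

foreach (flagBoostingPairs($votes, $loginIps) as $f) {
    printf("%d -> %d: %d votes (%.0f%% of voter's total), shared IPs: [%s], %s\n",
        $f['voter'], $f['receiver'], $f['n'], $f['share'] * 100,
        implode(', ', $f['shared']), $f['action']);
}
```

A shared IP is still only a hint, since households, offices and mobile carriers put unrelated users behind one address, so the output is meant for a review queue rather than an automatic ban.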

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 