Re: ensuring singularity of users

2003-09-16 Thread Perrin Harkins
On Tue, 2003-09-16 at 12:46, Zack Brown wrote:
> I'd like to implement something that tries to ensure that one user can't
> masquerade as multiple users.

We talked quite a bit about preventing multiple logins recently.  I
think it was last week.  Check the archives.

> I'm looking into Captchas

Are you trying to prevent multiple people from using the same account,
or one person from having multiple windows open, or anyone from using
bots?

> My
> impression so far is that there's no 100% effective way to do it.

That's correct, unless you have control over the client machines.  You
can require cookies, which will tell you if multiple users on separate
browsers are sharing a login, but that's about all you can do without
possibly breaking your system for someone.

- Perrin


Re: ensuring singularity of users

2003-09-16 Thread Stas Bekman
Perrin Harkins wrote:
> On Tue, 2003-09-16 at 12:46, Zack Brown wrote:
> > I'd like to implement something that tries to ensure that one user can't
> > masquerade as multiple users.
>
> We talked quite a bit about preventing multiple logins recently.  I
> think it was last week.  Check the archives.

Perhaps someone would like to summarize these and put a short tutorial on
perl.apache.org? This question seems to come back pretty often.

__
Stas Bekman            JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: ensuring singularity of users

2003-09-16 Thread Zack Brown
On Tue, Sep 16, 2003 at 01:55:46PM -0400, Perrin Harkins wrote:
> On Tue, 2003-09-16 at 12:46, Zack Brown wrote:
> > I'd like to implement something that tries to ensure that one user can't
> > masquerade as multiple users.
>
> We talked quite a bit about preventing multiple logins recently.  I
> think it was last week.  Check the archives.
>
> > I'm looking into Captchas
>
> Are you trying to prevent multiple people from using the same account,
> or one person from having multiple windows open, or anyone from using
> bots?

I want to prevent one person from having multiple accounts.

 
> > My
> > impression so far is that there's no 100% effective way to do it.
>
> That's correct, unless you have control over the client machines.  You
> can require cookies, which will tell you if multiple users on separate
> browsers are sharing a login, but that's about all you can do without
> possibly breaking your system for someone.

Someone can appear to be multiple people by disabling cookies though.

I want to ensure that if person A registers to use a site, they are not
able to register again using a different login, or else they are only
able to register a small enough number of times that it isn't worth it
for them to do so.

Be well,
Zack

 
> - Perrin

-- 
Zack Brown


Re: ensuring singularity of users

2003-09-16 Thread Perrin Harkins
On Tue, 2003-09-16 at 14:42, Zack Brown wrote:
> I want to prevent one person from having multiple accounts.

Okay.

> > That's correct, unless you have control over the client machines.  You
> > can require cookies, which will tell you if multiple users on separate
> > browsers are sharing a login, but that's about all you can do without
> > possibly breaking your system for someone.
>
> Someone can appear to be multiple people by disabling cookies though.

That's why I said require cookies: you reject all requests from people
who don't allow cookies, and then you use the cookies for tracking.  A
moderately tech-savvy user can delete your cookie and log in again under
a separate account, but people who are scared of opening up prefs and
messing with cookie management (or people who simply don't care enough
to bother) will be stopped.

If you have a fixed set of clients who are definitely not using proxies,
you can use IP instead of cookies.

> I want to ensure that if person A registers to use a site, they are not
> able to register again using a different login

Ask them for a credit card then.  There's no other way that will really
work 100% of the time.

- Perrin
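
The "require cookies, then use them for tracking" approach from the message above, as an added example that is not code from the thread. It uses only core Perl (Digest::SHA); the secret, the per-cookie limit, the in-memory `%accounts_for` store and all function names are assumptions for illustration, and the last two constructed requests exercise the limitation Perrin notes, a user who deletes the cookie.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET       = 'constructed-demo-secret';  # assumption: server-side key, never sent out
my $MAX_ACCOUNTS = 1;                          # assumption: registrations allowed per cookie
my %accounts_for;                              # token id => registrations seen so far
my $next_id = 1;

# Cookie value is "<id>.<hmac>", so a client cannot mint new ids on its own.
sub issue_cookie {
    my $id = sprintf 'b%06d', $next_id++;
    return "$id." . hmac_sha256_hex($id, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the token id for a well-formed, correctly signed cookie, else undef.
sub verify_cookie {
    my ($cookie) = @_;
    return unless defined $cookie && $cookie =~ /\A(b\d{6})\.([0-9a-f]{64})\z/;
    my ($id, $mac) = ($1, $2);
    return same_string(hmac_sha256_hex($id, $SECRET), $mac) ? $id : undef;
}

# Registration decision: no valid cookie means "set one and retry", never "register".
sub register {
    my ($cookie, $login) = @_;
    my $id = verify_cookie($cookie);
    return ('retry', issue_cookie()) unless defined $id;
    return ('limit_reached') if ($accounts_for{$id} // 0) >= $MAX_ACCOUNTS;
    $accounts_for{$id}++;
    return ("registered $login");
}

# Constructed requests covering the cases raised in the thread.
my ($s1, $cookie) = register(undef, 'alice');       # first visit, or cookies refused
my ($s2) = register($cookie, 'alice');              # browser sent the cookie back
my ($s3) = register($cookie, 'alice2');             # second account, same browser
my ($s4) = register('b000042.' . '0' x 64, 'bob');  # made-up token, bad signature
my ($s5, $fresh) = register(undef, 'alice3');       # user deleted the cookie
my ($s6) = register($fresh, 'alice3');              # fresh token, limit starts over
print "$_\n" for $s1, $s2, $s3, $s4, $s5, $s6;
```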


Re: ensuring singularity of users

2003-09-16 Thread Zack Brown
On Tue, Sep 16, 2003 at 03:11:04PM -0400, Perrin Harkins wrote:
> On Tue, 2003-09-16 at 14:42, Zack Brown wrote:
> > I want to prevent one person from having multiple accounts.
>
> Okay.
>
> > > That's correct, unless you have control over the client machines.  You
> > > can require cookies, which will tell you if multiple users on separate
> > > browsers are sharing a login, but that's about all you can do without
> > > possibly breaking your system for someone.
> >
> > Someone can appear to be multiple people by disabling cookies though.
>
> That's why I said require cookies: you reject all requests from people
> who don't allow cookies, and then you use the cookies for tracking.  A
> moderately tech-savvy user can delete your cookie and log in again under
> a separate account, but people who are scared of opening up prefs and
> messing with cookie management (or people who simply don't care enough
> to bother) will be stopped.
>
> If you have a fixed set of clients who are definitely not using proxies,
> you can use IP instead of cookies.

Any simple way to defeat the system will end up not working. I'm looking
for something truly secure.

 
> > I want to ensure that if person A registers to use a site, they are not
> > able to register again using a different login
>
> Ask them for a credit card then.  There's no other way that will really
> work 100% of the time.

That's what I figured. Even that won't work all the time, but it will
probably limit people to one login per credit card. Unfortunately, then
I have to get a merchant account, and there will always be some users
who just don't like giving out credit card information.

Be well,
Zack

 
> - Perrin

-- 
Zack Brown