
How to track real unique user?

 
Bruce Jin
I can think of a few ways but none of them is 100% reliable.

1. Use http session. This will not work since user can close and reopen browser window.
2. Use IP. This will not work since IP can change for the same user. For example, disconnecting/reconnecting one's cable modem may cause the user to have a new IP assigned by his/her server.
3. Use cookie. This will not work since the user can clear cookies.

Any suggestions?

Thanks.
 
Steven Bell
I don't think there is a way to do this. If you could get the MAC from the computer you could track computers that way, but I don't know any way to get a client's MAC. Of course then you are only tracking the computer, you still can't be sure it's the same user.
[ May 23, 2005: Message edited by: Steven Bell ]
 
Gregg Bolinger
Bruce,

Maybe filling us in on your requirements or rather the need to "track real unique user" will help us help you find a solution.
 
Bruce Jin
The requirement is to prevent one user from disguising as different users on the same computer to access server information more than allowed (download a free song, for example).

Thanks.
 
Steven Bell
If I understand correctly what you want to prevent is:

I as a single person on a single computer connect to server. On this server is an action I should only be allowed to perform once. I as a malicious user want to perform this action multiple times by either setting up multiple accounts or simply visiting the site multiple times and not allowing cookies.

The only thing I could think that would come close is to require a valid email address for each user. Then I as a malicious user could only perform the action as many times as I have email addresses. Of course, if I host an email server I could completely get around the whole thing and hit your site as many times as I want.

I'm not sure there is a way to do what you want. At least not over the web.
 
Bruce Jin
Thanks.
It looks like in the HTTP world we cannot associate a user with his/her PC/hardware and cannot uniquely identify him/her.
Let them download the songs!
cheers.
 
Jeanne Boyarsky
Bruce,
As noted above there isn't a way to track unique users. You can still make it as difficult as possible to abuse your service though.

E-mails are the most reliable of the options. It is trivial to get a new session by closing the browser. On dialup, I can get a new IP just by calling in again. Also, IPs lock legit users out (users behind a proxy server share an IP and members of a family share a computer.)

Even better than providing an e-mail is forcing a response from the same e-mail address. If you run a mail server, you still have to keep creating accounts. If not, you have to keep registering for free ones. This makes it a little harder and more time consuming to get free stuff. But not prohibitive.

There is one way that is more secure: ask for a name/address/credit card number. Obviously, you have to be providing something of value to get people to give this info. But it is much harder to forge.
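
The e-mail round trip described in the post above, sketched as an added example that is not part of the original thread or any poster's code: the server mails a signed, expiring token to the address and grants the one-time action only once per confirmed address. `SECRET`, `TOKEN_TTL`, the in-memory `_redeemed` set and all function names are assumptions made for illustration; as the thread notes, this limits grants per mailbox, not per person.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 3600                  # assumption: confirmation link is valid for one hour
_redeemed = set()                 # addresses that already used the one-time action


def normalize(email):
    """Collapse trivial variants (case, whitespace) so one mailbox counts once."""
    return email.strip().lower()


def _sign(addr, ts):
    """HMAC over the normalized address and issue time; binds the token to both."""
    return hmac.new(SECRET, (addr + "|" + ts).encode(), hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Value to embed in the confirmation link that is mailed to `email`."""
    ts = str(int(now if now is not None else time.time()))
    return ts + "." + _sign(normalize(email), ts)


def redeem(email, token, now=None):
    """Return 'granted', or the reason the one-time action is refused."""
    now = now if now is not None else time.time()
    addr = normalize(email)
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "malformed"
    # Constant-time comparison; a token issued for another address fails here.
    if not hmac.compare_digest(mac.encode(), _sign(addr, ts).encode()):
        return "bad-signature"
    if now - int(ts) > TOKEN_TTL:
        return "expired"
    if addr in _redeemed:
        return "already-used"
    _redeemed.add(addr)
    return "granted"
```
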
 
D Rog
1. Why? Use permanent cookie, so closing browser won't destroy it instantly.

E-mail solution doesn't look good to me.
1. I can have no e-mails (it's true my wife doesn't, but does a lot of online purchases)
2. e-mail server can be down
3. a user can forget e-mail password, forget to log in to e-mail and get mailbox locked, can change ISP, e-mail provider can just disappear.
 
Steven Bell
Originally posted by D Rog:
1. Why? Use permanent cookie, so closing browser won't destroy it instantly.


Because I, as a malicious user, will simply turn off cookies and/or delete them in between visits.
 
D Rog
If you do not want to be identified just go ahead. In this case nothing can help, even installing a certificate in the browser and doing double SSL.

Edit: installing a tracking ActiveX or plug-in will not help either, a user can simply completely reinstall the OS, or have a multi-boot configuration, like Linux, Windows, Mac OS, my own company OS, or access from a Treo 650.
[ May 24, 2005: Message edited by: D Rog ]
 
Steven Bell
Originally posted by D Rog:

Edit: installing a tracking ActiveX or plug-in will not help either, a user can simply completely reinstall the OS, or have a multi-boot configuration, like Linux, Windows, Mac OS, my own company OS, or access from a Treo 650.

[ May 24, 2005: Message edited by: D Rog ]


Or go the more difficult route of turning ActiveX off in the browser.
 