How to track real unique user?

Bruce Jin
Ranch Hand

Joined: Sep 20, 2001
Posts: 666
I can think of a few ways but none of them is 100% reliable.

1. Use http session. This will not work since user can close and reopen browser window.
2. Use IP. This will not work since IP can change for the same user. For example, disconnecting/reconnecting one's cable modem may cause the user to have a new IP assigned by his/her server.
3. Use cookie. This will not work since the user can clear cookies.

Any suggestions?

Thanks.


BJ - SCJP and SCWCD
We love Java programming. It is contagious, very cool, and lot of fun. - Peter Coad, Java Design

Steven Bell
Ranch Hand

Joined: Dec 29, 2004
Posts: 1071
I don't think there is a way to do this. If you could get the MAC from the computer you could track computers that way, but I don't know any way to get a client's MAC. Of course then you are only tracking the computer, you still can't be sure it's the same user.
[ May 23, 2005: Message edited by: Steven Bell ]
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15292
    
Bruce,

Maybe filling us in on your requirements or rather the need to "track real unique user" will help us help you find a solution.


GenRocket - Experts at Building Test Data
Bruce Jin
Ranch Hand

Joined: Sep 20, 2001
Posts: 666
The requirement is to prevent one user from disguising as different users on the same computer to access server information more than allowed (download a free song, for example).

Thanks.
Steven Bell
Ranch Hand

Joined: Dec 29, 2004
Posts: 1071
If I understand correctly what you want to prevent is:

I as a single person on a single computer connect to the server. On this server is an action I should only be allowed to perform once. I as a malicious user want to perform this action multiple times by either setting up multiple accounts or simply visiting the site multiple times and not allowing cookies.

The only thing I could think that would come close is to require a valid email address for each user. Then I as a malicious user could only perform the action as many times as I have email addresses. Of course if I host an email server I could completely get around the whole thing and hit your site as many times as I want.

I'm not sure there is a way to do what you want. At least not over the web.
Bruce Jin
Ranch Hand

Joined: Sep 20, 2001
Posts: 666
Thanks.
It looks like in the HTTP world we cannot associate a user with his/her PC/hardware and cannot uniquely identify him/her.
Let them download the songs!
cheers.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29287
    
Bruce,
As noted above there isn't a way to track unique users. You can still make it as difficult as possible to abuse your service though.

E-mails are the most reliable of the options. It is trivial to get a new session by closing the browser. On dialup, I can get a new IP just by calling in again. Also, IPs lock legit users out (users behind a proxy server share an IP and members of a family share a computer.)

Even better than providing an e-mail is forcing a response from the same e-mail address. If you run a mail server, you still have to keep creating accounts. If not, you have to keep registering for free ones. This makes it a little harder and more time consuming to get free stuff. But not prohibitive.

There is one way that is more secure: ask for a name/address/credit card number. Obviously, you have to be providing something of value to get people to give this info. But it is much harder to forge.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
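
The "force a response from the same e-mail address" idea from the post above, as an added example that is not part of the original thread: the server mails a signed, expiring token to the address and counts a claim only when that token comes back, once per address. `EmailClaimGate`, its methods and the sample address are hypothetical names constructed for illustration, and the in-memory set stands in for a unique database column. As the thread notes, this only raises the cost of repeat claims; it does not stop someone with many addresses.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import static java.nio.charset.StandardCharsets.UTF_8;
// Hypothetical helper: one redemption per confirmed e-mail address.
public class EmailClaimGate {
    private final SecretKeySpec key;
    // In-memory for the demo; a real service would use a unique DB column.
    private final Set<String> claimed = ConcurrentHashMap.newKeySet();

    public EmailClaimGate(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return b64(mac.doFinal(payload.getBytes(UTF_8)));
    }

    /** Token for the confirmation link that is mailed to the address. */
    public String issueToken(String email, long expiresEpochSec) throws Exception {
        String payload = email.trim().toLowerCase(Locale.ROOT) + "|" + expiresEpochSec;
        return b64(payload.getBytes(UTF_8)) + "." + sign(payload);
    }

    /** True only for the first valid, unexpired confirmation per address. */
    public boolean redeem(String token, long nowEpochSec) throws Exception {
        String[] parts = token.split("\\.", 2);
        if (parts.length != 2) return false;
        String payload;
        try { payload = new String(Base64.getUrlDecoder().decode(parts[0]), UTF_8); }
        catch (IllegalArgumentException e) { return false; }
        // Constant-time compare; the payload is trusted only after this check.
        if (!MessageDigest.isEqual(sign(payload).getBytes(UTF_8), parts[1].getBytes(UTF_8))) return false;
        int sep = payload.lastIndexOf('|');
        if (nowEpochSec > Long.parseLong(payload.substring(sep + 1))) return false;
        return claimed.add(payload.substring(0, sep)); // false if already claimed
    }

    public static void main(String[] args) throws Exception {
        EmailClaimGate gate = new EmailClaimGate("constructed-demo-secret".getBytes(UTF_8));
        String t = gate.issueToken("Fan@Example.org ", 2000L); // constructed address
        System.out.println(gate.redeem(t, 1000L) + " " + gate.redeem(t, 1000L)); // first use, then replay
        System.out.println(gate.redeem(t + "x", 1000L)); // tampered signature
    }
}
```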
D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

1. Why? Use permanent cookie, so closing browser won't destroy it instantly.

The e-mail solution doesn't look good to me.
1. I can have no e-mails (it's true my wife doesn't, but does a lot of online purchases)
2. e-mail server can be down
3. a user can forget e-mail password, forget to log in to e-mail and get mailbox locked, can change ISP, e-mail provider can just disappear.


Retire your iPod and start with HD Android music player Kamerton | Minimal J2EE container is here | Light weight full J2EE stack | and build tool | Co-author of "Windows programming in Turbo Pascal"
Steven Bell
Ranch Hand

Joined: Dec 29, 2004
Posts: 1071
Originally posted by D Rog:
1. Why? Use permanent cookie, so closing browser won't destroy it instantly.


Because I, as a malicious user, will simply turn off cookies and/or delete them in between visits.
D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

If you do not want to be identified just go ahead. In this case nothing can help, even installing a certificate to browser and doing double SSL.

Edit: installing a tracking ActiveX or plug-in will not help either, a user can simply completely reinstall the OS, or have a multi-boot configuration, like Linux, Windows, Mac OS, My own company OS, or access from a Treo 650.
[ May 24, 2005: Message edited by: D Rog ]
Steven Bell
Ranch Hand

Joined: Dec 29, 2004
Posts: 1071
Originally posted by D Rog:

Edit: installing a tracking ActiveX or plug-in will not help either, a user can simply completely reinstall the OS, or have a multi-boot configuration, like Linux, Windows, Mac OS, My own company OS, or access from a Treo 650.

[ May 24, 2005: Message edited by: D Rog ]


Or go the more difficult route of turning ActiveX off in the browser.
 