I can think of a few ways but none of them is 100% reliable.
1. Use http session. This will not work since user can close and reopen browser window.
2. Use IP. This will not work since IP can change for the same user. For example, disconnect/reconnect one's cable modem may cause the user to have a new IP assigned by his/her server.
3. Use cookie. This will not work since the user can clear cookies.
BJ - SCJP and SCWCD
We love Java programming. It is contagious, very cool, and lot of fun. - Peter Coad, Java Design
I don't think there is a way to do this. If you could get the MAC from the computer you could track computers that way, but I don't know any way to get a client's MAC. Of course then you are only tracking the computer, you still can't be sure it's the same user.
[ May 23, 2005: Message edited by: Steven Bell ]
The requirement is to prevent one user from disguising as different users on the same computer to access server information more than allowed (download a free song for example).
Joined: Dec 29, 2004
If I understand correctly what you want to prevent is:
I as a single person on a single computer connect to server. On this server is an action I should only be allowed to perform once. I as a malicious user want to perform this action multiple times by either setting up multiple accounts or simply visiting the site multiple times and not allowing cookies.
The only thing I could think that would come close is to require a valid email address for each user. Then I as a malicious user could only perform the action as many times as I have email addresses. Of course if I host an email server I could completely get around the whole thing and hit your site as many times as I want.
I'm not sure there is a way to do what you want. At least not over the web.
Joined: Sep 20, 2001
Thanks. It looks like that in http world we cannot associate a user to his/her pc/hardware and cannot uniquely identify him/her. Let them download the songs! cheers.
Bruce, As noted above there isn't a way to track unique users. You can still make it as difficult as possible to abuse your service though.
E-mails are the most reliable of the options. It is trivial to get a new session by closing the browser. On dialup, I can get a new IP just by calling in again. Also, IPs lock legit users out (users behind a proxy server share an IP and members of a family share a computer.)
Even better than providing an e-mail is forcing a response from the same e-mail address. If you run a mail server, you still have to keep creating accounts. If not, you have to keep registering for free ones. This makes it a little harder and more time consuming to get free stuff. But not prohibitive.
There is one way that is more secure: ask for a name/address/credit card number. Obviously, you have to be providing something of value to get people to give this info. But it is much harder to forge.
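The "force a response from the same e-mail address" check described above, as an added example that is not part of the original posts: the server mails a signed confirmation token and allows the one-time action once per confirmed address. The names `SECRET`, `TOKEN_TTL` and the in-memory `_redeemed` set are assumptions standing in for a real key store and database.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
TOKEN_TTL = 3600                   # assumption: confirmation link valid for one hour
_redeemed = set()                  # stands in for a database table of addresses already served


def normalize(email):
    """Lower-case the address so case variants count as one identity."""
    return email.strip().lower()


def issue_token(email, now=None):
    """Build the value mailed to the address: '<expiry>.<hex HMAC over address and expiry>'."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f"{normalize(email)}|{expiry}".encode()
    return f"{expiry}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def redeem(email, token, now=None):
    """Return 'ok' once per confirmed address, otherwise the reason for refusal."""
    now = int(now if now is not None else time.time())
    addr = normalize(email)
    try:
        expiry_text, mac = token.split(".", 1)
        expiry = int(expiry_text)
    except ValueError:
        return "malformed"
    expected = hmac.new(SECRET, f"{addr}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    if now > expiry:
        return "expired"
    if addr in _redeemed:
        return "already-used"
    _redeemed.add(addr)
    return "ok"


if __name__ == "__main__":
    t = issue_token("Alice@example.com", now=1000)   # constructed sample address
    print(redeem("alice@example.com", t, now=1200))  # first use
    print(redeem("alice@example.com", t, now=1300))  # repeat is refused
```

As the thread says, this only raises the cost per extra download: anyone who controls many mailboxes still gets one redemption per address.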
1. Why? Use permanent cookie, so closing browser won't destroy it instantly.
e-mail solution doesn't look good for me.
1. I can have no e-mails (it's true my wife doesn't, but does a lot of online purchases)
2. e-mail server can be down
3. a user can forget e-mail password, forget to log in to e-mail and get mailbox locked, can change ISP, e-mail provider can just disappear.
Originally posted by D Rog: 1. Why? Use permanent cookie, so closing browser won't destroy it instantly.
Because I, as a malicious user, will simply turn off cookies and/or delete them in between visits.
Joined: Feb 07, 2004
If you do not want to be identified just go ahead. In this case nothing can help, even installing a certificate to browser and doing double SSL.
Edit: installation tracking ActiveX or plug-in will not help either, a user can simply completely reinstall OS, or have multi boot configuration, like Linux, Windows, Mac OS, My own company OS, or access from Treo 650.
[ May 24, 2005: Message edited by: D Rog ]
Joined: Dec 29, 2004
Originally posted by D Rog:
Edit: installation tracking ActiveX or plug-in will not help either, a user can simply completely reinstall OS, or have multi boot configuration, like Linux, Windows, Mac OS, My own company OS, or access from Treo 650.
[ May 24, 2005: Message edited by: D Rog ]
Or go the more difficult route of turning ActiveX off in the browser.