How to accurately identify the user in PHP?

Question

How to accurately identify the user in PHP?

Hello. There is a form where the user can vote. The problem is this: when a user voted, more than the opportunity to do more was impossible. You can just vote when you voted to keep the IP, but it's too unreliable, because IP changes myself, and if desired, it is - a matter of 10 seconds. Are there any more reliable methods of identifying the user?

PHP

Verona43 asked July 8th 19 at 15:32

Related questions

More answers about "How to accurately identify the user in PHP?"

4 answers

Gussie_Hansen answered on July 8th 19 at 15:40

To create a table that will be used to enroll user IDs that have already voted. And re-mapping of the survey, do a check and then have to output the results of the vote.

We once had 3 tables.
poll_questions - stored questions
poll_answer - stored answers
poll_users - chronica user ID, question ID and answer ID.

something like that

Kameron_Hilpert34 answered on · Accepted Answer · 2019-07-08T15:34:40.098Z

Kameron_Hilpert34 answered on July 8th 19 at 15:34

Solution

If you expect that a user will vote only in the browser and do not send the request, e.g. curl-ohms, I would gather as much information about the browser using JS:
1. UserAgent
2. The width and height of the window (maybe stupid)
3. Locale

And so on.

no, the window resolution is not stupid, just. as the locale. - Robert commented on July 8th 19 at 15:37

And what is the profit storage UserAgent? As far as I understand, it is for the same version of the browser, different users will be identical. I think that this is a redundancy, which is not particularly useful. Accidental cheating is enough for something more reliable cookie, for example. But if we're talking about a targeted attack, the UserAgent is generated with poltica - winfield_Keeling commented on July 8th 19 at 15:40

In the console run:

function setCookie(name, value, options) {
 options = options || {};

 var expires = options.expires;

 if (typeof expires == "number" && expires) {
 var d = new Date();
 d.setTime(d.getTime() + expires * 1000);
 expires = options.expires = d;
}
 if (expires && expires.toUTCString) {
 options.expires = expires.toUTCString();
}

 value = encodeURIComponent(value);

 var updatedCookie = name + "=" + value;

 for (var propName in options) {
 updatedCookie += "; " + propName;
 var propValue = options[propName];
 if (propValue !== true) {
 updatedCookie += "=" + propValue;
}
}

 document.cookie = updatedCookie;
}
setCookie("name", "Vasya", {expires: 3600, path: "/", domain: "toster.ru", secure: true});

- Kameron_Hilpert34 commented on July 8th 19 at 15:43

: this is one of the criteria for identification. And cookies are cleaned once or twice and agree that it is much easier than to fake the User agent. - Robert commented on July 8th 19 at 15:46

: I explained my point of view. You have Google Chrome under Ubuntu, and I have the same thing, and returns the userAgent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36" if you treat it as the only identifier, then, if I vote, then you the system will not allow to do so and Vice versa.

Of course, if it is considered as a unit of the set of parameters, it is possible that only the more parameters these composite units, the easier it is to circumvent the protection, it is enough to change any of the settings. - winfield_Keeling commented on July 8th 19 at 15:49

Robert answered on · Accepted Answer · 2019-07-08T15:36:40.098Z

Robert answered on July 8th 19 at 15:36

Solution

cookies, IP, HTTP, User-agent

winfield_Keeling answered on · Accepted Answer · 2019-07-08T15:38:40.098Z

When I studied the issue, took the stage:
1. ip it is changing, and some providers give one external ip for the whole network. Bad option.
2. Cookies/session. Around not too difficult, reset cookies/restart browser.
3. To force the user to log into the system. Ie need to register on your website.
4. That's not just username/password, and intricate, the type of confirmation via email.
5. Or even further with binding by phone number. This, at least, complicate the lives of "criminals".

But (!) all this corruption. Had an experience a few years ago when we did the vote via likes social.networking was not yet common practice the purchase of likes, but then passed over the crowd with daca and stupidly voted for the right person. To ensure objective public opinion cannot, accept and use as all cookies[+session][+ip].