views: 131

answers: 6

I'd like to know what methods web applications usually employ in order to detect multiple accounts, supposing that the application wants its users to create a single account.

+1  A: 

Use the user's email address as his login (username). Store the email address as a unique key in your database. Not foolproof, of course. Then again, few things are. I'd avoid the temptation of using IP address. You'll get the same user logging in from multiple IP addresses if his ISP uses dynamic IP assignment. Conversely, many users can share a single globally-visible IP address.

Bob Kaufman
But what if the users are careful enough to delete all the cookies before they attempt a second login to a different account?
rantravee
Agreed. Said user has defeated the scheme. What are the consequences of a user creating >1 account? I'm guessing they can go so far with a restricted, free account and a second account will give them twice the whatever. Hmmm... balancing the convenience of legitimate users with thwarting the cheats is the security person's stock-in-trade. Perhaps requiring a credit card number, though you'll lose something like 90% of your legit users. I'll think more about this...
Bob Kaufman
A: 

IP address is the most obvious sign that multiple accounts may be used. This is flawed if two people from the same IP have an account.

John Nolan
Or you've got an entire company hidden behind a single NAT firewall.
Rowland Shaw
Blame IPv4 for that :)
John Nolan
Conversely, folks on AOL/dialup can get additional accounts simply by taking advantage of dynamic IP. Each sign-on brings with it a new IP address.
Bob Kaufman
A: 

I haven't implemented such a solution, but I think that you may use one or more of:

  • Setting & checking a cookie
  • Using sessions
  • Storing the user IP
  • Cross-referencing the details (address, city etc)
Flavius Stef
+1  A: 

Most of the apps I've seen/written are based on a unique email address. If you've got more than one email address, you can apply for more than one account.

If it needs to be more complicated than that...I'd question why you want a user to have only one account.

Justin Niessner
As per my rant, below, I'm guessing that there is a financial consequence to allowing a user to have an infinite number of free accounts. Perhaps @rantravee can enlighten us further.
Bob Kaufman
In this case, allowing a user to possess more than one account would be equivalent to cheating, especially if the users can interact with each other. Of course one might think of a method to detect this, in the context of the application, by analyzing users' behaviour, but is there a general solution/trick that could be applied to catch multiple accounts?
rantravee
I'm going out on a limb and saying you're talking about a browser-based multi-player online game. That case is going to be hard to catch...and you're never going to get 100% coverage. If I knew a little more about the application, maybe I could suggest a better solution.
Justin Niessner
A: 

Two people might share an IP, if they have several computers on a LAN, or their IPs are assigned dynamically. You can use a cookie to track the last username they logged in with. Then when they log in with a different name, you know the same browser's been used to access multiple accounts. You can use Flash's storage to get around them clearing their browser cookies.

David
A: 

In most cases it's simplest just not to care if a user has more than one account. If it's a situation where you are offering, like, x free per account and you want them to pay for extra, you're pretty limited. If you have anything uniquely identifiable that they can't lie about, like an address if they want you to send stuff to them, you can disallow duplicates. If it's a really big problem I would add extra captcha or email validation steps if you detect a duplicate IP address. That way you don't disallow a legitimate duplicate but you'll hopefully force moochers to just pay instead of going through the hoops.

Joshua
Unfortunately, most of your suggestions will, IMHO, scare off a disproportionate number of legitimate users.
Bob Kaufman
Granted, additional hoops will clearly lose legitimate users, but it then becomes a business decision of which is greater: the expected revenue from the lost legitimate users or the expected revenue from moochers 'forced' to pay.
Joshua
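As an added example (not code from any of the answers above), here is one way to combine the signals the answers discuss: the e-mail address as a unique key, a persistent device cookie that has been used to log in to more than one username, and a shared IP address treated only as a trigger for extra verification rather than a block, since NAT and dynamic IPs make it unreliable. The `Login` record, the `device_cookie` field and the sample logins are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Login:
    username: str
    email: str
    ip: str
    device_cookie: Optional[str]  # None when the browser sent no cookie

def normalize_email(addr: str) -> str:
    """Lower-case and drop a '+tag' so 'Alice+x@Example.com' and
    'alice@example.com' collide on the unique e-mail key."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def link_accounts(logins):
    """Return {'linked': ..., 'step_up': ...} sets of usernames.
    linked  : tied by a strong signal (same normalized e-mail, or one
              persistent device cookie seen on more than one account).
    step_up : only share an IP with another account; NAT and dynamic IPs
              make that too weak to block on, so ask for extra verification.
    """
    by_email, by_cookie, by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for entry in logins:
        by_email[normalize_email(entry.email)].add(entry.username)
        if entry.device_cookie:
            by_cookie[entry.device_cookie].add(entry.username)
        by_ip[entry.ip].add(entry.username)
    linked = set()
    for group in (*by_email.values(), *by_cookie.values()):
        if len(group) > 1:
            linked |= group
    step_up = set()
    for group in by_ip.values():
        if len(group) > 1:
            step_up |= group
    return {"linked": linked, "step_up": step_up - linked}

# Constructed sample logins (not real data); the IPs are documentation ranges.
SAMPLE_LOGINS = [
    Login("alice", "alice@example.com", "203.0.113.5", "cookie-a"),
    Login("alice2", "Alice+alt@Example.com", "198.51.100.9", "cookie-b"),
    Login("bob", "bob@example.com", "203.0.113.5", "cookie-c"),
    Login("bob_alt", "bobalt@example.com", "198.51.100.77", "cookie-c"),
    Login("carol", "carol@example.com", "203.0.113.5", None),
]
```

On the sample, `alice`/`alice2` are linked through the normalized e-mail and `bob`/`bob_alt` through the shared cookie, while `carol` only shares an IP with others and so lands in the verification bucket.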