tags:

views:

70

answers:

3
Q: 

Tracking and logging anonymous users

If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.

Client side cookies can be deleted and server side cookies again have no way to reliably map said cookie to the anonymous user.

Does this mean there is no reliable way of tracking anonymous users indefinitely?

A: 

Yes, there is no certainty in tracking IP addresses or using cookies.

Andy West  2009-12-12 11:25:49
+1  A: 

If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting

Unless that page is extremely popular, it's very unlikely that someone else being assigned the same IP address by the ISP would also visit it.

Edit: Users using the same IP address due to NAT are a much bigger problem and probably a deal-breaker for using the IP address. I'd be less worried about corporate networks than about private home networks: very common, and having two people in the same household wanting to visit and vote on the same site is rather more likely than two random strangers.

and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.

It's not just a question of time; most ISPs assign IP addresses upon connect, so all someone has to do to get a new one is to reinitialize their DSL connection (or whatever they use).

Does this mean there is no reliable way of tracking anonymous users indefinitely?

Correct.

Michael Borgwardt  2009-12-12 11:27:08
Thanks for clarifying. Any numbers available on the likelihood?
stef  2009-12-12 11:32:36
Not really, that depends on too many factors. But the biggest one would be the popularity of the site.
Michael Borgwardt  2009-12-12 11:50:08
+3  A: 

Using only IP addresses for user authentication/identification is extremely unreliable. There might be many hundreds or even thousands of users behind one IP (e.g a corporate network) and for most of those on home connections their IPs are likely to be dynamic and regularly changing.

You have to use Cookies for more reliable tracking. You can specify just about any time-to-live for a cookie, so that when an anonymous user returns, you can identify him.

Of course cookies can be deleted by users, so they could delete their cookies and vote again. However, is this likely to be a big problem? If someone really wants to game your poll, they could write a script. However, you could add a few basic security features: only allow some maximum votes per IP per day, and allow only so many votes per IP per second.

Richard  2009-12-12 11:31:50
"There might be many hundreds or even thousands of users behind one IP (e.g a corporate network)" - had not thought of that, thanks.
stef  2009-12-12 11:43:12
@Richard, thanks for your answer.I've never dealt with anonymous users situation, now I have to implement this functionality.How do I do it? can you refer me to a good tutorial about it? I need to collect steady data like voting, comments, etc. from anonymous users based on cookie, but I don't want to store these users like 'Users', i only want to save their votes, comments, and their IP source, so I can know what country it is from - for statistic trackings.Tx
Shimmy  2010-07-27 06:18:04

related questions

Storing xml data in a cookie
Best way to secure an AJAX app
Is it possible to delete subdomain cookies?
What are the possible causes of a CGI::Session::CookieStore::TamperedWithCookie exception in rails
How do I access cookies within Flash?
Cookies and subdomains
Accessing Domain Cookies within an iFrame on Internet Explorer
Web Dev - Where to store state of a shopping-cart-like object?
Can JQuery read/write cookies to a browser?
Can you reliably set or delete a cookie during the server side processing of an Ajax (XHR) call?
How can I add cookies to Seaside responses without redirecting?
passing or reading .net cookie in php page
Best way for allowing subdomain session cookies using Tomcat
Why can't I delete this cookie?!
Apache Download: Make sure that page was viewed before download
Secure session cookies in ASP.NET over HTTPS
Always including the user in the django template context
How do you set up use HttpOnly cookies in PHP
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
How do HttpOnly cookies work with AJAX requests?
What is the best way to prevent session hijacking?
Associating source and search keywords with account creation
How would you implement FORM based authentication without a backing database?
How do I stop IIS7 dropping my cookies?