I want to detect multi accounts in a browser game: If a user has more than one account, I want to know this.

For various reasons, I don't want to detect the multi accounts by comparing IPs anymore. Users can share IPs and IPs are easy to change. So this is not a good method.

Instead, I want to detect the accounts using cookies. Do you think this is a good solution?

<?php
// Identify a single browser; note that mt_rand() is not a cryptographic source,
// so this hash is a convenience tag rather than an unguessable token.
$uniqueHash = md5($_SERVER['REMOTE_ADDR'].mt_rand(1, 100000));
if (isset($_COOKIE['uniqueHash'])) {
    // Cookie values are client-controlled: bind them as a query parameter, never interpolate them.
    // UPDATE dbTable SET uniqueHash = ? WHERE id = ?   (bound to $_COOKIE['uniqueHash'] and x)
} else {
    // 30-day cookie, sent for the whole domain, HttpOnly so script cannot read it
    setcookie('uniqueHash', $uniqueHash, time()+3600*24*30, '/', '.domain.com', FALSE, TRUE);
}
?>

After that, I can select all users who have the same uniqueHash value from the database table.

Is this improvable? Or a totally bad solution?

What about flash cookies? They're better, right? But I can't use them when I have no flash on my site, can I?

Thanks in advance!

+3  A: 

If you create a log containing the login date, IP, hash and UserID, you might be able to get an idea of whether a user is a multi account or not. Detecting it automatically will be nearly impossible: if I'm visiting a friend of mine, I might log in on his computer to check my account?

So log all the data, then have a "multihunter" human look into whether it's the same player or not.

Cederstrom
This is probably the easier solution. I used to play a web game called Travian with a couple co-workers and one individual had written a quick tool to swap cookies out when he logged into his other accounts. We assume the only way he got caught was a human comparing his login times to his IP address.
David
Yes, and create a nice Lucene/SOLR based app to be able to search the log information easily and quickly.
Vinko Vrsalovic
Thank you very much, you've convinced me to let humans check the logs for multi accounts.
+1  A: 

Storing values into cookies is even worse than comparing IPs imho. Cookies are very easy to change/delete while changing your IP is much harder.

I think your best shot is to have some basic AI solution which flags suspicious accounts. So multiple logins with the same IP at the same time (could be IP sharing or multiple browsers at the same time) is something the AI should pick up. Also look at logouts and logins from the same IP with different accounts at short notice. Try to look up hostnames and use those as well, since the ISP's DHCP sometimes gives clients a new IP but the hostname stays the same.

The point is that there is no solution which is based upon one piece of information.

Btw, another solution that comes to mind is to let users confirm their account by sending an SMS or letting them pay a very small amount (like $1); in that case it is not attractive to register many accounts.

Henri
Thank you, this is how I'm going to do it now :)
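The heuristics the two answers describe (log date, IP, hash and UserID; flag concurrent logins from one IP, a logout followed shortly by a different account's login from the same IP, and one cookie hash seen on two accounts) as an added example for the reviewing human, not code from the question or either answer. The log format and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the question). One event per line:
# timestamp event ip user_id cookie_hash
SAMPLE_LOG = """\
2010-06-01T10:00:00 login  203.0.113.5  alice h1
2010-06-01T10:05:00 login  203.0.113.5  bob   h2
2010-06-01T10:30:00 logout 203.0.113.5  alice h1
2010-06-01T10:31:00 logout 203.0.113.5  bob   h2
2010-06-01T11:00:00 login  198.51.100.9 carol h3
2010-06-01T11:20:00 logout 198.51.100.9 carol h3
2010-06-01T11:22:00 login  198.51.100.9 dave  h3
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, event, ip, user, chash = line.split()
        events.append((datetime.fromisoformat(ts), event, ip, user, chash))
    return events

def find_suspicious(events, window_minutes=5):
    """Return sorted (reason, ip, user_a, user_b) flags for a human to review."""
    window = timedelta(minutes=window_minutes)
    flags = set()
    open_sessions = defaultdict(dict)  # ip -> {user: login time}
    last_logout = {}                   # ip -> (user, logout time)
    cookie_owner = {}                  # cookie hash -> first user seen with it
    for ts, event, ip, user, chash in sorted(events):
        # Rule 3: the same cookie hash turning up on a different account.
        owner = cookie_owner.setdefault(chash, user)
        if owner != user:
            flags.add(("shared_cookie", ip, owner, user))
        if event == "login":
            # Rule 1: another account already has an open session from this IP.
            for other in open_sessions[ip]:
                if other != user:
                    flags.add(("concurrent_ip", ip, other, user))
            # Rule 2: a different account logged out from this IP moments ago.
            prev = last_logout.get(ip)
            if prev and prev[0] != user and ts - prev[1] <= window:
                flags.add(("logout_login_swap", ip, prev[0], user))
            open_sessions[ip][user] = ts
        else:
            open_sessions[ip].pop(user, None)
            last_logout[ip] = (user, ts)
    return sorted(flags)
```

Each flag is only a lead: as the first answer notes, shared IPs and borrowed computers produce the same patterns, so the output is a worklist for a person, not a verdict.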