views:

162

answers:

6

Question

How can you determine if a user is unique or not?

I understand there are many ways to do this using cookies, but what about methods that don't use cookies?

For example, go to Urban Dictionary and click one of the up/down vote buttons. Even if you delete your cookies and come back to the page, you will not be allowed to cast a vote on the same definition.

How do they do this?

Purpose

Eventually, I'd like to use this unique user detection method on a site where users create accounts. New signups are given a type of "reward" and I want to prevent people from creating multiple accounts in order to exploit the reward system.

Ultimately, I don't really care what techniques are used to achieve this. I understand that no method will be 100% reliable. Even preventing this for 70-90% of users with an average computer skill level would satisfy me.

+1  A: 

Some use cookies, some force a login/email address, and some track IP address.

Justin Niessner
+2  A: 

I'm guessing that Urban Dictionary (and other voting sites, such as a variety of image boards) use IP addresses to track visitors. Not 100% fool-proof, but probably pretty good for most of the time.

Note that with many of these sites, you can vote again, usually once per 24 hours (or however long they log IP addresses for).

Some things that will break this scheme: People who know how to spoof IP addersses, NAT routers, proxies (possibly). Another thing: many home ISPs these days use dynamic IP addresses, so the IP address you have right now might be different in a few hours. If you want to force a new IP address, it's usually enough to unplug your high-speed modem for a few minutes then plug it back in. Some routers also have a feature to demand a new IP from the ISP.

FrustratedWithFormsDesigner
Sorry, I updated the question with a "Purpose" section. I realize there's no stopping the savvy user that understands how to circumvent these preventative techniques, but I'd be happy with stopping the majority of the crowd.
macek
A: 

As FrustratedWithFormsDesigner alludes to above, if you're not going to use cookies then you've got to use IP addresses. You can combine this with the user-agent, but even that is not infallible.

Cal Jacobson
+2  A: 

Urban Dictionary is probably only allowing one vote per IP. Or they could be taking a browser fingerprint https://panopticlick.eff.org/.

For tracking whether a user has been to your site before, cookies are a probably your best bet

Adam Pope
+3  A: 

Besides IP address and "normal" cookies, FLASH cookies may be used. FF has an add-on called "BetterPrivacy" that delete those cookies when you exit the browser. But they're less known.

Dor
So aside from people that specifically clean these "Flash Cookies," they would remain on user's system?
macek
Yes, they would remain, assuming the user has Flash enabled.
Dor
Dor, I will have to look into these, thank you :) I can imagine I'll use as many layers as possible for maximum effectiveness. Perhaps 1) Flash cookies 2) Regular cookies 3) Browser fingerprint 4) Unique IP within X hours, etc.
macek
NP :) In that case... An extreme approach may consider sending to the user an image that will be stored in the browser's cache "forever". When you recognize a "new" user, check if he asks that image from the server.
Dor
A: 

IP address is commonly used but fallible, as others have said. Note that AOL (and perhaps other ISP's) use shared proxy servers for content-type requests and caching, so that a single user's requests for images may show up to your server as coming from several different IP addresses. Conversely, all AOL users' requests for images will therefore comme from these same IP numbers.

jwadsack