It is impossible to identify a user or request as unique since duping is trivial.

However, there are a handful of methods that, combined, can hamper cheating attempts and give a user quasi-unique status.

I know of the following:

  1. IP Address - store the IP address of each visitor in a database of some sort
    • Can be faked
    • Multiple computers/users can have the same address
    • Users with dynamic IP addresses (some ISPs issue them)
  2. Cookie tracking - store a cookie per visitor. Visitors that don't have it are considered "unique"
    • Can be faked
    • Cookies can be blocked or cleared via browser

Are there more ways to track non-authorized (non-login, non-authentication) website visitors?

A: 

Yes, it's impossible to tell anonymous visitors apart with 100% certainty. The best that you can do is to gather the information that you have, and try to tell as many visitors apart as you can.

There is one more piece of information that you can use:

  1. Browser string
    • It's not unique, but in combination with the other information it increases the resolution.

If you need to tell the visitors apart with 100% certainty, then you need to make them log in.

Guffa
A: 

There is no sure-fire way to achieve this, in my view. Of your options, cookies are the most likely to yield a reasonably realistic number. NATing and proxy servers can mask the IP addresses of a large number of users, and dynamic IP address allocation will confuse the results for a lot of others.

Have you considered using e.g. Google Analytics or similar? They do unique visitor tracking as part of their service, and they probably have a lot more money to throw at finding heuristic solutions to this problem than you or I. Just a thought!

Paul Russell
A: 

What about checking other headers also, such as User-Agent, Accept-Language, or even Accept-Charset?

Or, to get a bit black-hat, you could grab and check cookies set by other common sites (big G) for this user's browser...

Steve
+1  A: 
moontear
I'd +1 this but there's enough evil in the world already without abusing other people's computers.
annakata
You're right, but it is always good to know what you are up against so you can defend yourself.
moontear
I'm not sure if evercookie's website is using its own plugin, but my mouse is constantly flickering. I assume it's the storage that's happening. Great find though.
Baddie
Not a plugin, all JS based - you can actually download the source ;-)
moontear
I was also unique (amongst 1,221,523) thanks to my font collection (I was the only one who had it)
jgauffin
A: 

Panopticlick has a quite refined method for checking for unique users using fingerprinting. Apart from IP address and user-agent it used things like timezone, screen resolution, fonts installed on the system and plugins installed in the browser etc, so it comes up with a very distinct ID for each and every user without storing anything in their computers. False negatives (finding two different users with the exact same fingerprint) are very rare.

A problem with that approach is that it can yield some false positives, i.e. it considers the same user to be a new one if they've installed a new font for example. If this is ok or not depends on your application I suppose.

Jakob
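
An added example, not part of any answer above: a server-side unique-visitor counter that combines the signals discussed in this thread, using the cookie as the primary identity and a keyed hash of IP address, User-Agent and Accept-Language as the fallback. The request dictionaries, the `SECRET` key and all sample values are constructed for the demonstration; the `demo()` run shows where the heuristic holds (dynamic IP, cleared cookie) and where it undercounts (two people behind one NAT with identical browsers).

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key so stored IDs are not raw IP/UA


def fingerprint(req):
    """Keyed hash of the passive signals named in the thread (IP + headers)."""
    parts = [req["ip"], req.get("User-Agent", ""), req.get("Accept-Language", "")]
    return hmac.new(SECRET, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()[:16]


class VisitorCounter:
    """Cookie is the primary identity; the header fingerprint is the fallback."""

    def __init__(self):
        self.by_cookie = {}   # cookie value -> visitor id
        self.by_print = {}    # fingerprint  -> visitor id
        self.count = 0

    def visit(self, req):
        fp, cookie = fingerprint(req), req.get("cookie")
        vid = self.by_cookie.get(cookie) if cookie else None
        if vid is None:
            vid = self.by_print.get(fp)      # cookie missing or cleared: fall back
        if vid is None:
            self.count += 1                  # nothing matched: count a new visitor
            vid = self.count
        if cookie:
            self.by_cookie[cookie] = vid
        self.by_print[fp] = vid
        return vid


def demo():
    ua = "Mozilla/5.0 (constructed)"
    c = VisitorCounter()
    a1 = c.visit({"ip": "203.0.113.7", "User-Agent": ua, "Accept-Language": "en", "cookie": "A"})
    # Same browser, new dynamic IP: the cookie keeps it one visitor.
    a2 = c.visit({"ip": "203.0.113.99", "User-Agent": ua, "Accept-Language": "en", "cookie": "A"})
    # Same browser, cookie cleared: the fingerprint re-links it.
    a3 = c.visit({"ip": "203.0.113.99", "User-Agent": ua, "Accept-Language": "en"})
    # Different person behind the same NAT, identical browser, no cookie:
    # merged with the first visitor, so the count is too low.
    b1 = c.visit({"ip": "203.0.113.99", "User-Agent": ua, "Accept-Language": "en"})
    # Same address, different Accept-Language: counted as a new visitor.
    d1 = c.visit({"ip": "203.0.113.99", "User-Agent": ua, "Accept-Language": "de"})
    return [a1, a2, a3, b1, d1], c.count
```
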