Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Anonymity issue

Posted on 2000-02-28
13
Medium Priority
?
302 Views
Last Modified: 2010-03-05
Suppose you are administering a web-based questionnaire which goes out to a select group of clients. You email them the .htaccess controlled user and password which allows them to get into the questionnaire area. How can you guarantee that their responses are anonymous (to you) while at the same time ensuring that noone answers the questionnaire more than once?
0
Comment
Question by:datanova
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 4
13 Comments
 
LVL 3

Expert Comment

by:jyu_88
ID: 2565584
for a list of user emails, randomly generate username/password pair, add it to your smb/passwd, send email to the user.
foreach $email (@emaillist) {
      $uname = &myRandom(8);
      $pass = &myRandom(8);
      #email the pair to $email
      #add the pair to your AuthUserFile
}

make a copy of your AuthUserFile, named the file 'controlList'
when a user hit submit, your CGI will validate his/her input, accept the input only if the user is in a contrl file, then remove entry from 'controlList'. This way user will only be able to input once. And, since the association between username and email has lost, you don't really know who did the submit even if you know the user's htaccess name.
0
 

Author Comment

by:datanova
ID: 2565648
But what's to stop a client logging on twice and pretending to be different people? He could generate several pairs of usernames and passwords and submit several copies of the same questionnaire. Couldn't he?

0
 
LVL 3

Expert Comment

by:alien_life_form
ID: 2569043
Keep a database of people who has already genetrated a u/p pair.
Do not allow repeats.
cheers,
   alf
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:datanova
ID: 2569481
How would I know which people had generated u/p pairs? They would have to tell me. So what about those who choose not to tell me? Maybe I don't understand your suggestion.
----------------------------------
<hr>

I think the answer is this:

Questionnaire administrator sends out unreproducable pieces of parchment (or whatever) to the respondent group together with the .htaccess password to the relevant web area. Respondents then fill in the questionnaire and fill in an identification field containing any string of characters they like. They then write the same string of characters on the piece of parchment and post it back anonymously to central office who can then match the parchment with the first incoming questionnaire response containing said id field string. Granted that with paranoia mode on the sending IP address might be traced to a particular company, I think that this level of security would be acceptable.

0
 

Author Comment

by:datanova
ID: 2569489
Moderator!

I've answered my own question.
Can I have 50 points please?

Thanks,

Alex.
0
 
LVL 3

Expert Comment

by:jyu_88
ID: 2569623
You are kidding:-)

Datanova, I think you misunderstood my answer.

The login/password is generated on the server and send to users one pair each. The same login/password is added to .htaccess, which control the access to the page.   The perl script above is  a standalone for this purpose, not the CGI itself, in other words, the users has no access to it at all.
The user can generate any login/password pairs themselves, but, that's more like hacking through brutal-force. nobody can stop them from doing that.
0
 

Author Comment

by:datanova
ID: 2570508
OK so what's to stop a user generating any number of login/passwords? See my comment posted on Monday.

0
 
LVL 3

Expert Comment

by:jyu_88
ID: 2570632
like I said, nothing to stop them, or any hacker for that matter, to generate unlimited pairs of login/passwd to do brutal-force hacking. The thing is their home-brew logins cannot match what you created for other users so they cannot login as other users, if you myRandom sub is really random and kept in a safe place. John Doe users shall not have access to the myRandom sub at all.

To avoid hacker to get even an vague idea of your myRandom routine thus get a better chance of guessing it right, you need to authenticate users over a secured channel such as a  strong-encrypted SSL channel.
0
 

Author Comment

by:datanova
ID: 2574514
I think I might understand you now. So the idea is that the questionnaire administrator randomly generates user/pwd pairs and emails them to the client group without him (the administrator) knowing to which client which user/pwd pair has been sent. Is that right?

0
 
LVL 3

Accepted Solution

by:
jyu_88 earned 150 total points
ID: 2574542
yes
0
 

Author Comment

by:datanova
ID: 2574579
In which case your answer works and is logically equivalent to my parchment answer. The two main differences are that my answer is more labour intensive and requires stamps and people to lick them, but in the case of the client being paranoid about company sensitive material he might prefer my solution since he probably wouldn't believe that I wouldn't hack my own email system and find out who sent which responses. (Of course, I could also secretly mark the parchment which would serve the same purpose).

So thanks. You'll be getting some points.

0
 

Author Comment

by:datanova
ID: 2574583
See below (or above).
0
 

Author Comment

by:datanova
ID: 2574961
iyu 88,

You seem to have received only 5 points instead of 50. I don't know what happened there. Any ideas?

0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many time we need to work with multiple files all together. If its windows system then we can use some GUI based editor to accomplish our task. But what if you are on putty or have only CLI(Command Line Interface) as an option to  edit your files. I…
There are many situations when we need to display the data in sorted order. For example: Student details by name or by rank or by total marks etc. If you are working on data driven based projects then you will use sorting techniques very frequently.…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Six Sigma Control Plans

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question