Prevent multiple logins from the same user with PhP
I have a site where I am going to be hosting a game which is free to play and users can win an iPad. Of course this is going to be very tempting for users to try and spoof so I want to get some ideas about how I can go about and prevent multiple accounts from being created from the same user. Of course some of the basics I already have covered are
Prevent multiple ip's
This is a basic to me which I already have covered, but I know this is easily spoofed from users assigning different ip's with hacks.
Same username
I have this covered where users cannot use the same username that has already been created
Same email
Covered. Can only use one email account per user
Besides these is there anything else I can do to tighten up security?
Prevent multiple ip's
This is a basic to me which I already have covered, but I know this is easily spoofed from users assigning different ip's with hacks.
Same username
I have this covered where users cannot use the same username that has already been created
Same email
Covered. Can only use one email account per user
Besides these is there anything else I can do to tighten up security?
One of the options that can be considered you can send a personal information number PIN to users mobile or postal address and user need to verify with this PIN at your site.
Duplicate mobile numbers/address would be rejected by your script.But you must understand that undertaking such a measure would mean heavy operational expenses and is more easily done for a particular country.
Duplicate mobile numbers/address would be rejected by your script.But you must understand that undertaking such a measure would mean heavy operational expenses and is more easily done for a particular country.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_3939-Registration-and-Email-Confirmation-in-PHP.html
Using that kind of design, you can verify the client's email address. It is possible, but not highly likely, that you will get clients with the same IP address and the same browser. I would record those data and flag identical IP and browser for individual, manual inspection.
And, of course, the best test would be a CAPTCHA to avoid the onslaught of 'bots that want to enter the game ;-)
Using that kind of design, you can verify the client's email address. It is possible, but not highly likely, that you will get clients with the same IP address and the same browser. I would record those data and flag identical IP and browser for individual, manual inspection.
And, of course, the best test would be a CAPTCHA to avoid the onslaught of 'bots that want to enter the game ;-)
Simple answer:
You can't completely prevent users from creating multiple accounts.
However, you can LIMIT it and make it harder for them to create multiple accounts.
Less efficient ways (will help you to stop some members from signing up multiple times):
IP Address:
Not very efficient and it can prevent some people who never sign up from signing up since IP addresses can be re-used.
In users table create a field were you record the IP address of the member, for example: (field name: ipaddr), each time a new member sign up, check for any existing member with the same IP address using SQL query.
Cookies:
If the visitor know how to clear the cookies, this will be useless. However, many internet users don't know what is even cookies
Once a new user sign up, add some data to the session, for example you can add a boolean value indicating that the member has signed up before, check for the coookie each time a new member is trying to sign up
More efficient ways (will make it much harder for someone to sign up twice, however it might lower your signups):
I would recommend you to use any of the following ONLY if your service is commercial and NOT free of charge.
1. Credit card verification.
I don't recommend unless your company is trusted enough.
2. Phone verification (recommended):
Sending a text message using texting API can help to prevent people from signing up multiple times and most people use a single cell phone, you can find some API providers online, example:
http://www.eztexting.com/developers/
3. Address verification:
You can verify by sending post mail to members with a PIN code and ask them to enter the PIN code inside the mail.
4. ID verification
When a new user sign up, you can ask them to send a copy of their ID for verification purpose.
You can't completely prevent users from creating multiple accounts.
However, you can LIMIT it and make it harder for them to create multiple accounts.
Less efficient ways (will help you to stop some members from signing up multiple times):
IP Address:
Not very efficient and it can prevent some people who never sign up from signing up since IP addresses can be re-used.
In users table create a field were you record the IP address of the member, for example: (field name: ipaddr), each time a new member sign up, check for any existing member with the same IP address using SQL query.
Cookies:
If the visitor know how to clear the cookies, this will be useless. However, many internet users don't know what is even cookies
Once a new user sign up, add some data to the session, for example you can add a boolean value indicating that the member has signed up before, check for the coookie each time a new member is trying to sign up
More efficient ways (will make it much harder for someone to sign up twice, however it might lower your signups):
I would recommend you to use any of the following ONLY if your service is commercial and NOT free of charge.
1. Credit card verification.
I don't recommend unless your company is trusted enough.
2. Phone verification (recommended):
Sending a text message using texting API can help to prevent people from signing up multiple times and most people use a single cell phone, you can find some API providers online, example:
http://www.eztexting.com/developers/
3. Address verification:
You can verify by sending post mail to members with a PIN code and ask them to enter the PIN code inside the mail.
4. ID verification
When a new user sign up, you can ask them to send a copy of their ID for verification purpose.
ASKER
Thanks all for your input. Yes its impossible to prevent it 100% but I can try at least :)
I am going to check out the link from @Ray_Paseur and let you know how it goes, looks very interesting.
The main thing about the site I have is that I am running a game that users can play absolutely free. And I am going to have both weekly and monthly prizes for the top scorers of iPad's and gift cards so the demand to secure the process is going to be high for sure.
As soon as I read the link mentioned above and implement I will mark the proper Accepted Solutions.
Thanks All
I am going to check out the link from @Ray_Paseur and let you know how it goes, looks very interesting.
The main thing about the site I have is that I am running a game that users can play absolutely free. And I am going to have both weekly and monthly prizes for the top scorers of iPad's and gift cards so the demand to secure the process is going to be high for sure.
As soon as I read the link mentioned above and implement I will mark the proper Accepted Solutions.
Thanks All
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This is not really a good option
1. You might have multiple users behind a single IP
2. Users can reconnect using a different IP
The only real option you have is email address and for people with their own domain you won't be able to stop them creating new email accounts.
You could use a combination - which would allow multiple users from a single IP but it is no guarantee that it would stop people from multiple entries.
What I would do is ask for a shipping address - and use that - if they win they are going to have to have the item shipped - so legitimate question. Might get a few who are only prepared to give that information if they win - but then you can make it so they can't enter unless they do.
Failing that - go with email / IP - not really going to be able to do anything else.
You can also explore putting a cookie on the machine - but in some cases you have to notify people you are doing this and cookies can be deleteed.