Prevent multiple logins from the same user with PhP

Posted on 2012-08-28
Medium Priority
Last Modified: 2012-09-10
I have a site where I am going to be hosting a game which is free to play and users can win an iPad. Of course this is going to be very tempting for users to try and spoof so I want to get some ideas about how I can go about and prevent multiple accounts from being created from the same user. Of course some of the basics I already have covered are

Prevent multiple ip's

This is a basic to me which I already have covered, but I know this is easily spoofed from users assigning different ip's with hacks.

Same username

I have this covered where users cannot use the same username that has already been created

Same email

Covered. Can only use one email account per user

Besides these is there anything else I can do to tighten up security?
Question by:cbielich
LVL 60

Expert Comment

by:Julian Hansen
ID: 38344414
Prevent multiple ip's

This is not really a good option

1. You might have multiple users behind a single IP
2. Users can reconnect using a different IP

The only real option you have is email address and for people with their own domain you won't be able to stop them creating new email accounts.

You could use a combination - which would allow multiple users from a single IP but it is no guarantee that it would stop people from multiple entries.

What I would do is ask for a shipping address - and use that - if they win they are going to have to have the item shipped - so legitimate question. Might get a few who are only prepared to give that information if they win - but then you can make it so they can't enter unless they do.

Failing that - go with email / IP - not really going to be able to do anything else.

You can also explore putting a cookie on the machine - but in some cases you have to notify people you are doing this and cookies can be deleteed.

Expert Comment

ID: 38344922
One of the options that can be considered you can send a personal information number PIN to users mobile or postal address and user need to verify with this PIN at your site.
Duplicate mobile numbers/address  would be rejected by your script.But you must understand that undertaking such a measure would mean heavy operational expenses and is more easily done for a particular country.
LVL 111

Expert Comment

by:Ray Paseur
ID: 38345379

Using that kind of design, you can verify the client's email address.  It is possible, but not highly likely, that you will get clients with the same IP address and the same browser.  I would record those data and flag identical IP and browser for individual, manual inspection.

And, of course, the best test would be a CAPTCHA to avoid the onslaught of 'bots that want to enter the game ;-)
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 12

Expert Comment

by:Mohamed Abowarda
ID: 38346383
Simple answer:
You can't completely prevent users from creating multiple accounts.

However, you can LIMIT it and make it harder for them to create multiple accounts.

Less efficient ways (will help you to stop some members from signing up multiple times):
IP Address:
Not very efficient and it can prevent some people who never sign up from signing up since IP addresses can be re-used.
In users table create a field were you record the IP address of the member, for example: (field name: ipaddr), each time a new member sign up, check for any existing member with the same IP address using SQL query.

If the visitor know how to clear the cookies, this will be useless. However, many internet users don't know what is even cookies
Once a new user sign up, add some data to the session, for example you can add a boolean value indicating that the member has signed up before, check for the coookie each time a new member is trying to sign up

More efficient ways (will make it much harder for someone to sign up twice, however it might lower your signups):

I would recommend you to use any of the following ONLY if your service is commercial and NOT free of charge.

1. Credit card verification.
I don't recommend unless your company is trusted enough.

2. Phone verification (recommended):
Sending a text message using texting API can help to prevent people from signing up multiple times and most people use a single cell phone, you can find some API providers online, example:

3. Address verification:
You can verify by sending post mail to members with a PIN code and ask them to enter the PIN code inside the mail.

4. ID verification
When a new user sign up, you can ask them to send a copy of their ID for verification purpose.

Author Comment

ID: 38366126
Thanks all for your input. Yes its impossible to prevent it 100% but I can try at least :)

I am going to check out the link from @Ray_Paseur and let you know how it goes, looks very interesting.

The main thing about the site I have is that I am running a game that users can play absolutely free. And I am going to have both weekly and monthly prizes for the top scorers of iPad's and gift cards so the demand to secure the process is going to be high for sure.

As soon as I read the link mentioned above and implement I will mark the proper Accepted Solutions.

Thanks All
LVL 12

Accepted Solution

Mohamed Abowarda earned 2000 total points
ID: 38366287
A good way that will work very well and will prevent most people from signing up more than once is using phone verification, take a look at the link I posted initially to find out how to send text messages for phone verification.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Suggested Courses
Course of the Month16 days, 7 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question