Prevent multiple logins from the same user with PhP

Posted on 2012-08-28
Last Modified: 2012-09-10
I have a site where I am going to be hosting a game which is free to play and users can win an iPad. Of course this is going to be very tempting for users to try and spoof so I want to get some ideas about how I can go about and prevent multiple accounts from being created from the same user. Of course some of the basics I already have covered are

Prevent multiple ip's

This is a basic to me which I already have covered, but I know this is easily spoofed from users assigning different ip's with hacks.

Same username

I have this covered where users cannot use the same username that has already been created

Same email

Covered. Can only use one email account per user

Besides these is there anything else I can do to tighten up security?
Question by:cbielich
    LVL 50

    Expert Comment

    by:Julian Hansen
    Prevent multiple ip's

    This is not really a good option

    1. You might have multiple users behind a single IP
    2. Users can reconnect using a different IP

    The only real option you have is email address and for people with their own domain you won't be able to stop them creating new email accounts.

    You could use a combination - which would allow multiple users from a single IP but it is no guarantee that it would stop people from multiple entries.

    What I would do is ask for a shipping address - and use that - if they win they are going to have to have the item shipped - so legitimate question. Might get a few who are only prepared to give that information if they win - but then you can make it so they can't enter unless they do.

    Failing that - go with email / IP - not really going to be able to do anything else.

    You can also explore putting a cookie on the machine - but in some cases you have to notify people you are doing this and cookies can be deleteed.
    LVL 9

    Expert Comment

    One of the options that can be considered you can send a personal information number PIN to users mobile or postal address and user need to verify with this PIN at your site.
    Duplicate mobile numbers/address  would be rejected by your script.But you must understand that undertaking such a measure would mean heavy operational expenses and is more easily done for a particular country.
    LVL 107

    Expert Comment

    by:Ray Paseur

    Using that kind of design, you can verify the client's email address.  It is possible, but not highly likely, that you will get clients with the same IP address and the same browser.  I would record those data and flag identical IP and browser for individual, manual inspection.

    And, of course, the best test would be a CAPTCHA to avoid the onslaught of 'bots that want to enter the game ;-)
    LVL 12

    Expert Comment

    by:Mohamed Abowarda
    Simple answer:
    You can't completely prevent users from creating multiple accounts.

    However, you can LIMIT it and make it harder for them to create multiple accounts.

    Less efficient ways (will help you to stop some members from signing up multiple times):
    IP Address:
    Not very efficient and it can prevent some people who never sign up from signing up since IP addresses can be re-used.
    In users table create a field were you record the IP address of the member, for example: (field name: ipaddr), each time a new member sign up, check for any existing member with the same IP address using SQL query.

    If the visitor know how to clear the cookies, this will be useless. However, many internet users don't know what is even cookies
    Once a new user sign up, add some data to the session, for example you can add a boolean value indicating that the member has signed up before, check for the coookie each time a new member is trying to sign up

    More efficient ways (will make it much harder for someone to sign up twice, however it might lower your signups):

    I would recommend you to use any of the following ONLY if your service is commercial and NOT free of charge.

    1. Credit card verification.
    I don't recommend unless your company is trusted enough.

    2. Phone verification (recommended):
    Sending a text message using texting API can help to prevent people from signing up multiple times and most people use a single cell phone, you can find some API providers online, example:

    3. Address verification:
    You can verify by sending post mail to members with a PIN code and ask them to enter the PIN code inside the mail.

    4. ID verification
    When a new user sign up, you can ask them to send a copy of their ID for verification purpose.
    LVL 1

    Author Comment

    Thanks all for your input. Yes its impossible to prevent it 100% but I can try at least :)

    I am going to check out the link from @Ray_Paseur and let you know how it goes, looks very interesting.

    The main thing about the site I have is that I am running a game that users can play absolutely free. And I am going to have both weekly and monthly prizes for the top scorers of iPad's and gift cards so the demand to secure the process is going to be high for sure.

    As soon as I read the link mentioned above and implement I will mark the proper Accepted Solutions.

    Thanks All
    LVL 12

    Accepted Solution

    A good way that will work very well and will prevent most people from signing up more than once is using phone verification, take a look at the link I posted initially to find out how to send text messages for phone verification.

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    Join & Write a Comment

    This article will explain how to display the first page of your Microsoft Word documents (e.g. .doc, .docx, etc...) as images in a web page programatically. I have scoured the web on a way to do this unsuccessfully. The goal is to produce something …
    Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit ( and similar technologies have enjoyed wide adoption, making it possib…
    Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
    The viewer will learn how to dynamically set the form action using jQuery.

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now