Posted to modperl@perl.apache.org by Zack Brown <zb...@tumblerings.org> on 2003/09/16 18:46:22 UTC

ensuring singularity of users

Hi,

I'd like to implement something that tries to ensure that one user can't
masquerade as multiple users. I'm looking into Captchas, but I'm wondering
what other options there are, and what folks think about that here. My
impression so far is that there's no 100% effective way to do it.

If there's a better place to ask about this, please let me know.

Thanks,
Zack

-- 
Zack Brown

Re: ensuring singularity of users

Posted by Stas Bekman <st...@stason.org>.
Perrin Harkins wrote:
> On Tue, 2003-09-16 at 12:46, Zack Brown wrote:
> 
>>I'd like to implement something that tries to ensure that one user can't
>>masquerade as multiple users.
> 
> 
> We talked quite a bit about preventing multiple logins recently.  I
> think it was last week.  Check the archives.

Perhaps someone would like to summarize these and put a short tutorial on 
perl.apache.org? This question seems to come back pretty often.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: ensuring singularity of users

Posted by Zack Brown <zb...@tumblerings.org>.
On Tue, Sep 16, 2003 at 03:11:04PM -0400, Perrin Harkins wrote:
> On Tue, 2003-09-16 at 14:42, Zack Brown wrote:
> > I want to prevent one person from having multiple accounts.
> 
> Okay.
> 
> > > That's correct, unless you have control over the client machines.  You
> > > can require cookies, which will tell you if multiple users on separate
> > > browsers are sharing a login, but that's about all you can do without
> > > possibly breaking your system for someone.
> > 
> > Someone can appear to be multiple people by disabling cookies though.
> 
> That's why I said "require" cookies: you reject all requests from people
> who don't allow cookies, and then you use the cookies for tracking.  A
> moderately tech-savvy user can delete your cookie and log in again under
> a separate account, but people who are scared of opening up prefs and
> messing with cookie management (or people who simply don't care enough
> to bother) will be stopped.
> 
> If you have a fixed set of clients who are definitely not using proxies,
> you can use IP instead of cookies.

Any simple way to defeat the system will end up not working. I'm looking
for something truly secure.

> 
> > I want to ensure that if person A registers to use a site, they are not
> > able to register again using a different login
> 
> Ask them for a credit card then.  There's no other way that will really
> work 100% of the time.

That's what I figured. Even that won't work all the time, but it will
probably limit people to one login per credit card. Unfortunately, then
I have to get a merchant account, and there will always be some users
who just don't like giving out credit card information.

Be well,
Zack

> 
> - Perrin

-- 
Zack Brown

Re: ensuring singularity of users

Posted by Perrin Harkins <pe...@elem.com>.
On Tue, 2003-09-16 at 14:42, Zack Brown wrote:
> I want to prevent one person from having multiple accounts.

Okay.

> > That's correct, unless you have control over the client machines.  You
> > can require cookies, which will tell you if multiple users on separate
> > browsers are sharing a login, but that's about all you can do without
> > possibly breaking your system for someone.
> 
> Someone can appear to be multiple people by disabling cookies though.

That's why I said "require" cookies: you reject all requests from people
who don't allow cookies, and then you use the cookies for tracking.  A
moderately tech-savvy user can delete your cookie and log in again under
a separate account, but people who are scared of opening up prefs and
messing with cookie management (or people who simply don't care enough
to bother) will be stopped.

If you have a fixed set of clients who are definitely not using proxies,
you can use IP instead of cookies.

> I want to ensure that if person A registers to use a site, they are not
> able to register again using a different login

Ask them for a credit card then.  There's no other way that will really
work 100% of the time.

- Perrin
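
The require-cookies scheme described in the message above, sketched as an added example that is not part of the original thread or any poster's code. The names `issue_cookie`, `verify_cookie`, `register`, the demo key and the in-memory hash standing in for a database are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: require a signed tracking cookie before registration and
# cap the number of accounts per cookie. All names are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET       = 'constructed-demo-key';  # assumption: real key lives in server config
my $MAX_ACCOUNTS = 1;                       # accounts allowed per tracking cookie
my %accounts_for;                           # token => [logins]; stands in for a DB table

# Mint a random token and sign it so a client cannot forge or alter it.
sub issue_cookie {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $raw, 16) == 16 or die "short read from urandom";
    close $fh;
    my $token = unpack 'H*', $raw;
    return "$token." . hmac_sha256_hex($token, $SECRET);
}

# Return the token if the cookie is well-formed and correctly signed, else undef.
sub verify_cookie {
    my ($cookie) = @_;
    return unless defined $cookie
        && $cookie =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/;
    my ($token, $mac) = ($1, $2);
    my $expect = hmac_sha256_hex($token, $SECRET);
    my $diff = 0;    # compare every byte so timing does not leak the match position
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? $token : undef;
}

# Reject requests without a valid cookie, then track accounts per cookie.
sub register {
    my ($cookie, $login) = @_;
    my $token = verify_cookie($cookie)
        or return "rejected ($login): no valid cookie, set one and have the client retry";
    my $seen = $accounts_for{$token} ||= [];
    return "rejected ($login): cookie already holds " . scalar(@$seen) . " account(s)"
        if @$seen >= $MAX_ACCOUNTS;
    push @$seen, $login;
    return "ok ($login): registered";
}

# Constructed requests, in order: cookies disabled, first signup, second signup
# with the same cookie, forged cookie, cookie deleted and freshly reissued.
my $cookie = issue_cookie();
my $forged = ('0' x 32) . '.' . ('0' x 64);
print register(undef,          'alice'),   "\n";
print register($cookie,        'alice'),   "\n";
print register($cookie,        'alice2'),  "\n";
print register($forged,        'mallory'), "\n";
print register(issue_cookie(), 'alice3'),  "\n";
```

The final request is accepted: a client that discards its cookie is indistinguishable from a new visitor, which is the limit of this control that the message itself points out.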

Re: ensuring singularity of users

Posted by Zack Brown <zb...@tumblerings.org>.
On Tue, Sep 16, 2003 at 01:55:46PM -0400, Perrin Harkins wrote:
> On Tue, 2003-09-16 at 12:46, Zack Brown wrote:
> > I'd like to implement something that tries to ensure that one user can't
> > masquerade as multiple users.
> 
> We talked quite a bit about preventing multiple logins recently.  I
> think it was last week.  Check the archives.
> 
> > I'm looking into Captchas
> 
> Are you trying to prevent multiple people from using the same account,
> or one person from having multiple windows open, or anyone from using
> bots?

I want to prevent one person from having multiple accounts.

> 
> > My
> > impression so far is that there's no 100% effective way to do it.
> 
> That's correct, unless you have control over the client machines.  You
> can require cookies, which will tell you if multiple users on separate
> browsers are sharing a login, but that's about all you can do without
> possibly breaking your system for someone.

Someone can appear to be multiple people by disabling cookies though.

I want to ensure that if person A registers to use a site, they are not
able to register again using a different login, or else they are only
able to register a small enough number of times that it isn't worth it
for them to do so.

Be well,
Zack

> 
> - Perrin

-- 
Zack Brown

Re: ensuring singularity of users

Posted by Perrin Harkins <pe...@elem.com>.
On Tue, 2003-09-16 at 12:46, Zack Brown wrote:
> I'd like to implement something that tries to ensure that one user can't
> masquerade as multiple users.

We talked quite a bit about preventing multiple logins recently.  I
think it was last week.  Check the archives.

> I'm looking into Captchas

Are you trying to prevent multiple people from using the same account,
or one person from having multiple windows open, or anyone from using
bots?

> My
> impression so far is that there's no 100% effective way to do it.

That's correct, unless you have control over the client machines.  You
can require cookies, which will tell you if multiple users on separate
browsers are sharing a login, but that's about all you can do without
possibly breaking your system for someone.

- Perrin