|
Posted by Richard Lynch on 02/24/05 18:37
Jacques wrote:
> How can I ensure that a user is prevented from creating a second profile
> after he has registered a second time with different registration details?
You can't.
Not totally.
You could send them a Cookie, and hope they're not smart enough to delete
it before they re-register.
You could ask them for a valid email address, and require them to get an
email from you at that address before moving forward, but with free email
all over, that's not much help.
You can prevent wide-spread scripted abuse by requiring them to identify a
random set of characters in an image, possibly semi-obscured by "noise" in
the image background. I don't think any of the scammers have glued in a
usable OCR yet to defeat that, though it may only be a matter of time...
I guess part of the answer really depends on how Serious you need to be
about this: Are you just trying to avoid people making the mistake of
coming back a year later and re-registering without realizing they are
already registered? Or are you trying to build an election system for
your government? Somewhere between the two?
What seems like a simple idea -- uniquely identifying the user -- is
actually IMPOSSIBLE to be 100% sure, and downright difficult to even make
a valiant attempt at it.
> I thought of capturing his IP Address and checking this value against my
> users table in my database where I have captured IP Addresses of users who
> have previously registered.
Forget that.
AOL users will change their IP address more often than drummers change
their underwear -- sometimes mid-session.
And a large corporation like IBM will have everybody in one location
behind a firewall with a single IP address.
IP address is absolutely useless for user identification, authenticate,
or, well, much of anything really.
You could maybe maybe maybe find IP address useful as one of a whole bunch
of "indicators" in a rather complex system calculating the probability
that user X is the same as user Y, using (some of):
IP address
Browser headers sent (only some, though, as some change over time)
Cookies (can be forged)
Require an email (again, easy to defeat by itself)
Visual I/O [see above] (stops automated registration)
Actually, you could require half of a two-way encrypted key-pair, or a
"digital signature," but your average user is not gonna have any clue how
to do that... And that won't stop them from making two key-pairs, but at
least when you get the digitally signed token, you know they are who they
say they are, assuming the original didn't lose their key.
--
Like Music?
http://l-i-e.com/artists.htm
Navigation:
[Reply to this message]
|