-1

I want to give a "like" option on my page for non-logged users.

The simplest thing would be to detect the user's IP (e.g. by $_SERVER['REMOTE_ADDR']).

More sophisticated would be detecting user's agent (e.g. by $_SERVER['HTTP_USER_AGENT']).

But I want to give a like-possibility for "each PC in family" (real-life family) - this could also mean they all have not only the same IP, not only the same browser but also the same browser-version...

So how would I determine whether it is a different PC? (without using cookies/session)

I want to store one "like" per PC and since cookies can be cleared I didn't want to use them :)

I wanted to abstract my particular interest from the whole problematics - so I did.
However you should never trust user input (as David pointed out) - so do not base your final like-count on just that! At least put a likes/per IP limit and combine it with cookies/session.

Unihedron
jave.web
  • 1
    Why do you not want to use "cookies/session"? That is the standard way to achieve your goal. – leftclickben Oct 15 '14 at 12:09
  • 1
    They could be cleared... I want to store only one like / PC – jave.web Oct 15 '14 at 12:10
  • If you don't want to use cookies you can't do it, unless your website has a single user logon system and you lock all users to a single vote each so if they've used it once they can't use it again. – Dave Oct 15 '14 at 12:11
  • 1
    There is no effective way to track "a PC" like this. You can, however, track "a user" by having an authentication system. – David Oct 15 '14 at 12:13
  • @David you just summed up my long answer in two sentences :-) – leftclickben Oct 15 '14 at 12:17
  • My question STARTS with "non-logged" users, so I will repost this little comment of mine :) : This should be "public" likes - no login required, if I would want to make one like/per account *I wouldn't be asking this question at all* :) – jave.web Oct 15 '14 at 12:20
  • @David Sorry, but there are ways to track PCs like this. It's called "fingerprinting". See my answer below. – BA_Webimax Oct 15 '14 at 12:25

5 Answers

2

You can use sessions without using cookies. When the user logs in, they get a token, and this token is appended to every URL they visit. (In PHP you can see this if you disable cookies in the browser, you will get "PHPSESSIONID" in the URL). So, if you make users log in before voting / liking / whatever, then you can achieve this using sessions but not cookies.

If you are talking about public users without a login mechanism, then there really isn't any way to achieve this, unless you set a cookie recording the fact that this browser has voted.

Note however that not only can cookies be deleted, but it won't actually achieve what you want unless everyone in the family uses a different browser or has a separate login on their operating system. Otherwise they are effectively all the same user as far as you can tell. Also people can use multiple browsers so one person could vote / like more than once anyway.

leftclickben
2

Your only option to do this outside the simple methods of using cookies, logins, etc. is to do browser fingerprinting. This technique involves gathering a variety of information that the browser outputs to the server/webpage and making a hash of it to create a unique ID for that client. It has a remarkably high accuracy and would work fairly well under the circumstances you are describing.

It is based on the idea that "no two browsers are exactly the same". In other words, you look at screen resolution, user agent strings, active plugins, etc. and create a "fingerprint" of those settings. There is almost always going to be a variance in some way.

There are available libraries that can help get you started. Here is one that is very easy to implement and understand... https://github.com/Valve/fingerprintjs

BA_Webimax
  • `"screen resolution"` - I'm doubting the "remarkably high accuracy" of this method. It seems that the more metrics used to calculate the "fingerprint" the more options any user has to *change* their "fingerprint", even accidentally. – David Oct 15 '14 at 12:25
  • Yes, yes, yes - I actually meant something like this :) Thank you :) – jave.web Oct 15 '14 at 12:25
  • @David Read before you comment... https://panopticlick.eff.org/browser-uniqueness.pdf And keep in mind the idea that people can change stuff really doesn't play out in reality, but also explains the less than 100% accuracy. The vast majority of people can not and will not ever change anything. Fingerprinting isn't perfect, but it is more than effective enough for the masses. – BA_Webimax Oct 15 '14 at 12:28
  • Interesting paper. Section 5 is worth a read. (You know, *before* you comment and all...) @jave.web: Something to consider depending on the time metrics of your application (not specified in the question). If users come back to the same set of "likable" things after any significant amount of time, the reliability of this seems to drop pretty drastically. Potentially not a problem if data is "Twitter-like" and constantly changes, quickly fading into antiquity. Potentially more of a problem if data is more "Stack-Overflow-like" and preserved for posterity. – David Oct 15 '14 at 12:42
  • @David very good point - will consider removing the time part :) (&& will use IP limit anyway) – jave.web Oct 15 '14 at 13:23
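What the thread converges on, a fingerprint hash used only as a helper and backed by a cookie and a per-IP limit, could look like this on the server. This is an added example, not code from any poster or from fingerprintjs; `LikeLimiter`, `fingerprintId`, the attribute names and the sample values are hypothetical.

```javascript
const crypto = require('crypto');

// Hash the client-reported attributes into an ID. Keys are sorted so the
// same attribute set always yields the same ID; the HMAC key stays on the
// server so a client cannot precompute IDs.
function fingerprintId(attrs, secret) {
  const canonical = Object.keys(attrs).sort()
    .map((k) => `${k}=${attrs[k]}`).join('\n');
  return crypto.createHmac('sha256', secret).update(canonical).digest('hex');
}

class LikeLimiter {
  constructor({ secret, maxPerIp }) {
    this.secret = secret;
    this.maxPerIp = maxPerIp; // hard ceiling that holds even if the rest is spoofed
    this.seen = new Set();    // "item|fp|<id>" and "item|ck|<token>"
    this.perIp = new Map();   // "item|<ip>" -> number of accepted likes
  }

  // Returns 'accepted', 'duplicate-cookie', 'duplicate-fingerprint' or 'ip-limit'.
  tryLike(itemId, { ip, attrs, cookieToken }) {
    const fpKey = `${itemId}|fp|${fingerprintId(attrs, this.secret)}`;
    const ckKey = cookieToken ? `${itemId}|ck|${cookieToken}` : null;
    const ipKey = `${itemId}|${ip}`;
    // Cookie and fingerprint are both client-controlled hints: either one
    // matching is enough to refuse, neither one alone is proof of a new PC.
    if (ckKey && this.seen.has(ckKey)) return 'duplicate-cookie';
    if (this.seen.has(fpKey)) return 'duplicate-fingerprint';
    const count = this.perIp.get(ipKey) || 0;
    if (count >= this.maxPerIp) return 'ip-limit';
    this.seen.add(fpKey);
    if (ckKey) this.seen.add(ckKey);
    this.perIp.set(ipKey, count + 1);
    return 'accepted';
  }
}

// Constructed sample data: three family PCs behind one NAT address.
const IP = '203.0.113.7';
const pcA = { userAgent: 'ExampleBrowser/33.0', screen: '1920x1080', tz: '-60' };
const pcB = { ...pcA, screen: '1366x768' };
const pcC = { ...pcA, screen: '1280x1024' };
```

Two PCs that report identical attributes collapse into one fingerprint, so the per-IP ceiling is the only part of this that does not depend on what the client chooses to send.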
1

Detecting the User Agent can easily be spoofed, so it isn't a reliable way. The best way to do this is sessions or cookies. Why do you not wish to use them?

Bowersbros
1

Short answer: you can't.

Remember, each request to a web server is a new event. Cookies are the only way to persist data between calls. So if you rule them out you really can't differentiate them. This is a major reason why Google puts long life cookies on their site.

Can cookies be deleted? Sure. But they're really the only option you have.

Machavity
  • So are you suggesting to make an over-all limit for per/IP votes? – jave.web Oct 15 '14 at 12:13
  • No. The best solution is to use a login with sessions. One vote per account. – Machavity Oct 15 '14 at 12:15
  • This should be "public" likes - no login required, if I would want to make one like/per account *I wouldn't be asking this question at all* :) – jave.web Oct 15 '14 at 12:16
  • 1
    Then the first line of this answer is all you need to know -- you can't do it (without cookies). – leftclickben Oct 15 '14 at 12:18
  • @jave.web: You're defining conflicting requirements. "I want it to be public (so anybody can do it at any time)" and "I want to track it (so users can only do it when I allow them)" are mutually exclusive. You either want to track users or you don't, there's no middle ground that allows you to track them without tracking them. You can perform *some* non-authentication tracking (IP, cookie, session) but it's not bullet-proof. Any user who *wants* to circumvent it can. – David Oct 15 '14 at 12:21
  • @David If you put it that way ... :) I just thought if I can track IPs I could also track something like a "factory number" of a browser :) – jave.web Oct 15 '14 at 12:24
  • 1
    @jave.web: If that browser sends you such information, sure. But any way you look at it, you're talking about tracking information that comes from the client, not from the server. And any information that comes from the client can be spoofed/omitted/etc. It's simply not reliable. "Never trust user input" isn't just about SQL injection, it's about everything that comes from a client. – David Oct 15 '14 at 12:27
  • Don't worry, of course I won't use it "as is" - this will be just a helper mechanism, but it is a great point for newcomers (+1) :) I just wanted to abstract the particular problem :) – jave.web Oct 15 '14 at 12:29
-1

You cannot give a single identity to a PC. Cookies can be cleared. User logins can be done from different computers.

$ip.$http_user_agent will not work. User may restart the modem and ISP might assign a new IP. Or use a different browser to change $http_user_agent. Or another system on a LAN might have the same $http_user_agent.

What is the significance of giving one "like" per PC (provided you are able to even identify a PC correctly)? What if two different users with different tastes use the same PC?

jacobmathewin