I've seen the following question: Implementing "Report this content" and detecting spammer or robot triggered event, but it doesn't quite answer all I need to know about setting up a "Report this content" function.
My situation is very similar (users not needing to login to be able to report content) but I'm unsure what I should capture about a user to ensure that they are not reporting a single posting multiple times.
I thought the most obvious one would be IP address but I heard that mobile users can sometimes find themselves all sharing a single IP address when the users are close together.
This means I need something else as well.
The Question above mentions user-agent but it doesn't sound too far fetched that multiple iPhone users could be sharing the same IP address, so even with IP address and user-agent it still isn't unique.
What if I logged their IP address and their session ID?
Would that be a good compromise or can anyone suggest a better option?
Thanks
Related
I am looking for a solution to stop multiple sign-ups on an upcoming website of mine, but I am looking for different alternatives besides saving the IP and tracing that.
So I was thinking about computer ID saving on the server. Is that possible?
No, that's not possible, simply because this information is never sent over the network. The only information you could reliably get from a user visiting your website is his IP address, in addition to the standard HTTP headers, which might or might not contain information about the user agent he is using, the language he configured in his browser, ...
A friend of mine showed me a website recently where a person could vote for something. There was no login required, but when I tried to vote more than once (per day), the web site knew. What are possible ways for this to be done?
My first thought was IP address, but I don't think that would work. If I'm in a large office building, work, or public wifi (starbucks, airports, etc) wouldn't it be the case that only 1 person per shared IP address could vote?
What if I drove around the city voting with my phone. If the website were to simply log IPs, wouldn't I theoretically be able to vote once for every cell tower I was close to?
If cookies were used, wouldn't it be possible to disable cookies and vote infinitely?
What mechanism is used to create this type of behavior?
Almost certainly done with a cookie.
It probably tests first that cookies are enabled, and only then lets you vote.
Try voting twice using two different browsers.
I have a client who has a crimestoppers' website. They want to provide visitors a means to submit anonymous crime tips, which would then be forwarded to a pre-established email address at the local police department.
What is the best / easiest way to accomplish this? The sender's IP address needs to be hidden. My client also needs to be able to pull reports showing how many tips were submitted and forwarded.
Many thanks!
A simple contact form can be used. It's up to the developer's trust to hide the IP. The submitter won't see anything of what is being done using PHP.
You can then update a database with the tips being posted before sending the mails.
In terms of development, you can use a plugin such as Contact Form 7 and then use its hooks to save the tips submitted before sending the mails.
It is rather simple to set up a contact form that submits to an email address (just use the excellent ContactForm7, as rrikesh's answer suggests). However, getting anonymity right (especially against a party that has as much power and resources) is tricky. You need to be clear about the level of anonymity that you can provide. Log files, document metadata or your ISP can easily give a lot of information away.
Here are two projects that have different approaches. They're both not ready-made solutions to your question, but still relevant:
PrivacyBox:
This is a web service run by the German Privacy Foundation. It's basically a message relay like the one you want, except that the user has to trust the Foundation, not you. This model highly depends on the institution providing this service. I'm sure there are other, US-based services like this.
Briefkasten:
An open source software tool used by the German newspaper Die ZEIT.
a reasonably secure web application for submitting content anonymously. It allows uploading attachments, which are then sanitized of a number of meta-data which could compromise the submitter's identity. Next, the sanitized files are encrypted via GPG and sent via email to a pre-configured list of recipients. The original (potentially 'dirty') files are then deleted from the file system of the server. Thus, neither should admins with access to the server be able to access any submissions, nor should any of the recipients have access to the unsanitized raw material.
This is an attempt to automate the crucial steps to strip any identifying data from the submission and encrypt it, so only the intended recipients can access it.
You would have to host this yourself, though. And it's a Python app.
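The metadata-stripping step that Briefkasten's description refers to is the part most easily gotten wrong, so here is an added example (not Briefkasten's own code, and not part of the original answer) of what "sanitizing" means for one common attachment type. It walks the JPEG marker structure and drops every APPn segment except the plain JFIF header (APP1 carries EXIF and XMP, which can hold GPS coordinates, camera serial numbers and author names) and every COM comment segment, then copies the scan data untouched. The sample file is constructed inline from bare markers and is not a real photo; the GPS and name strings in it are made up.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP15, COM = 0xE0, 0xEF, 0xFE


def segment(marker, payload):
    """Build a JPEG marker segment: 0xFF, marker, 2-byte big-endian length
    (the length counts itself), then the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def strip_jpeg_metadata(data, keep_jfif=True):
    """Return (sanitized_bytes, removed_markers).

    Drops APP1..APP15 and COM segments that precede the scan; keeps tables,
    frame headers and (optionally) the APP0 JFIF header, which carries no
    identifying information. Everything from SOS onward is entropy-coded
    image data and is copied verbatim. Fill bytes before markers are not
    handled; real inputs should be validated by a proper decoder first.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    removed = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            out += data[pos:pos + 2]
            break
        if marker == SOS:
            out += data[pos:]          # scan data up to and including EOI
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        is_app = APP0 <= marker <= APP15
        drop = (is_app and (marker != APP0 or not keep_jfif)) or marker == COM
        if drop:
            removed.append(marker)
        else:
            out += data[pos:end]
        pos = end
    return bytes(out), removed


def build_sample_jpeg():
    """Constructed test input: a marker skeleton with identifying metadata.
    The GPS/serial/name values are invented for the example."""
    jfif = segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"GPS 52.52N 13.40E serial-0001")
    xmp = segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta creator='alice'/>")
    comment = segment(COM, b"shot by alice on her phone")
    dqt = segment(0xDB, b"\x00" + bytes(64))                     # quantization table
    sof = segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # 1x1 baseline frame
    sos = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x2a\x7f\x00\xff\x00\x12"                            # fake entropy data
    return b"\xff\xd8" + jfif + exif + xmp + comment + dqt + sof + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean, removed = strip_jpeg_metadata(build_sample_jpeg())
    print("removed markers:", [hex(m) for m in removed])
    print("identifying strings left:", b"alice" in clean or b"GPS" in clean)
```

In a real intake pipeline this would run on the uploaded bytes in memory, the sanitized copy would be what gets encrypted and forwarded, and the original upload would never be written to disk at all, which is a stronger guarantee than deleting it afterwards.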
I want to prevent users from voting more than one time on my website. I used two methods to do that, but neither does it well!
1. Using a cookie. The problem: users can delete the cookie and come back to vote again and again.
2. Using a database table. The problem: users shouldn't be forced to register on my website!
So, how can I solve this problem?
You have your two answers, you need to decide which is best. No option is going to be bulletproof. It's all about slowing them down, and what level of effectiveness is acceptable for you.
A cookie is generally the acceptable way to do this. Yes, cookies can be cleared, but if the desire to prevent duplicate voting is that important, then registration is the only effective way to prevent it. Any other mechanism could probably be beaten by those that want to. You could use something like Evercookie, but I don't generally think it's a good practice to do so. If you make your registration process simple, but effective, some users will do that.
An IP address is just as flawed, as most residential IPs are not statically assigned. Someone could reset their modem and get a new IP address. Or worse, someone could reset their modem, get an IP address that has already visited the site, and be unable to vote. Another scenario is users behind NAT. If 200 people are sharing an IP with NAT, then only one of them will be able to vote.
You could get creative with the IP address, though. Keep using the cookie, because that will be effective. If you start detecting multiple votes from the same IP address (because they cleared their cookies), display a CAPTCHA. If it isn't someone trying to abuse the system, then they still get the opportunity to vote. This will help defeat automated voting, and slow down users enough that abusing your voting system isn't worth their time. This, as well, can be defeated; it's a question of what level of effectiveness is acceptable to you. Even registration isn't purely 100% effective, but it is probably the most effective. What would stop someone from registering many times with different email addresses?
I don't think you have many options, as you are not forcing users to register. You need to use sessions or cookies. As pointed out in comments, you can also check the IP address. But if the intended audience uses dynamic IP addresses assigned by their ISP, then this solution also fails.
If possible you can ask users to register with their Facebook/Google ID, like Stack Overflow does.
There isn't an infallible way to accomplish what you want from a web application, and especially without requiring users to register.
This site (Stack Overflow) does it right, by registration. IP is a really bad idea because all the folks behind a proxy/server can't vote. Most folks have multiple browsers; you don't even need to delete the voting cookie to vote again, just use another browser. As mentioned, OpenID is the lowest impact + highest security route. They can get around that via multiple accounts.
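The cookie-only approach from the earlier voting answer ("almost certainly done with a cookie") and the cookie-plus-IP-plus-CAPTCHA escalation described in the answer above combine naturally into one gate. This is an added example, not code from any of the answers or from Stack Overflow, and it assumes a server-side secret, an in-memory store (a real deployment would use the database or a cache so the state survives restarts and is shared across workers) and a CAPTCHA that has already been verified elsewhere and is passed in as a flag. The cookie value is a random id plus an HMAC tag, so a voter who clears cookies gets a fresh id (which the answer accepts as unavoidable) but cannot mint arbitrary ids offline; once a single IP has cast more than a threshold of accepted votes inside the window, further votes from it need a solved CAPTCHA rather than being refused outright.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumption: one per-deployment secret, loaded from configuration in practice.
SECRET = secrets.token_bytes(32)


def issue_voter_cookie():
    """Random voter id plus an HMAC tag; set this as an HttpOnly cookie."""
    vid = secrets.token_hex(16)
    tag = hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{vid}.{tag}"


def verify_voter_cookie(cookie):
    """Return the voter id if the tag checks out, else None (forged or garbled)."""
    try:
        vid, tag = cookie.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()[:32]
    return vid if hmac.compare_digest(tag, expected) else None


class VoteGate:
    """One vote per (poll, voter cookie); per-IP CAPTCHA escalation."""

    def __init__(self, per_ip_limit=3, window_seconds=3600):
        self.votes = set()                    # {(poll_id, voter_id)}
        self.ip_events = defaultdict(deque)   # ip -> timestamps of accepted votes
        self.per_ip_limit = per_ip_limit
        self.window = window_seconds

    def _recent_count(self, ip, now):
        q = self.ip_events[ip]
        while q and q[0] <= now - self.window:
            q.popleft()                       # drop events outside the window
        return len(q)

    def vote(self, poll_id, cookie, ip, captcha_passed=False, now=None):
        """Return one of: set_cookie, duplicate, captcha_required, accepted."""
        now = time.time() if now is None else now
        voter = verify_voter_cookie(cookie) if cookie else None
        if voter is None:
            # No cookie or a forged one: hand out a cookie and have the
            # client retry; this also confirms cookies are enabled.
            return "set_cookie"
        if (poll_id, voter) in self.votes:
            return "duplicate"
        if self._recent_count(ip, now) >= self.per_ip_limit and not captcha_passed:
            # Many fresh cookies from one address: likely cleared cookies or a
            # bot, but possibly an office NAT, so challenge instead of refuse.
            return "captcha_required"
        self.votes.add((poll_id, voter))
        self.ip_events[ip].append(now)
        return "accepted"


if __name__ == "__main__":
    gate = VoteGate(per_ip_limit=2, window_seconds=60)
    office_ip = "203.0.113.5"                 # constructed sample address
    for i in range(4):
        c = issue_voter_cookie()
        print(i, gate.vote("poll-1", c, office_ip, now=1000 + i))
```

Tune `per_ip_limit` to the size of the largest shared address you expect (a corporate proxy, a campus NAT); the CAPTCHA path means setting it low costs legitimate users a challenge rather than their vote.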
So, the Web application I'm working on allows input from anonymous users (and their participation in the flagging system).
As for the spamming issue, would it be enough to use the honeypot method or is an image CAPTCHA (e.g. reCAPTCHA) necessary in this case?
For the flagging system, if I want to let anonymous users "flag" posts, it's not enough to allow one flag (per post) per cookie, because they have control over the cookies (and could bypass this prevention). I should allow ONLY one flag per IP, then, right? I know that this method would prevent users that share the same IP (yeah, corporate networks, etc.) from flagging the same post, but there is no other way around it, is there?
How can I ensure anonymous users' anonymity? By this I mean, how do I prevent their posts from being "tracked" (if this is even possible)? I know that every server has a log of every connection, so, is it possible to hide theirs?
Any help would be greatly appreciated!
Honeypots are useless if your site is popular, because then people will write custom bots for it. For the flagging, you can limit it to one per cookie, and rate-limit it by IP. That way, people on corporate networks, etc. will be a little inconvenienced but not completely out of luck.
It's completely up to you what you log and how long you keep them. By default, the request IP may be logged, but you don't have to log it. Most sites do, but the real difference is how long they keep it.