Question

I want to detect multi accounts in a browser game: If a user has more than one account, I want to know this.

For various reasons, I don't want to detect the multi accounts by comparing IPs anymore. Users can share IPs and IPs are easy to change. So this is not a good method.

Instead, I want to detect the accounts using cookies. Do you think this is a good solution?

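<?php
// Candidate identifier for this browser, derived from the IP and a random number
$uniqueHash = md5($_SERVER['REMOTE_ADDR'].mt_rand(1, 100000)); // identify a single user
if (isset($_COOKIE['uniqueHash'])) {
    // Cookie already present: store its value for the logged-in user.
    // The cookie value is user-controlled, so bind it as a query parameter instead of concatenating it:
    // UPDATE dbTable SET uniqueHash = :uniqueHash WHERE id = x
}
else {
    // No cookie yet: set it for 30 days on all subdomains (secure = FALSE, httponly = TRUE)
    setcookie('uniqueHash', $uniqueHash, time()+3600*24*30, '/', '.domain.com', FALSE, TRUE);
}
?>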

After that, I can select all users who have the same uniqueHash value from the database table.

Is this improvable? Or a totally bad solution?

What about Flash cookies? They're better, right? But I can't use them when I have no Flash on my site, can I?

Thanks in advance!


Solution

If you create a log containing the login date, IP, hash and UserID, you might be able to get an idea of whether a user is a multi account or not. Detecting it automatically will be nearly impossible: if I'm visiting a friend of mine, I might log in on his computer to check my account.

So log all the data, then have a human "multihunter" look into whether it's the same player or not.

OTHER TIPS

Storing values in cookies is even worse than comparing IPs, IMHO. Cookies are very easy to change/delete, while changing your IP is much harder.

I think your best shot is to have some basic AI solution which flags suspicious accounts. So multiple logins with the same IP at the same time (could be IP sharing or multiple browsers at the same time) is something the AI should pick up. Also look at logouts and logins from the same IP with different accounts at short notice. Try to look up hostnames and use that as well, since the ISP's DHCP sometimes gives clients a new IP but the hostname stays the same.

The point is that there is no solution which is based upon one piece of information.

Btw, another solution that comes to mind is to let users confirm their account by sending an SMS or letting them pay a very small amount (like $1); in that case it is not attractive to register many accounts.
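The logging-and-flagging approach described in the two answers above, as an added example that is not part of the original posts: it scores account pairs from a login log (date, IP, cookie hash, user ID) on several signals and produces a ranked queue for a human reviewer. The log layout, the weights, the 10-minute window and the name `scorePairs` are assumptions made for illustration, and the sample rows are constructed.

```php
<?php
// Constructed sample login log: [unix time, user id, ip, cookie hash]. All values are made up.
$log = [
    [1700000000, 'alice', '203.0.113.7',  'c1'],
    [1700000120, 'bob',   '203.0.113.7',  'c1'], // same cookie and IP, two minutes after alice
    [1700003600, 'carol', '203.0.113.7',  'c9'], // shared IP only, an hour later
    [1700090000, 'alice', '198.51.100.4', 'c1'],
    [1700090060, 'dave',  '192.0.2.55',   'c4'], // unrelated account
    [1700200000, 'bob',   '198.51.100.4', 'c1'], // a second IP shared with alice
];

const WINDOW = 600; // seconds; assumed threshold for "logins at short notice"

// Hypothetical helper: returns [pair => ['score' => int, 'signals' => [...]]], highest score first.
function scorePairs(array $log): array
{
    usort($log, fn($a, $b) => $a[0] <=> $b[0]); // chronological order
    $signals = [];
    $n = count($log);
    for ($i = 0; $i < $n; $i++) {               // O(n^2): fine for a sample, batch by IP/hash on real data
        for ($j = $i + 1; $j < $n; $j++) {
            [$t1, $u1, $ip1, $h1] = $log[$i];
            [$t2, $u2, $ip2, $h2] = $log[$j];
            if ($u1 === $u2) continue;          // same account, nothing to compare
            $pair = $u1 < $u2 ? "$u1|$u2" : "$u2|$u1";
            if ($h1 === $h2) $signals[$pair]['cookie'] = 3;        // same browser cookie
            if ($ip1 === $ip2) {
                $signals[$pair]['ip:' . $ip1] = 1;                 // each distinct shared IP counts once
                if ($t2 - $t1 <= WINDOW) $signals[$pair]['quick_switch'] = 2;
            }
        }
    }
    $queue = [];
    foreach ($signals as $pair => $s) {
        $queue[$pair] = ['score' => array_sum($s), 'signals' => array_keys($s)];
    }
    uasort($queue, fn($a, $b) => $b['score'] <=> $a['score']);
    return $queue;
}

// No single signal decides anything; the output is a review queue, not a verdict.
foreach (scorePairs($log) as $pair => $r) {
    printf("%-12s score=%d  %s\n", $pair, $r['score'], implode(', ', $r['signals']));
}
```

On the sample rows, alice|bob ranks first with a score of 7 (cookie, two shared IPs, quick switch), while the pairs that only share one IP with carol score 1 each.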

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow