How to check if a person doesn't have multiple accounts?
I have two users on my website with the same IP. I asked them or him, idk, why he has 2 accounts. He said that the other account is owned by his roommate. His roommate uses another computer on my website.
So, my question: how can I detect whether he lies or tells the truth? I can check if both browsers are the same or not. What else?
The actual answer is: no, you can't!
Sure, there are many things to simulate it. But think of the user using the other person's computer/account or even browser!
You can modify local IP addresses, cookies, HTTP headers, Java applets or all other client-side things.
Most sites that want this have limits on accounts per IP address.
You also may try to filter the multi-accounts by checking for suspicious activities, but that may also not be of much help, since it would be hard to distinguish friends just working together.
All in all, this is a problem to which no effective solution exists.
It is almost impossible to make 100% sure 2 users are the same person. What I would recommend would be to negate the benefit of having 2 accounts.
Example: if your site gives a referral bonus (in the case of a gaming website), you could track IP, log-on date, sign-up date, hashed password, and similarities in email; those factors usually allow you to find multiple-account users.
If there is personal information in a typical user's account, like a CC number or a personal detail that is not meant to reach someone else's eyes, then in the edit account page make that personal detail available. No two people will ever wish to share accounts if they knew the other could access their personal data.
I don't think you can use technology to resolve such issues; a hacker will always find a way to outsmart you. However, if you have a CC on file, add a link on your user's back end that allows them to purchase flowers with a single click and mail them to anyone -- and watch how your double accounts will disappear, as no one will want one of their friends to order flowers with their CC.
I am guessing that in your case having multiple accounts could be used to gain an unfair benefit; otherwise it would be good if you clarified your situation.
The approach that you should take in that case is to detect suspicious patterns between the accounts rather than try to detect if it's the same person. Depending on what your website is about, the pattern can change a lot. Stack Overflow does this to prevent gaming the system.
Or require all of your users to link their accounts to a Facebook account. Since Facebook's terms of service prohibit multiple accounts, you can then push enforcement of the policy off to Facebook, who probably have more resources than you do.
The network that the user is on might set the X-Forwarded-For HTTP request header, which would allow you to log the private original IP address as well as the public IP address from which the request comes. You could then see if there are two different private IP addresses. But it won't work if they're just behind a NAT router, as that won't set X-Forwarded-For.
You just have to live with this. Design your site so it would not matter. In SO, if someone uses more than one account it just divides the reputation between them, so there is no incentive to do so.
Design your interaction in a way that gives no incentive for multiple accounts.
You could use a Flash app to take a picture of the user via webcam during login, and compare them... but the user would have to agree to this and can wear a mask or something. (I'm afraid what Face/Off-like ideas @Quassnoi will get.)
Testing the User-Agent string will do you no good. Likewise client-side storage or cookie solutions are not an option if the same user utilizes different browsers. The only option to discern different clients in the local network would be a Java Applet which reads out the network-local address.
E.g. www.rgagnon.com/javadetails/java-0095.html But that's quite an overkill solution, and can fail due to security restrictions, or if none of the two browsers (or users) has Java enabled.
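The signals named in the referral-bonus answer above (shared IP, sign-up date, email similarity), combined into a pairwise score that feeds a manual review queue rather than an automatic ban; this is an added example, not code from any of the posters. The account records, the weights, the threshold and the `+tag` email normalization are assumptions chosen for illustration.

```python
from datetime import datetime
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample accounts (documentation IP ranges, not real data).
ACCOUNTS = [
    {"user": "bryan", "email": "bryan.k@example.com", "signup": "2024-03-01T10:00:00", "ips": {"203.0.113.7"}},
    {"user": "bryan2", "email": "bryan.k+ref@example.com", "signup": "2024-03-01T10:12:00", "ips": {"203.0.113.7"}},
    {"user": "roomie", "email": "dana.lopez@example.org", "signup": "2023-11-20T18:30:00", "ips": {"203.0.113.7", "198.51.100.4"}},
    {"user": "carol", "email": "carol@example.net", "signup": "2024-01-05T09:00:00", "ips": {"192.0.2.55"}},
]

def normalize_email(addr):
    """Lower-case and drop a '+tag' suffix from the local part (assumed aliasing rule)."""
    local, _, domain = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def pair_score(a, b):
    """Return (score 0..1, reasons). Weights are assumptions; no signal proves identity."""
    score, reasons = 0.0, []
    if a["ips"] & b["ips"]:
        score += 0.3  # weak on its own: roommates, NAT and campus networks share IPs
        reasons.append("shared IP")
    gap = abs(datetime.fromisoformat(a["signup"]) - datetime.fromisoformat(b["signup"]))
    if gap.total_seconds() <= 3600:
        score += 0.3
        reasons.append("sign-ups within 1h")
    sim = SequenceMatcher(None, normalize_email(a["email"]), normalize_email(b["email"])).ratio()
    if sim >= 0.85:
        score += 0.4
        reasons.append(f"similar email ({sim:.2f})")
    return round(score, 2), reasons

def review_queue(accounts, threshold=0.6):
    """Pairs worth a manual look, highest score first."""
    hits = []
    for a, b in combinations(accounts, 2):
        score, reasons = pair_score(a, b)
        if score >= threshold:
            hits.append((a["user"], b["user"], score, reasons))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for hit in review_queue(ACCOUNTS):
        print(hit)
```

With the sample data, the roommate-style pair that only shares an IP stays below the threshold, while the pair that also signed up minutes apart with aliased emails is queued for review.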