PHP sessions use cookies and only use URI based session IDs if the client doesn't support cookies.

brarydon, without using some form of authentication scheme, you can't do it reliably (and easily). Changing address, changing browser, changing anon proxy, etc.

Now if you want a very advanced solution (I got complained to before by not prefacing my ideas like this. ) check out the attached document, it discusses web cache based privacy attacks. You could search the user's cache for specific files, for example an image or script file that is only presented to a user after they make a post, this way you can tell if the user has posted on your site before.
What to do next depends on you, I would assign every post an identifier (PID) and then add the PIDs of offending users to a database. Each aforementioned cached files should be traceable to each PID. This way you can match the user's cache against offending PIDs. If the cache match turns up nothing you'll want to make sure the user didn't just dump their cache, unfortunately I cannot think of a good way to do this aside from checking for unique files (images prolly) from other sites (google, yahoo, sites related to yours, etc) they should have visited recently. While it is true that this may still result in a few false positives and can still be defeated if the attacker is careful and knows what to do... it is a solution that should deal with people at the level of needing to get themselves banned from message boards.

best of luck,


edited to add: IIS has the required functionality.