When visiting a public messageboard, how can a site track its visitors? On a computer with cookies disabled, dynamic IP domain masks, how can the computer be tracked for repeat visits and post content?
Perhaps you may need to start blocking entire subnets..
Can kill forum traffic but as they say... That's the breaks.
That's a possibility. Would that be done on the web server (IIS, in this case)?
You might want to look at server side sessions. This technique is used in PHP and can be a method of tracking users. Is this question, however, about blocking users or keeping track of them as far as what posts they have read or what they have posted?
Initially to track what they've posted (what they are reading is interesting also). Then blocking if they are continually posting objectionable/off-topic messages.
Two separate processes then. IMHO, I'd use the server side sessions to keep track of users who don't use cookies and to avoid cookie usage in general.
Then to deal with users who do "no-no" things, I'd put in place specific bans through firewalls and/or local files that deny access (I'm thinking *nix and the hosts.deny/hosts.allow files). Start with specific bans based on IP and go broader if it becomes more problematic. Lastly, you may need to consider switching to a username/password login to limit who has access if they become specifically caustic.
If you're running Apache, you may also want to consider the Deny directive as supplementary to the hosts.deny/hosts.allow option. It can be placed within any .htaccess file, or within a <Directory> directive in the main configuration. For the sake of keeping it manageable, you'll probably want to go with your Deny directive.
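The escalation described in the replies above (ban single addresses first, widen to the subnet only when several addresses in it keep offending), as an added example that is not code from any poster in this thread. The thresholds, the /24 escalation width, the function names and the sample addresses (taken from documentation ranges) are assumptions; the output uses Apache 2.2-style `Order`/`Allow`/`Deny` directives.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (client IP, did a moderator flag the post?)
FLAGGED_POSTS = (
    [("192.0.2.15", True)] * 3          # one repeat offender, alone in its subnet
    + [("198.51.100.7", True)] * 3      # three repeat offenders sharing one /24
    + [("198.51.100.23", True)] * 3
    + [("198.51.100.200", True)] * 3
    + [("203.0.113.9", True)]           # a single flagged post: below threshold
    + [("203.0.113.50", False)]         # ordinary visitor
)

IP_THRESHOLD = 3      # assumed: flagged posts before one address is banned
SUBNET_THRESHOLD = 3  # assumed: banned addresses in a subnet before widening
SUBNET_PREFIX = 24    # assumed escalation width


def build_bans(posts, ip_threshold=IP_THRESHOLD,
               subnet_threshold=SUBNET_THRESHOLD, prefix=SUBNET_PREFIX):
    """Return a sorted list of networks to deny, narrowest rule that fits."""
    flagged = defaultdict(int)
    for ip, is_flagged in posts:
        if is_flagged:
            flagged[ipaddress.ip_address(ip)] += 1
    banned_ips = {ip for ip, n in flagged.items() if n >= ip_threshold}

    # Group banned addresses by their enclosing subnet.
    by_subnet = defaultdict(set)
    for ip in banned_ips:
        net = ipaddress.ip_network(f"{str(ip)}/{prefix}", strict=False)
        by_subnet[net].add(ip)

    bans = set()
    for net, ips in by_subnet.items():
        if len(ips) >= subnet_threshold:
            bans.add(net)  # go broader: one rule for the whole subnet
        else:
            bans.update(ipaddress.ip_network(str(ip)) for ip in ips)
    return sorted(bans)


def apache_deny_lines(bans):
    """Render the bans as Deny directives for .htaccess or <Directory>."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for net in bans:
        single = net.prefixlen == net.max_prefixlen
        lines.append(f"Deny from {net.network_address if single else net}")
    return lines


if __name__ == "__main__":
    print("\n".join(apache_deny_lines(build_bans(FLAGGED_POSTS))))
```

Widening to a subnet also locks out every legitimate visitor in that range, so the subnet threshold is the setting to tune against the forum's own traffic.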
If IIS has such a mechanism, I'd need to deny an entire subnet?
I'm looking through IIS now for this option.
Many thanks.
Great site.
So, we disable subnet, short of going to another network, what can a determined user do to get on the messageboard anyway?
The determined user could use a proxy.
If the user from the USA would use a proxy, say in Germany, he'd have an entirely different subnet.
PHP sessions use cookies and only use URI based session IDs if the client doesn't support cookies.
brarydon, without using some form of authentication scheme, you can't do it reliably (and easily). Changing address, changing browser, changing anon proxy, etc.
Now if you want a very advanced solution (I got complained to before by not prefacing my ideas like this. ;) ) check out the attached document, it discusses web cache based privacy attacks. You could search the user's cache for specific files, for example an image or script file that is only presented to a user after they make a post, this way you can tell if the user has posted on your site before.
What to do next depends on you; I would assign every post an identifier (PID) and then add the PIDs of offending users to a database. Each of the aforementioned cached files should be traceable to each PID. This way you can match the user's cache against offending PIDs. If the cache match turns up nothing, you'll want to make sure the user didn't just dump their cache; unfortunately I cannot think of a good way to do this aside from checking for unique files (images prolly) from other sites (google, yahoo, sites related to yours, etc.) they should have visited recently. While it is true that this may still result in a few false positives and can still be defeated if the attacker is careful and knows what to do... it is a solution that should deal with people at the level of needing to get themselves banned from message boards.
best of luck,
catch
edited to add: IIS has the required functionality.