Question:
Context
I am developing a survey website where anyone can vote once. Obviously I have to prevent multiple registrations for the survey to remain relevant. I force every user to log in with their Google, Facebook or Twitter account. But they can authenticate 3 times if they have an account on each, or authenticate with multiple accounts on the same platform (I have 3 accounts on Google). So I thought of storing their IP address, but they can still use a proxy. I could keep the HTTP User Agent with PHP's get_browser(), although they can still change browsers. I can extract the OS with a regex; changing OS is less easy than changing browsers. And there is also geolocation, for example with the Google Maps API.
Questions
- How to prevent multiple registrations? What kind of test can be done?
- How to embed these tests? Execute in what order?
- Have you already deployed this kind of solution?
Answer 1:
You can verify users by mobile phone, by sending a text message with a code to it. This will limit the number of votes to the number of mobile phone numbers owned by the user.
Answer 2:
The only way to be absolutely sure is to use something that uniquely identifies a person, such as a serial number (social security number) or a hardware identifier (RSA key). The next best thing is to require a credit card, as that usually identifies the first and last name. All other attempts can be easily broken (i.e. 2-phase authentication with a phone number, geolocation, etc.). Headers sent by the browser can be easily spoofed (geolocation, IP address, user agent are all headers), and as you mentioned it's very easy to create multiple Google/Twitter accounts.
Answer 3:
Those tests you mention can help prevent some users from registering multiple times, but a determined user will be able to circumvent these measures if they really want.
They can create multiple accounts with Google, FB, or Twitter, spoof their user agent easily with browser plugins, as you said, or hide behind large numbers of proxies, which also defeats geolocation.
One other thing you could do is add proxy detection, and try to prevent registration/voting if you think they are behind a proxy.
Answer 4:
How about requiring a valid email address from domains (or TLDs, such as .gov?) that only grant one email address per physical person?
Just making a suggestion here, it might not be feasible if you must literally allow anyone to vote.
Answer 5:
First off you need to somehow uniquely identify the user. Some things you've mentioned are:
- Email addresses
- IP addresses
- HTTP User Agent
All of the above are easy to spoof:
- One can create several mail accounts
- Proxies. Someone proposed trying to find out if a person is behind a proxy, but you won't find the users with the elite proxies that are available. Another problem is that there may be several users sharing a single IP.
- User agents information can be altered
Something that uniquely identifies the user is the SSN. The problem is that it can somewhat easily be faked since there are several generators on the net.
The problem is that it's really, really hard to verify that a person really is the person he or she claims to be. The solution would be to make it as hard as possible for the user to make several votes (if it's not crucial that it be a single vote).
This can be solved by using, for example, verification by SMS. It's kind of hard / inconvenient for the user to get hold of several phone numbers to use.
Answer 6:
Most likely you will have to make some compromise. Making 100% certain that your users are different people will be nearly impossible. One reasonable approach is to use a service like Twilio and require that your users provide a unique phone number that your site can confirm with a simple phone call.
You will probably also want to make it inconvenient to use multiple accounts. In your case, you could use a captcha in your voting process so that the votes can't be entered by an automated system. This way, even if somebody has 10 or 50 phone numbers, they have to put forth significant effort to alter your results meaningfully.
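A minimal sketch of the phone-verification gate suggested in answers 5 and 6, as an added example (not code from the thread): phone numbers are normalized so that reformatting does not yield a second identity, stored only as keyed hashes, the one-time code expires and allows three guesses, and exactly one vote is accepted per verified number. The SMS/Twilio gateway call, the server key and the simplified normalization rule are assumptions.

```python
import hashlib, hmac, secrets, time

class VoteGate:
    CODE_TTL, MAX_ATTEMPTS = 300, 3   # seconds an OTP stays valid; guesses allowed per code

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key   # secret pepper: a leaked table does not reveal numbers
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # phone_id -> [code_hash, expires_at, attempts_left]
        self._verified = set()   # phone_ids that passed OTP
        self._voted = {}         # phone_id -> choice

    @staticmethod
    def normalize(raw: str) -> str:
        """Canonical '+digits' form so '+1 (555) 010-0100' and '15550100100' collide (simplified)."""
        digits = "".join(ch for ch in raw if ch.isdigit())
        if not 10 <= len(digits) <= 15:
            raise ValueError("implausible phone number")
        return "+" + digits

    def _phone_id(self, raw: str) -> str:
        return hmac.new(self._key, self.normalize(raw).encode(), hashlib.sha256).hexdigest()

    def issue_code(self, raw_phone: str) -> str:
        """Create a 6-digit OTP; the caller hands it to the SMS gateway (assumed, not shown)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[self._phone_id(raw_phone)] = [
            hashlib.sha256(code.encode()).hexdigest(), self._now() + self.CODE_TTL, self.MAX_ATTEMPTS]
        return code

    def verify_code(self, raw_phone: str, code: str) -> bool:
        pid = self._phone_id(raw_phone)
        entry = self._pending.get(pid)
        if entry is None or self._now() > entry[1] or entry[2] <= 0:
            self._pending.pop(pid, None)          # expired or exhausted: a new code must be issued
            return False
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).hexdigest()):
            return False
        del self._pending[pid]
        self._verified.add(pid)
        return True

    def cast_vote(self, raw_phone: str, choice: str) -> bool:
        """Accept exactly one vote per verified phone id; anything else is refused."""
        pid = self._phone_id(raw_phone)
        if pid not in self._verified or pid in self._voted:
            return False
        self._voted[pid] = choice
        return True
```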
Answer 7:
I would start by allowing only one email to be registered on the website.
Then you should maybe look at allowing votes once from each IP. This may not be viable, as it's obviously going to block potential voters behind routers.
You could check the User-Agents of each voter to try and find discrepancies.
Anything unique to a user should essentially be checked, although you may not be able to fully validate a user server side.
As already suggested, using phone numbers is also another way of reducing spam voters.
Answer 8:
Requiring users to telesignin to an account seems to be a pretty common way to prevent bulk registrations. There are a few companies that provide these services.