Thread: Identifying machine uniquely by PHP

  1. #1

    Hi,

    Is there any way that a machine could be identified uniquely in PHP? I am making a voting site, and the client's requirement is to vote from a machine once a day.

    1) Machines sharing the same IP in a LAN should be identified uniquely.
    2) On the other hand, when using a single machine one can vote from several browsers. It should not be done. Otherwise one can use the same browser to vote again and again deleting cookie sessions etc. It also should not be done.

    If there is no way to fix the above points, then is there any alternative way to do the same?

    Thanks.

  2. #2

    Short answer: no.
    Quote, originally posted by Aniruddhya Hazra:
        1) Machines sharing same IP in lan should be identified uniquely.
        2) On the other hand when using a single machine one can vote from several browsers. It should not be done. Otherwise one can use the same browser to vote again and again deleting cookie sessions etc. It also should not be done.
    PHP cannot see past the IP (in fact, it can't "see" anything at all: any info about IP, client machine, browser, etc. is volunteered by the browser/user. And no one can "see" past a router: it's all the same to the outside world. In most cases, it's the ISP's IP address you get anyway, and they route to their clients from there, then you hit home/office networks, etc.).

    There are two issues at work here: basic network/IP structure, and privacy/security. You're not going to defeat either. There's also the fact that some computers are used by more than one person, and some people use more than one computer.

    The generally accepted solution is to use a unique identifier for each voter: such as email address, or cell number (such as in the case of text voting).

  3. The Following User Says Thank You to traq For This Useful Post:

    Aniruddhya Hazra (11-12-2011)

  4. #3

    Thank you for your reply.

  5. #4

    To clarify one point: the IP address you get in PHP is reliable and is always there. That is the one piece of information that cannot be fake because that's where the server will send the information once PHP processes it. It may be for a proxy, for an ISP or anything else that isn't the client directly, but it is at least the first step toward the client and it is always accurate. (If it wasn't, they couldn't vote, so it wouldn't be a problem anyway.)
    That doesn't change anything, though: you'll still have one IP that identifies a certain computer and/or network, and that IP can change.

    I want to also add that voters can go to a different computer. At work, at school, at the library, or using their cell phones. It's not hard to get a new IP if you want. (From the same computer, it's a little difficult, but finding a new computer isn't hard.) And you might find several users who have the same IP, such as if they use the same internet café, are at the same school/office, or if they live in the same house (eg, brothers). So IPs aren't perfect. They'll work on average, but they're also very weak for security against anyone who understands-- so some users will cheat MORE because you're using IPs to stop them (by finding more computers to vote with).


    Although you can use emails to verify this, that's no guarantee either, but it does help. You'll still get some duplicate votes because many internet users have at least 2 email addresses. And they can always get a new free email account if they want. But it's a good start. A cell number is more reliable, but it's easy to use a friend's phone if it's important to you.
    The most reliable solution is to use user accounts such as at a forum (like here). Although someone could have many accounts, you could require 5 posts (for example) before voting, so that you would only allow each user to vote one time. It's a lot more work (for you and for the voters), but it's very reliable. (It's still not perfect, but it's close.)



    Finally, ignoring the "real world" problems, there is a way to do this in theory, or at least try it: by compiling a list of all of the information about a user you have available (browser info, IP, time of day, etc) you could attempt to determine which voters might be voting twice. It would be very difficult and still not do anything about the multiple computer problem, but in theory you would at least have more information and that might help. I wouldn't bother putting time/energy into this though.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  6. #5

    Quote, originally posted by djr33:
        To clarify one point: the IP address you get in PHP is reliable and is always there. That is the one piece of information that cannot be fake because that's where the server will send the information once PHP processes it.
    In most cases, yes. But the IP can be faked just as any other piece of info you receive. It is true that there is almost never any reason for someone to do this: as Daniel points out, the user would be unable to receive a reply.

    In some cases, however, the reply is irrelevant: the user only wants to provide info, and doesn't care about the response. This usually only happens during an attack (DDoS, for example), so it's not something you really need to worry about in this case.
    Last edited by traq; 11-13-2011 at 04:41 PM.

  7. #6

    Are you sure? I don't have any particular knowledge about that kind of attack, but it seems like it would be very odd to have a fake IP.
    Here's why:
    1. I can imagine claiming you have a fake IP (something other than your own).
    2. If PHP gets the IP info like it gets the browser/language/referrer info, then that fake IP would be taken.
    3. But isn't every internet interaction traceable? So unless PHP is configured stupidly, it should at least receive the real sending IP, even if the other information sent from it is wrong.
    Think of this like a man in a blue car yelling "my name is John, I live in England, and I'm in a green car." There's no way to verify any of the other information (it may all be a lie), but just by checking the source (a blue car) you know that it's not a green car, so the delivery method (eg, IP) cannot be faked.
    Now, that doesn't mean that you can't route it through another computer (a proxy), but you will receive the IP of some part of the chain, no? If not, then it seems like internet crime (what you see the FBI fighting in movies) is completely anonymous-- there's no way to tell where something came from except based on whether they told the truth.

    On the more practical side of things, the user did have to access your site to find the page and receive at least some information at their real IP address (or through a proxy). So I guess this could be a second usage of the site that just sends information, but one way to solve that would be to require two pages, the first that generates permission to enter the second (eg, a CAPTCHA), so that you know the user has received information at that IP.
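
The two-page idea from the post above (a first page that issues permission for the second, showing that the client received data at its address), sketched in PHP as an added example that is not part of the original thread. It binds a signed token to `$_SERVER['REMOTE_ADDR']`, the address of the TCP peer, and ignores client-supplied headers; the function names, `VOTE_SECRET` and the 600-second lifetime are assumptions for illustration.

```php
<?php
// Added example: two-step vote flow. Page 1 issues a signed token bound to the
// address the response is sent to; page 2 accepts a vote only with that token.
// VOTE_SECRET, the function names and the 600 s lifetime are assumptions.
const VOTE_SECRET = 'replace-with-a-long-random-server-side-secret';
const TOKEN_TTL   = 600; // seconds a token stays valid

// Use the TCP peer address. Headers such as X-Forwarded-For are sent by the
// client and can contain anything, so they are ignored here.
function peer_ip(array $server): string {
    return $server['REMOTE_ADDR'] ?? '';
}

// Page 1: build "expiry.nonce.mac"; the MAC covers expiry, nonce and peer IP.
function issue_vote_token(string $ip, ?int $now = null): string {
    $expiry = ($now ?? time()) + TOKEN_TTL;
    $nonce  = bin2hex(random_bytes(16));
    $mac    = hash_hmac('sha256', "$expiry|$nonce|$ip", VOTE_SECRET);
    return "$expiry.$nonce.$mac";
}

// Page 2: the token must be well-formed, unexpired, and signed for this IP.
function verify_vote_token(string $token, string $ip, ?int $now = null): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expiry, $nonce, $mac] = $parts;
    if ((int)$expiry < ($now ?? time())) {
        return false; // expired
    }
    $expected = hash_hmac('sha256', "$expiry|$nonce|$ip", VOTE_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed sample request data (documentation-range addresses).
$page1 = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99'];
$token = issue_vote_token(peer_ip($page1));

var_dump(verify_vote_token($token, '203.0.113.7'));   // same peer address
var_dump(verify_vote_token($token, '198.51.100.99')); // different peer address
var_dump(verify_vote_token($token, '203.0.113.7', time() + 2 * TOKEN_TTL)); // expired
```

The token only shows that the client received page 1 at that address; limiting votes to one per day still needs a server-side record keyed on a verified identifier such as the e-mail address or account suggested earlier in the thread. Storing used nonces server-side would additionally make each token single-use.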

  8. #7

    Basically, if you falsify the IP, your response will get lost (sent to the wrong computer, and presumably "dropped" from there).

    The practical application of IP spoofing is very limited (usually attacks) and isn't something your typical user will know how to do (or even that it can be done, or in most cases, what you're even talking about). I don't know too much about attacks like this either, or connection tracing, but from what I understand - no, networks don't make, forward, or keep any record of the path requests take. (ISPs do from time to time, and it usually creates a big Privacy stir. I'm still mad about Charter Communications reading my requests and falsifying my responses.)

    The details of TCP/IP, privacy, anonymity, and network hacking give me a headache. Basically, all you will ever "know" is the IP of the last machine that handled your packet, and that's *if* the user doesn't spoof it.

    It therefore has very little relevance to the OP's question or any possible solution, but I think it's a good thing to know.
    Last edited by traq; 11-13-2011 at 06:41 PM.

  9. #8

    That all makes sense. I'm still confused about how you could spoof "the IP of the last machine that handled your packet", so at the theoretical level it seems like the IP should be reliable (ignoring proxies and so forth), but you're saying that even that can actually be spoofed. I don't have any other info about it, but how then can the government track anyone by IP? If it's that easy to figure out, it seems like more hackers would do that. Or maybe they would need to receive some info, so the government can only track them when they are receiving info back. But something like streaming a video (often happens in movies/tv shows, eg, of an execution) apparently can always be traced, at least to the first proxy, by someone who knows what they're doing. [I'm well aware that trusting media representations of technology is a stupid approach to evidence for this, but that's really all I have to go on and it seems generally intuitive. But I guess if the packets are just floating around there's no inherent reason they're attached to where they came from, but maybe it's possible to tell based on the "direction" they're coming from, if you trace it backwards... So maybe IP isn't the real way they're tracked.]

    As for your ISP hijacking your connection, you're not alone-- Comcast does the same thing (and I know of no 'opt out' options, but I haven't looked). And the reason is fairly clear to me: they want to serve ads instead of 404 pages. This increases their profits. This is exactly the same thing as domain hosts that have parked domain ad pages when you haven't started using the domain yet (or those 'domain harvester' sites). As for a solution, I wonder if there is some way to set your router/computer to always consider that website (your ISP's 'search' page) to be a 404. That would be an indirect way to deal with it, but it would basically eliminate the problem. Of course it wouldn't actually prove that you're exiting the ISP's servers into the world wide web.