
How reliable is $_SERVER["REMOTE_PORT"] in determining user device?

Tags: php, apache

I am creating an anonymous online poll. I can eliminate some duplicated votes by using a browser fingerprint, but I still worry about what happens if a user changes his browser and votes again. So I am trying to find an effective device fingerprint to solve that problem. Obviously IP is not an option, because my targeted users might be at school sharing the same IP with classmates, or live in an apartment sharing an IP with roommates.

I was experimenting with $_SERVER["REMOTE_PORT"] and discovered that $_SERVER["REMOTE_PORT"] would stay in a relatively consistent range on the same device no matter what browser I'm using, and it is always increasing. For example, on Mac 1, my port is in the range of (58100,58200) during an interval of 10 minutes no matter what browser I'm using; similarly on Mac 2, the range stays in (49200,49300) for about 10 minutes no matter what browser I'm using. I also tested it on an iPhone, and the range for that is (50100,50200). So I wonder if using $_SERVER["REMOTE_PORT"] together with the fingerprint could prevent duplicated votes in a short period of time from the same person on the same device? I also want to mention that all of the above experiments were done in a local network. So do you have any better solutions? Or do you think this could work on a production server?

Jz1012 asked Dec 26 '22 12:12
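Added example (not part of the original question or its answers): a loopback sketch in Python of what $_SERVER["REMOTE_PORT"] reflects, namely the TCP source port of one connection as the server sees it. It opens several concurrent connections directly and then through a relay standing in for a proxy or NAT hop; the function name and the relay are assumptions made for this illustration.

```python
import socket

LOOPBACK = ("127.0.0.1", 0)  # port 0: let the OS pick a free listening port

def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(LOOPBACK)
    s.listen(16)
    return s

def observe_remote_ports(n_connections, via_relay=False):
    """Open n concurrent TCP connections to a local server.

    Returns (client_ports, hop_ports, seen_ports):
      client_ports - source port the client's OS chose for each connection
      hop_ports    - source port of the relay's upstream connection (relay mode)
      seen_ports   - peer port the server sees, i.e. what PHP calls REMOTE_PORT
    """
    server = _listener()
    relay = _listener() if via_relay else None
    open_socks = [server] + ([relay] if relay else [])
    client_ports, hop_ports, seen_ports = [], [], []
    try:
        for _ in range(n_connections):
            target = (relay or server).getsockname()
            client = socket.create_connection(target)  # one "browser" connection
            open_socks.append(client)
            client_ports.append(client.getsockname()[1])
            if relay:
                # Stand-in for a proxy: it terminates the client connection and
                # opens its own to the server. A NAT gateway can rewrite the
                # source port to similar effect.
                inbound, _ = relay.accept()
                upstream = socket.create_connection(server.getsockname())
                open_socks += [inbound, upstream]
                hop_ports.append(upstream.getsockname()[1])
            conn, peer = server.accept()
            open_socks.append(conn)
            seen_ports.append(peer[1])
    finally:
        for s in open_socks:
            s.close()
    return client_ports, hop_ports, seen_ports

if __name__ == "__main__":
    print("direct: ", observe_remote_ports(3))
    print("relayed:", observe_remote_ports(3, via_relay=True))
```

Every connection from the same machine gets its own port, and once a middlebox sits in the path the server records the middlebox's port rather than the client's, so the value identifies a connection, not a device.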


2 Answers

There is NO reliable way of determining the user's device. Period.

Your Common Sense answered Feb 09 '23 00:02


Might want to consider e-tag and/or cookie tracking if tracking users for a short time.

Etags are an ID intended to track image caching, but if you deliver a different e-tagged image to each user it's effectively a transparent cookie (deleting cookies alone won't clear it; you must also delete the browser cache).

The e-tag solution is too long to effectively post here, so here's a git example: https://github.com/lucb1e/cookielesscookies (I'm in no way related to this git).

Using all 3, e-tag + browser fingerprinting + cookies, is the most reliable way I've discovered to track anonymous users.

However, since cookies and caching are browser-specific, these techniques can be circumvented simply by changing browsers or using the 'incognito/private window' on newer browsers. A sophisticated user may also use anonymizing proxies or the Tor browser to completely bypass all attempts at user tracking.

The only people who can reliably track a user are the ISP. (The FBI/CIA ask for the ISP logs for this info when investigating a hacking attack.)

Philippe answered Feb 09 '23 00:02