I need a simple user identification system for the purpose of allowing/prohibiting an action.
This is not a high-security requirement and it is ok to make mistakes (eg same user will execute non-allowed action using different browsers).
To be less abstract, let's see at the StackOverflow voting and assume we want to allow voting by public audience, but only once.
The simplest thing that can work - is using a cookie: set a new cookie per answer; store all votes in one cookie (or combine these somehow).
This is a bit unreliable due to the limitations of a cookie size/number. It will also sent the cookie to the site all the time, while it is only required on 1 action.
So from this perspective I would like to avoid using cookie.
But don't see a better of doing this over a regular HTTP. I don't consider IP/MAC address etc.
So, with the context above, the questions is: how to anonymously identify a user and store that information on the client?
Thanks.
You can identify anonymous website visitors by using website visitor identification software that translates their IP address to a company name. Once you know who is looking at your website, you can proactively contact them and turn them into leads.
User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed as username or user identifier.
What is an Anonymous User? Anonymous User is any user who accesses network resources without providing a username or password. Some Microsoft Windows Server applications like Microsoft Internet Information Services (IIS) can be configured to allow anonymous users to access their resources.
Anonymous user authentication enables users to log in to SGD without using a user name and password. As users are anonymous, SGD assigns each anonymous user a temporary user identity. The user identity is only effective while the user is logged in. Anonymous user authentication is disabled by default.
Anonymous user identification can certainly be done (and is being done) with a fairly high degree of accuracy. Rather than reprint the methodology here's a bit of reading that will lay it all out.
First is an old bit by the EFF regarding the mathmatics of user privacy (specifically the entropy behind your data) on the internet. Certainly optional, but it expresses the model that we're looking at. You can skip this if the math behind identification doesn't interest you.
http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy
Basically taken in a nutshell: using just the browser-agent, IP address and other data published in one of their examples (panopticlick) http://panopticlick.eff.org/ you have a very high likelihood of uniquely identifying a user (as long as it is the same machine) without the need for cookies. Additional information regarding their research into browser detection and uniqueness is available here:
http://panopticlick.eff.org/browser-uniqueness.pdf
Visit the panopticlick page and give it a test. It will show you what to look for (and give examples and source of how to go about it) while the .pdf will detail the uniqueness and specifics of the fingerprinting method.
My system configuration, for example, is unique among the 1,301,578 total tested with 20.38 bits of identifying information (reduction of entropy). Given their research, you will have an accuracy of 94.2% and 99.1% in identifying users between visits without the use of any client side tracking.
Store a small unique identifier on the client side as a cookie, then use that identifier to look up whatever related session data you need on your server's side.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With