Jacques wrote:
> How can I ensure that a user is prevented from creating a second profile
> after he has registered a second time with different registration details?

You can't. Not totally.

You could send them a Cookie, and hope they're not smart enough to delete it before they re-register.

You could ask them for a valid email address, and require them to get an email from you at that address before moving forward, but with free email all over, that's not much help.

You can prevent wide-spread scripted abuse by requiring them to identify a random set of characters in an image, possibly semi-obscured by "noise" in the image background. I don't think any of the scammers have glued in a usable OCR yet to defeat that, though it may only be a matter of time...

I guess part of the answer really depends on how Serious you need to be about this: Are you just trying to avoid people making the mistake of coming back a year later and re-registering without realizing they are already registered? Or are you trying to build an election system for your government? Somewhere between the two?

What seems like a simple idea -- uniquely identifying the user -- is actually IMPOSSIBLE to be 100% sure, and downright difficult to even make a valiant attempt at it.

> I thought of capturing his IP Address and checking this value against my
> users table in my database where I have captured IP Addresses of users who
> have previously registered.

Forget that.

AOL users will change their IP address more often than drummers change their underwear -- sometimes mid-session.

And a large corporation like IBM will have everybody in one location behind a firewall with a single IP address.

IP address is absolutely useless for user identification, authentication, or, well, much of anything really.

You could maybe maybe maybe find IP address useful as one of a whole bunch of "indicators" in a rather complex system calculating the probability that user X is the same as user Y, using (some of):

  IP address
  Browser headers sent (only some, though, as some change over time)
  Cookies (can be forged)
  Require an email (again, easy to defeat by itself)
  Visual I/O [see above] (stops automated registration)

Actually, you could require half of a two-way encrypted key-pair, or a "digital signature," but your average user is not gonna have any clue how to do that... And that won't stop them from making two key-pairs, but at least when you get the digitally signed token, you know they are who they say they are, assuming the original didn't lose their key.

--
PHP General Mailing List (http://www.php.net/)
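
The "indicators" idea from the reply above, sketched as an added example that is not part of the original message: each weak signal adds to a log-odds score instead of any single one deciding. The function names, record fields, weights and prior are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative log-odds weights (assumptions, not measured values). Tune them
// against labelled data from your own site before acting on the score.
const WEIGHTS = [
    'cookie' => 4.0,   // same long-lived random token: strong, but deletable and forgeable
    'email'  => 3.0,   // same mailbox after normalisation
    'ip'     => 0.7,   // same /24: weak, shared behind corporate firewalls, unstable on some ISPs
    'ua'     => 0.5,   // same User-Agent + Accept-Language: weak, shared by many people
];
const PRIOR = -5.0;    // assumed log-odds that two arbitrary registrations are one person

function normalizeEmail(string $email): string
{
    [$local, $domain] = array_pad(explode('@', strtolower(trim($email)), 2), 2, '');
    $local = explode('+', $local, 2)[0];   // drop "+tag" sub-addressing
    return $local . '@' . $domain;
}

function ipv4Prefix24(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;                        // unknown or non-IPv4: contributes nothing
    }
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

/** Probability (0..1) that registrations $a and $b belong to the same person. */
function sameUserProbability(array $a, array $b): float
{
    $hits = [
        'cookie' => $a['cookie'] !== '' && hash_equals($a['cookie'], $b['cookie']),
        'email'  => $a['email'] !== '' && normalizeEmail($a['email']) === normalizeEmail($b['email']),
        'ip'     => ipv4Prefix24($a['ip']) !== null && ipv4Prefix24($a['ip']) === ipv4Prefix24($b['ip']),
        'ua'     => $a['ua'] === $b['ua'] && $a['lang'] === $b['lang'],
    ];
    $logOdds = PRIOR;
    foreach ($hits as $signal => $matched) {
        $logOdds += $matched ? WEIGHTS[$signal] : 0.0;
    }
    return 1.0 / (1.0 + exp(-$logOdds));
}

// Constructed sample records: a coworker behind the same office address vs. a re-registration.
$old    = ['cookie' => 'c0ffee', 'email' => 'Pat+shop@example.com', 'ip' => '203.0.113.7',  'ua' => 'Mozilla/5.0', 'lang' => 'en'];
$cowork = ['cookie' => 'beef01', 'email' => 'sam@example.com',      'ip' => '203.0.113.9',  'ua' => 'Mozilla/5.0', 'lang' => 'en'];
$again  = ['cookie' => 'c0ffee', 'email' => 'pat@example.com',      'ip' => '198.51.100.4', 'ua' => 'Mozilla/5.0', 'lang' => 'en'];
printf("coworker: %.3f  re-registration: %.3f\n", sameUserProbability($old, $cowork), sameUserProbability($old, $again));
```

A score like this is best used to flag a registration for a confirmation step or manual review, since every input can be absent, shared or forged.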