
I am an admin on a chatting website and we get a lot of abusers every day, disrupting regular chat flow. We keep banning their IPs and they keep changing them with IP-changer software and proxies. Additionally, they always enter using "Private Browsing Sessions" (this is our deduction, because cookie-marking them doesn't work).

Is there any means to recognize their presence before they start their nefarious activities?

We have javascript (no AJAX though) and PHP5 at our disposal. I have read in detail about "Browser Fingerprinting". It sounds promising, but it incorporates a lot of values obtained solely through AJAX (screen res, installed fonts etc).

I would like to stick to standard PHP5 as much as possible, and non-AJAX javascript may be employed if necessary.

Userbase:

  • 90% Windows-based
    • nearly 80% with windows 7 on portable devices
    • 10% on XP
    • 10% on windows 8
  • 10% Mac OS.
Youstay Igo
    As you are describing your problem, it seems that you haven't introduced registration on your website (maybe not required by you). But registration and login is the first aid to address this issue. – Ashwani Goyal May 12 '15 at 04:51
  • What are you already doing to prevent this? Do you have to register as a user? Using an email address as the username? Is the email address blacklisted when they are banned? Do you have to pass a CAPTCHA challenge? ... blocking IP addresses and fingerprinting browsers is not very effective, as it is relatively easy to spoof them. – Sverri M. Olsen May 12 '15 at 04:51
  • What do you mean by "no AJAX though"? – But those new buttons though.. May 12 '15 at 05:14
  • Capitalized proper nouns, deleted some extra words, and changed a few incorrect words. – tpie May 12 '15 at 07:51
  • www.desichat.org. It is simply an "enter nickname and go" type chatroom. Considering that members should have the choice of a new nick each time, I know it can be implemented with login systems too, but it will make it much more complex and we will risk losing users due to an extra layer of complexity. So far we are running with chat control consoles and staying vigilant. It's barely keeping things running though. – Youstay Igo May 12 '15 at 08:23
  • Have you considered CAPTCHAs? – Félix Adriyel Gagnon-Grenier May 14 '15 at 20:34
  • I formatted your question for some added readability, and a list. Lists are awesome. Good luck with that! – Félix Adriyel Gagnon-Grenier May 14 '15 at 20:37

2 Answers


Obviously you should implement user registration if it isn't there already, with email address confirmation or OAuth validation. With pure PHP, as far as I can see, there is really very little else you can do. You can also try putting some data into localStorage (will require a little JS); not everyone knows about that yet, so you might catch some low-swinging trolls that way. You can also make it so that people who don't have identifying cookies ('newbies') have to wait a while in order to join the chat. That way your established users won't suffer.

Must say, I'm really confused by your saying you don't have AJAX 'at your disposal'. What is AJAX except some JS that sends data to a PHP (or any other) script on the server? With AJAX you can auto-ban users as soon as they get, for example, five flags from other chatters. Without it you are really handicapped, because once the user starts the chat you have no other way of knowing who they are until they visit another page on your site, which with a chat application seems anyway less likely than usual.

Sidd
    Banning users based on flagging is a bad idea... don't give the bad guys more ways to f- with his website. – Sverri M. Olsen May 12 '15 at 04:56
  • Well obviously only established users should have that privilege, and/or it can be done based on the percentage of currently active users flagging a particular user. – Sidd May 12 '15 at 04:57
  • Ajax is not an option because the site already has a heavy hand with communication channels. Adding another one can affect members' chat experience. There are no "established" users, considering that no login system has been implemented on the chat. I guess there is still some hope with marking sober users with cookies (the bad guys would be using private sessions so they won't have any cookies) but it would still be a very slow process to mark an abuser and kick him out by member votes (not to mention, the hassle of implementing this system from scratch). – Youstay Igo May 12 '15 at 08:31
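The "newbies without an identifying cookie have to wait" idea from the answer above, written out as an added PHP5-compatible example (not code from the thread or from the site in question). The cookie name, secret and wait time are assumptions; the same cookie dependency is why the `$_SESSION` approach in the other answer does not escape the private-browsing problem either.

```php
<?php
// Added example, not code from the thread: a PHP5-compatible "newcomer gate".
// A visitor without a valid signed first-seen cookie is a newcomer and must
// wait before posting. The constants are assumptions chosen for illustration.
define('SECRET_KEY', 'replace-with-a-long-random-server-secret');
define('NEWCOMER_WAIT_SECONDS', 120);
define('SEEN_COOKIE', 'seen');

// Produce "timestamp.hmac" so a client cannot forge an older first-seen time.
function sign_first_seen($timestamp) {
    $ts = (string)(int)$timestamp;
    return $ts . '.' . hash_hmac('sha256', $ts, SECRET_KEY);
}

// Verify a "timestamp.hmac" cookie; returns the timestamp, or null if invalid.
function verify_first_seen($cookie) {
    $parts = explode('.', (string)$cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], SECRET_KEY);
    if (strlen($expected) !== strlen($parts[1])) {
        return null;
    }
    $diff = 0; // constant-time compare; hash_equals() only exists from PHP 5.6
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($parts[1][$i]);
    }
    return $diff === 0 ? (int)$parts[0] : null;
}

// Decide whether this visitor may post. Private-browsing visitors arrive with
// no cookie every time and are throttled on every visit; regular users pay the
// wait once. $new_cookie receives a value the caller must set when non-null.
function may_post(array $cookies, $now, &$new_cookie) {
    $new_cookie = null;
    $first_seen = isset($cookies[SEEN_COOKIE]) ? verify_first_seen($cookies[SEEN_COOKIE]) : null;
    if ($first_seen === null) {
        $new_cookie = sign_first_seen($now);
        return false;
    }
    return ($now - $first_seen) >= NEWCOMER_WAIT_SECONDS;
}

// Request-handling glue: run before accepting a chat message.
$new_cookie = null;
$allowed = may_post($_COOKIE, time(), $new_cookie);
if ($new_cookie !== null) { // HttpOnly, so page scripts cannot read or copy it
    setcookie(SEEN_COOKIE, $new_cookie, time() + 365 * 86400, '/', '', false, true);
}
```

The gate slows abusers who reappear without cookies, but it cannot tell a private-browsing abuser from a genuine first-time visitor, so pair it with moderation rather than relying on it alone.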

Why don't you try using $_SESSION variables to do the same thing as you were doing with cookies? I'm not at all good at banning people from a website, but if it seemed to work with cookies, it should work with sessions. Check this out

Pranav Nutalapati
    Note that $_SESSION uses cookies, even if just for the session ID. – Mike 'Pomax' Kamermans May 12 '15 at 04:55
  • @Mike'Pomax'Kamermans I believe that session is server-side and cookies are client-side, unless I'm mistaken? – Pranav Nutalapati May 12 '15 at 05:00
  • To _connect_ the server side session with a user you need a cookie or something else to identify the user. By default cookies are used. – t.niese May 12 '15 at 05:07
  • By default it's cookies, and the only other option normally available (query string arguments) is even less suitable for the task at hand. So I don't see how this is supposed to help. –  May 12 '15 at 05:15
  • I agree with Mike. If using cookies, the abusers would come in as fresh each time so there would be no way to filter out the new good guys from prevalent bad guys. And if a new session is started each time, the whole idea of session would be futile, as everybody would be starting with fresh sessions and there would be no means to identify the abusers. – Youstay Igo May 12 '15 at 08:34
  • Sorry, my bad, but could you check if this makes any sense? [link](http://stackoverflow.com/questions/19082152/unique-id-for-a-device-with-php) – Pranav Nutalapati May 16 '15 at 07:19