
I have a web application that has form-based authentication. The application has registration functionality also. In the last few weeks, I have observed that some users with a specific domain are making fake entries into the website and getting the benefits, as we do not have any approval workflow. These users either do it manually or run some script. We thought that we could restrict the registration process based on IP; however, it is not possible to get the visitor's exact IP address using C# (please correct me if I am wrong). Can we do it using some other technique? Our requirement is a single registration from a machine per 2 days.

AChauhan
  • I don't have a solution for you unfortunately, but I don't recommend going by IP address. Even if you were able to get their IP address, they could use a proxy and spoof an IP. A lot of people use telecommunications. For instance, they have to register a phone number and have it verified. It's harder to spoof a phone number. – Blue Eyed Behemoth Aug 02 '16 at 13:06
  • Should we use cookies? But in that case, the user can delete cookies and register again and again. – AChauhan Aug 02 '16 at 13:11

3 Answers


Unfortunately, I would call this mission impossible.

Idea 1: IP address. The user can use a proxy to register multiple accounts, depending on how many proxies he can find (there are a bunch on the internet for free).

Or they could just fake the IP packet by putting a random IP in the header. Since all they need is to register, it doesn't matter if the confirmation message was sent to another random guy.

Idea 2: one registration per machine. I could fake as many machines as I want with virtual machines, and you would have no way to tell from the HTTP request.

Alternatively, I could just fake all the information with a raw HTTP request, and I can do that with a script with no issue.

And from what I know, you don't have the system rights to read a hardware ID from JS (correct me if I'm wrong).

No method is guaranteed to restrict to 2 registrations per day, but an IP-based method should work against most normal users. Do keep in mind that everyone using the same router could have the same IP (for example, a school, or public Wi-Fi in an apartment building).

You could find out the user's IP address within the HttpContext object.

Steve

Whatever your restriction would be, it will be based on the data the browser sends (as long as you restrict a specific computer). Your main desire is to create a "footprint" on that machine in order to use it later, per request.

Whatever your manipulation would be, you should also obfuscate your JS code. For example, on page load, your code can request HTTP headers dedicated to that machine and save them in cache; then you generate a GUID for the client, which it is supposed to use in order to register.

Another option is to use AES to encrypt the data before sending it "on the wire"; that way you won't be able to manipulate it.

The most important thing is that once you "drop" JS code on the client, he can do whatever he wants; the question is how hard it would be.

**Edit:** a more secure but more complicated way that I have once used is creating a sync key: an async AJAX call to the server requesting an encryption key. The server call will save the new GUID key in memory and will generate a new one for each request. You can use this idea to keep track of user debugging and browser behavior: as debugging will hold the code from running, the sync key will change and you can "catch" him.

TTomer

Neither cookies nor IP can protect against fake entries.

You should look at it from another side. You get unwanted entries and you don't know if it's an automated bot, or a spammer, or someone who just doesn't care about your data. Instead of banning entries, you should think about how to validate them. For example, if you get "aaaaa" as a name and "bbbbb" as an email address, add, at least, regex validation on the client and server side to ensure you get data in the required format. The next level would be to verify the email address by querying the mail server or sending a validation email. This will not only help to stop spammers, but also people who don't care. If you think it's an automated bot, add a captcha. In case of emergency, ban the IP in web.config (see ASP.NET: How to limit access to a particular IP address to a particular page through web.config file (.htaccess similar)?).

user2316116
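An added example, not code from the question or from any of the answers: a C# guard that combines the server-side validation this answer recommends with the question's one-registration-per-client-per-2-days limit. The class name, the in-memory dictionary and the sample values are assumptions; it expects the caller to pass the client address the server itself observed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Server-side registration guard: input validation plus a per-client window.
// The client key must be the address the server observed (for example
// HttpContext.Current.Request.UserHostAddress in ASP.NET), never a header the
// client can set such as X-Forwarded-For, which a script can fill with any value.
public static class RegistrationGuard
{
    // Letters, spaces and a few name punctuation marks, 2 to 60 characters.
    static readonly Regex NameRe = new Regex(@"^\p{L}[\p{L} .'-]{1,59}$", RegexOptions.Compiled);
    // Coarse e-mail shape check; real verification is the confirmation mail.
    static readonly Regex EmailRe = new Regex(@"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$", RegexOptions.Compiled);

    // Rejects filler such as "aaaaa": one character repeated for the whole field.
    static bool IsRepeatedChar(string s) => s.Length >= 4 && s.Trim(s[0]).Length == 0;

    // Last accepted registration per client key. In-memory for the example;
    // a real deployment stores this in the database so it survives restarts.
    static readonly Dictionary<string, DateTime> LastAccepted = new Dictionary<string, DateTime>();
    static readonly TimeSpan Window = TimeSpan.FromDays(2);

    // Returns null when the registration may proceed, otherwise the reason it was refused.
    public static string Check(string name, string email, string clientKey, DateTime now)
    {
        if (string.IsNullOrWhiteSpace(name) || !NameRe.IsMatch(name) || IsRepeatedChar(name))
            return "name is not acceptable";
        if (string.IsNullOrWhiteSpace(email) || email.Length > 254 || !EmailRe.IsMatch(email))
            return "email address is not in a valid format";
        if (string.IsNullOrWhiteSpace(clientKey))
            return "client could not be identified";

        lock (LastAccepted)
        {
            if (LastAccepted.TryGetValue(clientKey, out DateTime last) && now - last < Window)
                return "only one registration per client every 2 days";
            LastAccepted[clientKey] = now;
        }
        return null; // next step: send the verification e-mail before granting any benefit
    }

    public static void Main()
    {
        // Constructed sample inputs (203.0.113.5 is a documentation-range address).
        DateTime now = DateTime.UtcNow;
        Console.WriteLine(Check("aaaaa", "bbbbb", "203.0.113.5", now) ?? "accepted");                  // name rejected
        Console.WriteLine(Check("Alice Smith", "alice@example.com", "203.0.113.5", now) ?? "accepted"); // accepted
        Console.WriteLine(Check("Bob Jones", "bob@example.com", "203.0.113.5", now) ?? "accepted");     // window refusal
    }
}
```

Because the key is an address, users behind one NAT (the school or shared Wi-Fi case from the first answer) share a single window, and a proxy user escapes it; treat the window as friction on top of validation and e-mail verification, not as proof of a unique machine.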