Ways to create a unique user fingerprint in PHP

Question

What is the best way to generate a 'fingerprint' of user unique-ness in PHP?

For example:

1. I could use a user's IP address as the 'fingerprint', however, there could be multiple other users on the same IP
2. I could use the user's IP + user agent as the 'fingerprint', however, a single user could simply swap from safari to firefox and again be seen as being unique

Ideally, the fingerprint so label the 'machine' rather than browser or 'ip' but I can't think of how this is achievable.

Open to ideas/suggestions of how you uniquely identify your users, and what advantages/disadvantages your method has.

Answer 1

Easiest and best way: use phps session-management - every client is given an ID, stored in a cookie (if enabled) or given as a get-variable on every link and form (alternatively you could set a cookie on your own). But, this only "fingerprints" the browser - if the user changes his browser, deletes his cookies or whatever, you can't identify it anymore.

Identifying every client by IP address is usually a bad idea and won't work. Clients that use the same router will have the same IP addresses - clients connected through a proxy-pool could have another IP address with every page load.

If you need a solution that can't be manipulated by the client in an easy way, try to do a combination of the following, using all that are supported by the clients browser and compare them on each page-load:

• "normal" HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in and reading out Web History
• Storing cookies in HTTP ETags
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite

There's a solution called evercookie that implements all of this.

Answer 2

There's something else to take in account, the public IP Address of a user is something that also can change in every page load.
There are multiple organizations that switch public IP's in they routers to balance traffic.

Answer 3

Achieving 100% reliability is not guaranteed, but combining some common methods can give you meaningful results

• Users generally don't switch browsers. Over-complication in your algorithm only to reach engineering perfection is not worth the effort.
• You certainly belong to the top 100 websites if you can expect multiple users from the same IP. Don't take it personal, but you're just not that popular.

Take the simplest possible route that could work and adjust over time if it seems necessary.

Answer 4

I have three different computers, various handheld devices, and many of them have different browsers installed. I use all these interchangeably at home take them with me other places so, basically, on various IP addresses. What I'm trying to point out is that fingerprinting a browser or a machine for that matter is never going to be foolproof if your goal is to block a person.

I recommend you take a different approach. Judge based on the inconclusive information you have available that suggests the identity of your banned user (same IP or same user-agent if it's a uncommon one or else some of the javascript browser fingerprinting methods such as available fonts, available plugins, non-standard window size, etc.) and require of those suspect visitors some higher form of identity verification -- such as oauth with Facebook, Google+, or Twitter. Then you can look to see if that social media account is genuine or created just to circumvent. There are also phone verification APIs in case your user base isn't social-media savvy and depending on how valuable it is to you that users don't circumvent banning.