1

I know you can get the user's IP address with PHP, but are there any other tips/tricks/scripts that can be used to identify the user in other ways?

benhowdle89
  • Identify how? For authentication, advertising tracking, personally? – Rup Nov 26 '10 at 10:22
  • IPs are unique identifiers (at the time of access). What more could you need? – jwueller Nov 26 '10 at 10:25
  • At the moment I'm creating an inter-office company admin site (like Small Business Server's companyweb page). I was curious about ways I could display information about the user, i.e. location or computer hardware (a long shot, I know), more for fun at this stage rather than advertising, etc... – benhowdle89 Nov 26 '10 at 10:25
  • `$_SERVER['REMOTE_HOST']` perhaps. – Treffynnon Nov 26 '10 at 10:26
  • @elusive that is not true. Hundreds of people can have the same IP address at the same time. – Jan Hančič Nov 26 '10 at 10:28
  • You could auth the users against an Active Directory if you are running SBS? You could then pull more details about the user out of the AD. – Treffynnon Nov 26 '10 at 10:28
  • @Jan Hančič: Let me correct that: IPs are unique in terms of network topology. – jwueller Nov 26 '10 at 10:29
  • @Treffynnon that's the sort of thing I'm after; I wouldn't even know where to start with this!? Could I still use PHP or would I have to use ASP, etc...? – benhowdle89 Nov 26 '10 at 10:34
  • @Rup I think you mean 'Identify why?' – fredley Nov 26 '10 at 10:34
  • @benhowdle89 There is a fair bit out there on the topic: http://www.google.com/search?q=php+active+directory – Treffynnon Nov 26 '10 at 10:37

4 Answers

3

There are polls and contests on the website my company is building, and anonymous users are allowed to vote once per day. The suggestions as to how to resolve this were:

  1. authentication via e-mail confirmation (send an email with a unique link to click)
  2. IP address
  3. cookies

The e-mail can't fail, but a user can have many email addresses, plus, it's troublesome (fill in a form, open email, click a link - many people are deterred this way).

The IP is not reliable because ADSL users often have a different IP each time they connect to the internet (at least with my country's biggest ADSL provider). Plus, proxies are a problem.

Cookies can be easily cleared/disabled, plus, a user would be allowed to vote many times if s/he had more than one browser installed. If cookies are set via JS, JS-disabled browsers are also immune to this.

We decided that the mix of #2 and #3 was the best tradeoff, but there's no perfect way.

mingos
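
The IP-plus-cookie tradeoff described in the answer above, as an added example that is not part of the original answer. The `VoteLimiter` class, the secret, the in-memory store and the sample requests are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added illustration (hypothetical class, PHP 8+). The array stands in for
// a database table with a unique index on the stored key.
final class VoteLimiter
{
    /** @var array<string, bool> keys that have already voted */
    private array $seen = [];

    public function __construct(private string $secret) {}

    // HMAC the signal so raw IPs and cookie tokens are never stored.
    private function key(int $poll, string $day, string $kind, string $value): string
    {
        return hash_hmac('sha256', "$poll|$day|$kind|$value", $this->secret);
    }

    // Accept the vote only if neither the IP nor the cookie has voted today.
    public function tryVote(int $poll, string $day, string $ip, ?string $cookie): bool
    {
        $keys = [$this->key($poll, $day, 'ip', $ip)];
        if ($cookie !== null && $cookie !== '') {
            $keys[] = $this->key($poll, $day, 'cookie', $cookie);
        }
        foreach ($keys as $k) {
            if (isset($this->seen[$k])) {
                return false;
            }
        }
        foreach ($keys as $k) {
            $this->seen[$k] = true;
        }
        return true;
    }
}

// Constructed requests. In a real handler $ip comes from $_SERVER['REMOTE_ADDR']
// and $cookie from a random token the server set on the first visit.
$limiter = new VoteLimiter('constructed-secret');
$day = '2010-11-26';
$requests = [
    'first vote'            => ['203.0.113.5', 'tok-a'],
    'cookie cleared'        => ['203.0.113.5', null],
    'new IP, same cookie'   => ['198.51.100.7', 'tok-a'],
    'new IP and new cookie' => ['198.51.100.7', 'tok-b'],
];
foreach ($requests as $label => [$ip, $cookie]) {
    printf("%-22s %s\n", $label, $limiter->tryVote(1, $day, $ip, $cookie) ? 'accepted' : 'rejected');
}
```

The second and third requests are rejected because one of the two signals matches; the fourth is accepted because both changed, which is the residual gap the answer concedes.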
2

It is unclear whether or not you are running SBS and an Active Directory/LDAP system, but that would give you a way to pull out more information about a user based on their Windows login. There is a lot out there on the web on this topic:

`$_SERVER` contains information on the browser the user is accessing the site with: http://php.net/manual/en/reserved.variables.server.php

You can also use `get_browser()` to parse that information into human-readable form: http://php.net/manual/en/function.get-browser.php

Treffynnon
0

Well, ultimately, the best way to identify them would be to set up an authentication system and have them log in.

Alternatively, you could attempt to identify users based on a bunch of different pieces of data, for instance their IP and the browser they're using (i.e. `if userip == ip && userbrowser == browser ...`) - this is all too easy to circumvent, though.

Check the `$_SERVER` global for any other data that you could compare against.

I would highly recommend implementing an authentication system though - this is the best way to identify users.

xil3
0

If it's for an internal-only website then you could use ident - see also RFC 1413. There are PHP-based implementations out there (try Google). Note that this requires that the client is running an ident server which is accessible from the webserver where your code is running. You don't say what OS the clients are - there are ident servers available for Linux, Unix, Apple Mac and MS Windows. Note that ident responses are not authenticated and can (relatively) easily be faked.

Microsoft's solution to the problem is NTLM - but that's a PITA to manage properly.

symcbean