
Obtaining Unique IDs For Visitors


dodgyrecordings


Hey, I'm designing my first "real" webpage at the moment, the data manipulation side is FINALLY done (very big achievement for me :)) and now I'm wondering about site security... without rambling about the entire thing, I want to be able to have my cake and eat it too... it's probably not possible, or others would be doing the same... I would very much like to have an ability for users to contribute to the site anonymously/without registration details and keep spam to a minimum through keeping track of visitors and limiting each user's input...

I thought about making some sort of encrypted key based on the IP address, and storing it in their session and cookie information, with a database of duplicate IDs; i.e. if a user comes back with a different IP in either session or cookie from what the encryption algorithm generates when they enter the site, a record is created to link the two IDs (storing the IDs and limiting contribution via ID info is already implemented).

Is this going to be enough to prevent serious spamming? I mean, is there any way to stop someone writing a script that generates a new IP every time it connects and dumps the session and cookie, filling my database with rubbish/spam?

Undoubtedly there will be a certain amount with any open system even if it is actually from unique visitors, and I've already got SOME simple methods to counteract that, but I'm thinking more of the sort of spam that could crash a server...


Using IP addresses as identifiers is "iffy" at best. AOL, for example, has been known to switch IP addresses regularly for users. And many dial-up systems rotate IP addresses.


Keeping track of IPs isn't going to do anything to stop spam. You might want to use a captcha system or something like that instead, I guess it depends what you're trying to stop. If you're trying to stop bots, it will probably be enough to add some hidden inputs that a bot would fill out but a human wouldn't, and if those fields are filled out then you would reject the submission.
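The hidden-input check suggested in the reply above, combined with the per-session "one response per topic" limit the original poster asked about, as an added example that is not part of the thread. The field names (`website`, `topic_id`), the session keys and the 30-second cooldown are assumptions chosen for illustration.

```php
<?php
// Added example. The form is assumed to contain a decoy field that CSS hides:
//   <input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">
const HONEYPOT_FIELD   = 'website'; // hypothetical decoy field name
const COOLDOWN_SECONDS = 30;        // hypothetical minimum gap between posts

/**
 * Decide whether to accept a submission.
 * $post is the form data (normally $_POST); $session is the visitor's
 * state (normally $_SESSION). Returns 'ok' or a rejection reason.
 */
function check_submission(array $post, array &$session, int $now): string
{
    // 1. Honeypot: a human never sees the decoy, so any value (or an array) is a bot.
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        return 'honeypot';
    }
    // 2. Throttle: reject posts that follow the last accepted one too quickly.
    $last = $session['last_post'] ?? null;
    if ($last !== null && $now - $last < COOLDOWN_SECONDS) {
        return 'too_fast';
    }
    // 3. One response per topic for this session.
    $topic = (int)($post['topic_id'] ?? 0);
    if (isset($session['answered'][$topic])) {
        return 'duplicate';
    }
    $session['last_post'] = $now;
    $session['answered'][$topic] = true;
    return 'ok';
}

// Constructed sample submissions: [timestamp, form fields].
$session = [];
$samples = [
    [1000, ['topic_id' => '7', 'comment' => 'buy pills', 'website' => 'http://spam.example']],
    [1000, ['topic_id' => '7', 'comment' => 'First reply', 'website' => '']],
    [1005, ['topic_id' => '8', 'comment' => 'Too soon', 'website' => '']],
    [1040, ['topic_id' => '7', 'comment' => 'Second try', 'website' => '']],
    [1041, ['topic_id' => '8', 'comment' => 'Other topic', 'website' => '']],
];
foreach ($samples as [$now, $post]) {
    echo $now, ' topic ', $post['topic_id'], ': ', check_submission($post, $session, $now), PHP_EOL;
}
```

The honeypot works without any visitor state. The throttle and per-topic limit live in the session, so they reset for any client that discards its cookie between requests.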


I was planning on using a captcha system also, I know a guy who has an open submission form on his site who uses MathGuard and said it worked well for him, so this is what I was going to use, but I haven't implemented it yet... The thing I'm most concerned about is bots/script exploits, but I'm also hoping to have some chance of limiting users to one response per topic, so to speak, hence the IP idea... I guess I'm wondering also how much it will prevent users logging on and spamming the topics the 'old fashioned way' as much as bots being able to exploit it...

So, when you say AOL users will change IPs, is that at predefined intervals? Or more like dialup, when they connect it assigns a new one? (I wouldn't have a clue, from Australia and have only ever had a permanent connection with static IP.)

For practical intents and purposes the dialup IP style of changing addresses isn't going to be a huge problem; if people have to disconnect and reconnect to add another line I'm not too concerned.


If you're allowing anonymous users, there's no reliable way to track them. Any method you use can be circumvented, if you need to track your users the only way is to force them to sign up and then keep track of what their account does.


The first thing in web security is to never trust any user input. The most common flaw, I think, is XSS, which could be a real danger for your users and such. I'm very glad with PHP's magic_quotes; although it has some downsides, the positive things are way greater than that. Besides, there are loads of articles on how to protect your website. And keep the webserver up to date (which isn't your responsibility, probably), because loads of ScriptKids would just search for an exploit on a webserver and use other people's code.

Edit: This is in response to your worries on web security, not the spamming.


Archived

This topic is now archived and is closed to further replies.
