I have a registration page that sends a Welcome SMS for every registered user where the username is the user's mobile number.
In the welcome SMS there is an activation code to complete the registration process.
I also uses a Captcha control to prevent people from using bots.
The problem is, Some bad users are using the registration page to send SMS's to random mobile numbers which makes me loses the SMS credit.
Getting the MAC address of a website visitor is impossible, If it was possible, I will solve the problem by adding the anonymous bad visitors to a black list data table after say 3 different unverified mobile numbers.
My Question is: Is there any technique to identify a visitor in ASP.NET Or IIS.
Your question is answered in How can I Identify unique users on my website even IP is changed or browser data has been cleared? and How do I uniquely identify computers visiting my web site?. It can be done by combining the IP address and 'browser fingerprint'.
While this may be enough, I suspect that the malicious users will do anything possible to be not detected by these techniques. They can use a proxy server, a botnet, or other anonymizers like Tor to change IP address for every request, and they can craft their requests to fake random browsers.
To ultimately overcome this issue, you can for example make a Verified bit for each user, where you'll only send them an SMS after you have verified their account.
Related
I want people to be able to vote on my site, but I don't like sites that forces registration to do this. So my question is, is the any way to vote up/down, save the votes in a database, and make sure a person can only vote once? Without using cookies, I feel like its too easy to just clear cookies and vote again.
Email "captcha" is always nice - in order to vote, user has to provide email address, you send a link to that email and calculate the vote only if user clicked on that link. One unique email can have only one vote.
You could store their ip address in the database. But that would mean that people sharing one Internet connection would not be able to vote once one person has voted. Also people with dynamic IP address could vote multiple times.
So there is nothing that would work really well apart from making them register. But you could simplify the logging in process with e.g. Facbook SDK for JavaScript (https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.0). There are many others you can use in parallel (Facebook, Google, etc.). This way they would not have to manually register on your site. The down-side is that you require them to have a Facebook account. Some people also prefer not to tie their Facebook account to 3rd party sites (e.g. me).
You can collect details indirectly such as Operating System, IP address, Browser, Pligins which are installed, All Version Numbers in that session and produce a Hash.
By this, you can accompolish a reasonable vote ONCE on website without authentication.
Your options are as follows:
Read their IP address
Cookies
User Agent
However, the best bet is by far a login solution.
the only way without cookies is that you stores values in database by their IP adress for their identification.
but it will also not work perfectly, because
1)user can use proxy.
2)people who shared a same internet connection have the same ip adress.
Your options could be:
1- Save IP (note that IP is changed on DHCP, dialup connections and proxies)
2- OpenID as you see in stackoverflow.com (note that user can use multiple id on yahoo, facebook, ...)
3- send a link to email address (note that user may be use multiple email)
4- use cookies (note that user can delete cookies)
I have to implement advanced login mechanism in my ASP.NET MVC web site that is: users should be logged in with username and password only from one machine (the one that was used when the first time registered and logged in the application).
I was thinking about getting the client Hard Drive serial number ? Is this possible?
If not, can someone suggest me a solution to this problem.
Thanks in advance,
Igor
I don't think you can access unique PC identifiers, other than your browser. Check panopticlick browser uniqueness research.
Aside from that, I don't get the requirement to limit website access to the first used machine. It is not uncommon to used different devices these days (desktop, laptop, tablet, phone)
Even if it were possible, limiting your user to only using the machine they first logged in with would be a really bad design decision. What happens if their computer fails, and they need to get a new one, or replace some hardware? Remember when Microsoft Office used to make you re-activate every time you made a change to your computer's hardware? No one wants that. Aside from that, users use a wide variety of devices... a desktop at home, a laptop at a cafe, an iPhone on the road.
Using javascript, it is more or less possible to uniquely identify a browser, but that still would be subject to change, and the eventual locking out of legitimate users.
If you want to make sure a user is looged in on one device at a time that's a much more reasonable requirement. All you'd have to do in that case (I'm over simplifying a bit) is maintain a table of currently logged in users, and then reject subsequent login attempts for that user if they're already logged in.
I have webservice which uses ASMX webmethod etc (I know, outdated), it is used to supply mobile devices with data for their apps.
Right now, users can login on any device at any time, as many times as they want. To make this product compatible with a new licensing model, we want to restrict users in logging in to multiple devices.
A user should only be able to be logged in at one device at a time.
I thought of the following solution: save the mobile device identifier last used in a request, and the time of the request in the database. If a user tries to login (within ~10 minutes) from another mobile device identifier -> login fails.
My problem: in which method do I put this code. I want to prevent duplicate code as much as possible.
I have 4 .asmx files with API's, I could put the code in the constructors of all the classes, but I'd rather not. Is there not some "Request_Start" that already has access to GET/POST parameters?
Please refer to:
When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?
I understand you're asking about ASMX, but I believe this will be a good starting point for you.
I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.
Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.
I need to organise my companies websites so that depending on the location of a user they get redirected to a country specific version of the site e.g.
US Users get redirected to a US
specific page
UK users get redirected
to a UK specific page.
I've seen this done plenty of times but am not sure how its implemented. I'm thinking some sort of IP address lookup?
Basically I want to know how to achieve this and if there are any .NET/C#/JavaScript utilities that could assist.
Yes, this is normally done via IP lookups - this is called GeoIP, or Geo Locating.
Here is a related question - asking for good providers that are cost effective.
Check http://www.hostip.info/
The have an IP lookup service.
You could also use the accept-locale request header... but it can be misleading.
I'm trying to make a ASP.NET (C#) poll that will ask a user a Yes/No question and log that vote to the database. To prevent spam I would like to be able to make sure users can only vote once. I've thought about logging the users IP address. If this is the answer can someone give me a tutorial that shows how this can be accomplished. If this is not the answer then give me your suggestions.
Edit: I'm not asking users to register as this is not my website.
You can only garuantee that each user has one vote if you can authenticate the user. So you'll need an authentication mechanism, that will allow you to prevent the user from registering multiple accounts.
I can only see this work in an environment where the user has invested something into his account, like a subscriber for an online newspaper or a reputation system as on StackOverflow.
You can't limit a single vote to one IP address. An IP Address does not equal a single user. An IP address represents one or more users.
If you have a registered users list, send them an email containing a unique link which is generated containing a guid (for example), record the GUID in a database and match on voting.
If you are talking about generally publicly accessible and secure, then IP address on its own is not sufficient (google electronic electoral voting for the many issues involved with secure public voting).
Have you thought about using one of the free voting services?
Condorcet Internet Voting Service
IP addresses won't work for the millions of people who are working behind a proxy as well.
Cookies are a partial solution, but voting robots could just not send the cookie.
Logged in sessions are the only way to prevent double-voting fraud but since you explicitly ask for a way to log the IP address, you can get at that through:
HttpContext.Current.Request.UserHostAddress;
or
HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
Should be easy enough to save to DB and check if IP already exists on each poll.
Have a registration that requires email confirmation of registration and make sure the email address is a unique column in the DB among your users. Then tie the vote to the email address. It won't completely prevent a sock puppet who has multiple email addresses but it will at least make it not worth the effort for most.
A combination of IP and useragent can give you a reasonable solution.
I agree that one single IP address does not correspond to a single user but I think that is the safest way of maintaining one vote per person. I usually use cookies to keep track who has voted. Of course, this is a easy hack where you can just delete the cookies and then vote again. If the vote is just some random stuff then I don't really care. If the correct votes really matter for your application then use IP address.