What is an effective method for banning users from my site?
I know a lot of scripts handle IP ban, IP range ban etc. I was trying to make a method that would block a user as best as I can. I came up with:
- IP block
- Setting a cookie
But if a user has a dynamic IP and doesn't enable cookies this won't do much to him. I don't want to block an IP range because most of my visitors come from the same town and I don't want to block innocent people.
- Creating a hash value for multiple variables coming from the user (like browser and version and something else), and adding them to a table which stores a list of banned users or such values.
Thanks for ideas.
In plain: you can't.
A user can refuse to receive cookies, or even use a proxy to fake their IP address, so you just can't make sure some user can't access your application.
An (extreme) option is to force all your legitimate users to install a client certificate and to check it at server-side but, as I said, it's an extreme solution. I don't like to install certificates just to access some site.
I suggest you just let it go; sometime in the future your troll will get bored and will look for something more useful to do with his/her time.
Both banning by IP and cookie are, as you say, ineffective.
If you need to block specific users then your only recourse is to require all users to authenticate using an email address - they don't need to supply a password - just generate a random hash and store it against the email address in a database table, then send out a clickable URL with the hash in the query. Then, when the URL is accessed, drop a cookie with the hash in it (and an expiry date long in the future).
Then whenever a user accesses the site, check the cookie against the database to see if it belongs to a banned email address.
The downside to this is that it shifts the burden to the legitimate user. E.g. if they registered from a domestic ISP account using the ISP's email service, then they won't easily be able to access the site from an internet cafe.
And of course, it's relatively easy to get a free email address.
C.
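The email-token scheme described in the answer above, as an added example that is not part of the original answer. The table and function names are hypothetical, and storing a SHA-256 digest of the token instead of the token itself is an assumption added here, as is normalizing the address to lowercase.

```python
import hashlib
import secrets
import sqlite3

def open_db():
    # In-memory database with hypothetical table names, for illustration only
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE banned (email TEXT PRIMARY KEY);
    """)
    return db

def _digest(token):
    # Assumption: keep only a digest so a leaked table does not yield usable cookies
    return hashlib.sha256(token.encode()).hexdigest()

def normalize(email):
    return email.strip().lower()

def issue_token(db, email):
    """Create the random value that goes in the mailed URL and later in the cookie."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO tokens VALUES (?, ?)", (_digest(token), normalize(email)))
    return token

def ban(db, email):
    # The ban is keyed on the address, so it covers every token issued to it
    db.execute("INSERT OR IGNORE INTO banned VALUES (?)", (normalize(email),))

def check_cookie(db, cookie_value):
    """Return 'unknown', 'banned' or 'ok' for the cookie a request presents."""
    if not cookie_value:
        return "unknown"  # no cookie: send the visitor to the email step
    row = db.execute(
        "SELECT b.email FROM tokens t LEFT JOIN banned b ON b.email = t.email "
        "WHERE t.token_hash = ?", (_digest(cookie_value),)).fetchone()
    if row is None:
        return "unknown"  # forged or expired value
    return "banned" if row[0] is not None else "ok"

if __name__ == "__main__":
    db = open_db()
    good = issue_token(db, "alice@example.org")   # constructed sample addresses
    bad = issue_token(db, "Troll@Example.org")
    ban(db, "troll@example.org")
    for cookie in (good, bad, "forged-value", None):
        print(check_cookie(db, cookie))
```

Because the ban is stored against the address and looked up on every request, it takes effect on cookies that were issued before the ban and on any new link requested for the same address.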
Generally, trying to ban behavior is better than trying to ban users.
First, for technical reasons: behavior patterns can often be detected (e.g. you can ban words).
Second, for psychological reasons: people who annoy others often do so because they tend to take things too personally. Banning them reinforces that. Retaliation and escalation may result.
What you already got there is probably the best method, IP ban + blocker cookie. There isn't really much more you can do except for these two. (I know, it sucks.)
As the others pointed out: basically there's not much more you can do. The basic problem is that those techniques ban a machine, not a user, and can easily be circumvented (clearing cookies, changing IPs, or using a different computer).
What you could try to do is to automatically detect the user, through some behavior they're exhibiting, and then quickly block their current machine. Bad behavior that's automatically checkable could be posting too many comments, or spam comments (you can check for those automatically using, for instance, Mollom), typing in lots of wrong passwords, etc.
Another idea (but that's even more intrusive) is to block their user account, and limit the creation of new accounts (have them be confirmed by admins first).
Well, you can block the usage of VPN on your website (I think it's a forum, if users can post threads), for this purpose, vpnblocker.net is very cheap and effective... with VPN Blocking, IP bans and Cookie blocking you can stop non-persistent spammers. If they've a static IP-Address, they won't return.
If it's for a forum or something similar the only real way of stopping spam/abuse is with a combination of image verification and admin activated account creation. Both have nasty side effects and impacts on the usability of your website.
IP Banning
Personally, IP banning should be avoided unless they're known spam servers. Banning IP addresses of normal users is nonsensical as most broadband IP addresses aren't fixed, so you could potentially end up banning someone else who picks up that IP address.
Cookies
Using Cookies can be a useful way of banning normal 'non-IT' users who are not aware of clearing their browser cache/cookies, etc. I'd be surprised if more than 10% of web users knew how to do this...