Other PHP tricks to identify user

I know you can get the users IP address with PHP but are there a开发者_如何学JAVAny other tips/tricks/scripts that can be used to identify the user in other ways?

There are polls and contests on the website my company is building, and anonymous users are allowed to vote once per day. The suggestions as how to resolve this were:

1. authentication via e-mail confirmation (send an email with a unique link to click)
2. IP address
3. cookies

The e-mail can't fail, but a user can have many email addresses, plus, it's troublesome (fill in a form, open email, click a link - many people are deterred this way).

The IP is not reliable because ADSL users often have a different IP each time they connect to the internet (at least with my country's biggest ADSL provider). Plus, proxies are a problem.

Cookies can be easily cleared/disabled, plus, a user would be allowed to vote many times if s/he had more than one browser installed. If cookies are set via JS, JS-disabled browsers are also immune to this.

We decided that the mix of #2 and #3 was the best tradeoff, but there's no perfect way.

It is unclear whether you are or not running SBS and Active Directory/LDAP system but that would give you a way to pull out more information about a user based on their Windows login. There is a lot out there on the web on this topic:

• http://www.google.com/search?q=php+active+directory
• Authenticating in PHP using LDAP through Active Directory

$_SERVER contains information on the browser the user is accessing the site with: http://php.net/manual/en/reserved.variables.server.php

You can also use getbrowser() to parse that information into human readable form: http://php.net/manual/en/function.get-browser.php

Well, ultimately, the best way to identify them would be to set-up an authentication system and have them login.

Alternatively, you could attempt to identify users based on a bunch of different pieces of data, for instance their IP and browser they're using (ie. if userip = ip && userbrowser == browser ... ) - this is all too easy to circumvent, though.

Check the $_SERVER global for any other data that you could compare against.

I would highly recommend implementing an authentication system though - this is the best way to identify users.

If it's for an internal only website then you could use ident - see also RFC1413. There are PHP based implementations out there (try google). Note that this requires that the client is running an ident server which is accessible from the webserver where your code is running. You don't say what OS the clients are - there are ident servers available for Linux, Unix, Apple Mac and MSWindows. Note that ident responses are not authenticated and can (relatively) easily be faked.

Microsoft's solution to the problem is NTLM - but that's a PITA to manage properly.