Mobile app version of
Login or Join

: How to check if person doesn't have multiple account? I have two users in my website with the same IP. I asked them or him, idk, why does he have 2 accounts. He said that other account


Posted in: #Mysql #Php

I have two users in my website with the same IP. I asked them or him, idk, why does he have 2 accounts. He said that other account is owned by his roommate. His roommate uses other computer in my website.

So, my question. How can I detect whether he lies or tells truth? I can check if both browsers the same or not. What else?

Thank you.

10.1% popularity Vote Up Vote Down

Login to follow query

More posts by @Bryan171


Sorted by latest first Latest Oldest Best



The actual answer is no you can't!

Sure there many things to simulate it. But think of the user uses the other persons computer/account or even browser!

You can modify local IP addresses, cookies, http-headers, java-applets or all other clientside things.

Most sites who want this has limits of accounts per IP-address.

You also may try to filter the multi-accounts by checking for suspicious activities, but that may also not be of much help, since it would be hard to distinguish friends just working together.

All in all, this is a problem to which no effective solution exists.

10% popularity Vote Up Vote Down



It is almost impossible to make 100% sure 2 user are the same person, what I would recommend would be to negate the benefit of having 2 account.

Example : if your site give referral bonus (in the case of a gaming website) you could track IP, log on date, sign up date, hashed password, similarities in email, those factors usually allow to find multiple account users.

10% popularity Vote Up Vote Down



If there is personal information in a typical user's account, like a CC number of a personal detail that is not meant to reach someone else's eyes, then in the edit account page make that personal detail available. No two people will ever wish to share accounts if they knew the other could access their personal data.

I don't think you can use technology to resolve such issues, a hacker will always find a way to out-smart you. However, if you have a CC on file, add a link on your user's back end that allows them to purchase of flowers with a single click and mail it to anyone -- and watch how your double-accounts will disappear as no one will want one of their friends to order flowers with their CC.

Problem solved.

10% popularity Vote Up Vote Down



I am guessing that in your case having multiple account could be used to gain unfair benefit, otherwise it would be good that you clarify your situation.

The approach that you should take in that case is to detect suspicious pattern between the account rather than try to detect if it's the same personn. Depending on what your website is about, the pattern can change a lot. Stack Overflow does this to prevent gaming the system.

10% popularity Vote Up Vote Down



Or require all of your users to link their accounts to a Facebook account. Since Facebook's terms of service prohibit multiple accounts, you can then push enforcement of the policy off to Facebook, who probably have more resources than you do.

10% popularity Vote Up Vote Down



The network that the user is on might set the X-Forwarded-For http request header, which would allow you to log the private original IP address as well as the public IP address from which the request comes. You could then see if there are two different private IP addresses. But it won't work if they're just behind a NAT router, as that won't set X-Forwarded-For.

10% popularity Vote Up Vote Down



You just have to live with this. Design your site so it would no matter. In SO if someone uses more than one account it just divides the reputation betwen them, so no incentive to do so.

Design your interaction in a way that gives no incentive for multiple accounts.

10% popularity Vote Up Vote Down



You could use a Flashapp to take a picture of the user via webcam while login, and compare them... but the user would have to agree with this and can wear a mask or something. (I'm afraid what Face/Off-like-ideas @Quassnoi will get.)

10% popularity Vote Up Vote Down



Testing the User-Agent string will do you no good. Likewise client-side storage or cookie solutions are not an option if the same user utilizes different browsers. The only option to discern different clients in the local network would be a Java Applet which reads out the network-local address.
E.g. But that's quite an overkill solution, and can fail due to security restrictions, or if none of the two browsers (or users) has Java enabled.

10% popularity Vote Up Vote Down

Back to top | Use Dark Theme