Session tracking

[eluser]Iverson[/eluser]
I'm building a site that will have different categories. A visitor will to be able to comment on each category without any user authentication. Right now, for each comment I'm saving the ip, session id, timestamp, and user agent in the database. I've set CI's session expiration to 86400 (1 day). I then check a new comment to see if there is a comment less than a day old that has the same session id, ip, and user agent. If there is, you can't add a comment. This works but I'm need more brains to help me figure out if that's pretty much all I can do to ensure a visitor only comments on a category once a day. User authentication is out of the question. Thanks guys! (and girls)

[eluser]TheFuzzy0ne[/eluser]
I think that is indeed about the best you can do. A user can delete cookies (and get a new session ID), switch browsers (thus changing their User Agent), and in some cases (like mine), re-initialise their Internet connection which gives them a totally new IP address.

[eluser]Iverson[/eluser]
[quote author="TheFuzzy0ne" date="1237840420"]I think that is indeed about the best you can do. A user can delete cookies (and get a new session ID), switch browsers (thus changing their User Agent), and in some cases (like mine), re-initialise their Internet connection which gives them a totally new IP address.[/quote]

Exactly. Plus it's not like the site will be that big of a deal to where people will go through all of that trouble. And if they do then they must really have something to say. Question, does the session destroy when the browser closes?

[eluser]i_like_ponies[/eluser]
Tough issue. But you might be causing issues for people like AOL users that generally all have nearly identical user agents and come from the same proxy IPs. Other systems like mobile devices can have similar issues.

But if you can successfully cookie them (real cookie, not session based cookie which expires when browser is closed) then in theory the cookie id should be good enough. Course if people want to be malicious and/or clean their privacy data every time they close their browser, then you're kind of up a creek anyways.

[eluser]Iverson[/eluser]
[quote author="i_like_ponies" date="1237851550"]But if you can successfully cookie them (real cookie, not session based cookie which expires when browser is closed) then in theory the cookie id should be good enough.[/quote]

That's what I though, but actually, closing my browser after I start a session on the site keeps the session when I reopen it. Even keeping the browser open and opening a totally browser (not a tab) keeps the session.

[quote author="i_like_ponies" date="1237851550"]Course if people want to be malicious and/or clean their privacy data every time they close their browser, then you're kind of up a creek anyways.[/quote]

Yep. Oh well. The first thing you learn in security is that you can never have a 100% secure site. The only thing you can do is make it as hard as possible to be hacked hut: