OK, so I have a members-only area of my site and I was just curious as to how I would prevent one person from getting more than one account. I've considered verifying their IP address, but the problem is some people have dynamically changing IPs, so that wouldn't work (unless I don't understand how IP addresses work fully). I've also considered verifying users' information against the information currently in the database, but the problem with that is what to check. I have hundreds of thousands of registered members, and many of them have the same first name, or the same last name. I've even had a few people with the same first AND last name, but it's obvious they're different people because of the other account information.
I know this can be done, because facebook.com uses this technique; it's just a matter of figuring out what to validate...
Oh, just so you know, I do not mean making sure an automated program cannot register an account - I already use "captcha images" on my registration form.
You could set a cookie every time that they sign in & check for it when anyone sets up an account. Also, keep a log of the IP addresses that they've used. I don't think there is anything that you can do to prevent someone from ever creating multiple accounts, because anything you can put in place to trap them, they can get around at some level.
You can have multiple accounts on facebook. So that defeats your example. There's no way of preventing people from having multiple accounts. That's a fact of the internet that won't change anytime soon. What these systems do is register one nick to one e-mail, but you can easily get another e-mail account and create another account on your particular site. If it involves payment then credit cards would be an effective way of isolating uniqueness. However, multiple accounts could still be created utilizing temporary gift credit cards.
Well, I know there is a way around this technique, but just requiring a unique email address would help a lot. I know some people have more than one email address and can go create another email address if needed though. It's just a suggestion.
QUOTE(grimpirate @ 23 Sep, 2008 - 09:05 PM)
You can have multiple accounts on facebook. So that defeats your example. There's no way of preventing people from having multiple accounts. That's a fact of the internet that won't change anytime soon. What these systems do is register one nick to one e-mail, but you can easily get another e-mail account and create another account on your particular site. If it involves payment then credit cards would be an effective way of isolating uniqueness. However, multiple accounts could still be created utilizing temporary gift credit cards.
Well, the reason I say facebook uses some technique like that is because I tried registering another account from my computer, using completely different account information (after clearing my cache, cookies, session variables, and changing my IP address), and it said I had already registered. Although, maybe within the 100 million plus members, there was another user somewhere in their database with that info...
Well, anyways the idea about verifying credit cards is great, but unfortunately (at the moment), I don't have a section to sell stuff. *plotting*
For scientific purposes, you should try to sign up for another account again.
Well this is where my intuitive ideas trump my actual knowledge, but isn't there a 'code' that a computer presents to a browser when it logs in that the browser can identify the computer (regardless of the IP address?) logging into the site?
As most people said, there are lots of ways, but there are lots of ways around it as well... I don't think it can be foolproof, and you can just put in layers and layers of verification.
I guess the more important question is how important is it to you to prevent multiple registrations, and why? What's the reason that you have to prevent them, and does it 'ruin' your site if people can register more than once?
I think you're thinking of the SessionID, which persists for only 20 minutes by default.
I agree with the others ... there is no unbreakable way to do it. However, you can surely make it difficult for them by using a combination of cookies and checking their entered information for duplicates.
I'd write a cookie with a unique id assigned to this browser machine. You associate that with the user in your database. Then if you ever get a different user with that same machine, you can compare their info for commonality and/or suspicious coincidences.
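The cookie, IP-log and unique-email suggestions from the posts above, combined into one check (an added example, not code from any poster in this thread). It assumes a server-side secret `SECRET_KEY` and an in-memory `RegistrationLog`, both hypothetical names, and it returns reasons for manual review rather than blocking, since each signal can be cleared or changed by the user.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # assumption: loaded from server config in practice

def _sign(device_id):
    return hmac.new(SECRET_KEY, device_id.encode(), hashlib.sha256).hexdigest()

def issue_device_cookie():
    """Value for a new browser: a random id (not derived from the machine) plus an HMAC."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_sign(device_id)}"

def read_device_cookie(cookie):
    """Return the device id if the cookie is present and untampered, else None."""
    if not cookie or "." not in cookie:
        return None
    device_id, sig = cookie.rsplit(".", 1)
    ok = hmac.compare_digest(sig.encode(), _sign(device_id).encode())
    return device_id if ok else None

def normalize_email(email):
    """Lower-case and drop a '+tag' suffix so trivial variants compare equal."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

class RegistrationLog:
    def __init__(self):
        self.accounts = []  # one dict per account: username, email, device_id, ip

    def register(self, username, email, cookie, ip):
        """Store the account and return the reasons it looks like a repeat signup."""
        device_id = read_device_cookie(cookie)
        reasons = []
        for acct in self.accounts:
            if normalize_email(acct["email"]) == normalize_email(email):
                reasons.append(f"email matches {acct['username']}")
            if device_id and acct["device_id"] == device_id:
                reasons.append(f"same browser cookie as {acct['username']}")
            if acct["ip"] == ip:
                reasons.append(f"same IP as {acct['username']}")
        self.accounts.append({"username": username, "email": email,
                              "device_id": device_id, "ip": ip})
        return reasons
```

A signup that arrives with no cookie simply produces fewer signals, which is why the IP and e-mail comparisons run alongside the cookie check.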
No, I'm not. I don't know all the available info from someone who comes to your website. I know you can query their browser, but can you query anything else about their computer system, like the 'id number' (if it exists) of the computer itself, that way the masked IP or different email address doesn't matter?
@jemagee: Imagine the security implications if you were allowed access to a person's computer like that from a web application, so no, that really isn't possible (or feasible) as most OS developers shut that down tight. Cookies won't work because all a person has to do is either delete them, or not allow them. Given that, I can't really find a solution that would prevent a person from registering multiple times at a site, unless you request a DNA sample upon registration.
You're not thinking of a MAC address, are you? While I know this doesn't pertain to "a 'code' that a computer presents to a browser when it logs in that the browser can identify the computer "