Let's say I have a website and it has one button, "click me", and also a counter which counts how many times people clicked on the button.
The thing is, how do I validate that the clicker is a real person, that he clicked only once, etc.?
IPs can be changed. Also, it's not a good choice to make a whole account system for a single button.
1.- You can save the count in the cache to make it accessible on the backend side.
2.- In the frontend you cannot access the IP, so you won't be able to check at that level.
3.- Maybe what you're looking for is a button with a POST on a login website; then every time the button is clicked you can send the POST with the user information and save it.
4.- To validate if it is a human you can use Google Captcha.
Hope this helps you!
You can use Google Invisible reCAPTCHA. It's not 100% reliable when it comes to detecting bots (it has been proven multiple times in the past) but still very efficient.
However, to detect if a single person has clicked only once, there is no viable solution I think. You can maybe add a cookie and check if the cookie exists, but it can be easily bypassed by simply deleting the said cookie.
To authenticate a unique device, you can store MAC, IP address, and User Agent. Of course, all of those can be spoofed to allow multiple clicks. That solution would also limit to one person per device, which may not be your intent. Storing User Agent with the MAC address is more difficult to get around than a cookie (that can be deleted).
You can eliminate the most common bots by their user agent, or you can use a CAPTCHA.
You authenticate persons by email account or OpenID, but I assume you want to make clicking the button as easy as possible.
I am currently redesigning a website and looking for a solution on how to add a paid version of the site.
For example, say I have a <select> drop-down box with 20 elements inside. However, I want 15 of these 20 elements to be disabled unless the user has a paid account. At this time, that is the extent of what I need to differentiate between free/paid versions.
I'm planning on adding the ability to register an account and log in, as well as some type of payment processor (recommendations are appreciated for this! - currently looking at using Django/Python). I just don't know how to best go about managing two different levels of the website, and allowing those additional options to paid members.
I'm working with calculators that are pure Javascript. Using Bootstrap for the page design. As far as anything else goes, I'm open.
To do that, you'd have to add a field with a default value of NULL to your database, let's call it "subscription", into your users table. Then, every time a user logs in to your website, fetch the subscription value and write it into a session variable. The last thing you have to do to ensure free members aren't allowed to perform any actions the subscribed members can is checking the content of the session variable while:
building your HTML, or you could check it on the client side with JavaScript right after the premium element has loaded (this is for user experience only, since a client can remove any HTML attribute whenever they want)
and
while receiving the data of the premium element on the server side: accept it if the user is premium, reject it if they're free (again, just checking the session variable should do the job).
So as you can see, it's much more about preventing free users from gaining access to the paid members' options than allowing paid members to browse a completely new version of the website designed specifically for them.
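The two checks from this answer, sketched as an added example (not code from the original post). The option catalogue, the `calculator` field name and the function names are assumptions; the session is a plain dict whose `subscription` value is `None` for free members.

```python
from html import escape

# Constructed catalogue: 20 options, the first 5 free, the other 15 paid-only.
OPTIONS = {f"calc{i:02d}": {"label": f"Calculator {i}", "premium": i > 5}
           for i in range(1, 21)}

def is_premium(session):
    """The answer's scheme: 'subscription' is NULL/None for free members."""
    return session.get("subscription") is not None

def render_select(session):
    """Build the <select>; disabling options here is only a UX hint."""
    rows = []
    for value, opt in OPTIONS.items():
        locked = opt["premium"] and not is_premium(session)
        rows.append('<option value="{}"{}>{}</option>'.format(
            escape(value), " disabled" if locked else "", escape(opt["label"])))
    return '<select name="calculator">\n' + "\n".join(rows) + "\n</select>"

def handle_submission(session, posted_value):
    """Server-side gate: runs on every request, whatever the HTML said."""
    opt = OPTIONS.get(posted_value)
    if opt is None:
        return 400, "unknown option"          # value not in the catalogue
    if opt["premium"] and not is_premium(session):
        return 403, "paid subscription required"
    return 200, f"running {opt['label']}"
```

A free member who strips the `disabled` attribute in the browser and posts `calc12` still gets the 403, because the decision is made from the session, not from the markup.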
I will try to give you a blunt idea; maybe this might help you.
So let's say a user has paid for your service: you can flag a token in your app's backend for whether a particular user is paid or not. So whenever the user logs in to your app next time, you can get the status of the logged-in user.
Once you get the status of the logged user you can enable or disable ui elements.
I hope this made some sense.
Please be advised, this is not a code-problem question.
I have a resource in my app that is available only for authenticated users. In case a guest user tries to access the resource by clicking on it - registration modal shows up.
Now, I'm building logic using jQuery and PHP in order to store those clicks of guests. However, I also would like to implement something, that will let me retrieve rough information on unique users among the ones who clicked.
The idea I have is this:
When a specific page is loaded, set a JS cookie of "unique" value, like this: [random string of fixed size][timestamp]. The cookie would expire in a year from now. If the cookie already exists, don't do anything.
When the guest clicks on the resource, make an Ajax call to store the click AND the cookie value.
Later, to get "unique" clicks, make a SELECT that will GROUP BY the cookie value.
Unless the cookies are cleared or the custom cookie expiration date is exceeded, this should give me a way to determine unique clicks (users) among guests.
I'm interested, if anyone can provide me with a better way to achieve what I need.
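The scheme described in this question, as an added example that is not part of the original post. It assumes the identifier is 32 random hex characters followed by a 10-digit Unix timestamp and that clicks go into a hypothetical `guest_clicks` table (SQLite in memory here); because the cookie value comes from the client, its shape is checked before it is stored.

```python
import re
import secrets
import sqlite3

# Assumed layout of the cookie value: [random string][timestamp]
ID_RE = re.compile(r"[0-9a-f]{32}\d{10}")

def new_visitor_id(now):
    """Value for the one-year cookie: 32 random hex chars + Unix time."""
    return secrets.token_hex(16) + f"{int(now):010d}"

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guest_clicks "
               "(visitor_id TEXT, resource TEXT, ts INTEGER)")
    return db

def record_click(db, cookie_value, resource, now):
    """Store one click; reject cookie values that do not match the layout."""
    if not isinstance(cookie_value, str) or not ID_RE.fullmatch(cookie_value):
        return False
    db.execute("INSERT INTO guest_clicks VALUES (?, ?, ?)",
               (cookie_value, resource, int(now)))
    return True

def unique_clicks(db, resource):
    """Rough unique-guest report: one row per cookie value with its count."""
    return db.execute(
        "SELECT visitor_id, COUNT(*) FROM guest_clicks WHERE resource = ? "
        "GROUP BY visitor_id ORDER BY COUNT(*) DESC", (resource,)).fetchall()
```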
I wouldn't reinvent the wheel and use Google Analytics for this kind of task, since it's almost doing all the job and giving you nice graphics and statistics for free.
I would like to know more about the solutions to restrict registering for a website for humans only.
Captcha may seem a proper solution but as it turns out it's not as good as it sounds.
And it's not a problem if a solution is not an option for blind, deaf people, etc.
My newest web app uses a process that makes this really easy for the user and secure for me.
User goes to login page, enters their email address and clicks an "I am signing up" checkbox.
The user clicks "register", their email address gets inserted to a temporary SQL table (called signups) and an email with a verification link is sent to the email address.
The user clicks the verification link which takes them to a "create password" page.
After the user creates his password, the email address and password are inserted into the users table–and the entry in the signups table is deleted.
This makes it easy and reliable.
The signups table also includes a random SHA1 hash (for the verification link), a timestamp set for 12 hours after the sign up, and IP Address.
All entries in the signups table that have an expired timestamp get removed at certain parts of the day.
Update
Since writing this answer, I have found that keeping a signup form secure from robots is a never-ending battle.
As time goes on, new technologies and methods are being developed to circumvent security measures. The best thing any dev team can do is periodically be checking the quality of signups, and thinking of ways to make their signup form both more secure and intuitive to use.
Yeah, it is a good bit of work and resources that go into it, but having confidence in your signup form and quality of signups is well worth the expense.
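The signup flow from this answer, sketched as an added example (not the answerer's code). It keeps the `signups` and `users` tables and the 12-hour window, but as labelled substitutions it uses a random token from `secrets` stored as a SHA-256 digest in place of the random SHA1 hash, and PBKDF2 for the password; column names, SQLite and the function names are assumptions, and sending the e-mail is left out.

```python
import hashlib
import os
import secrets
import sqlite3

TTL = 12 * 3600  # the answer's 12-hour window, in seconds

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signups (email TEXT PRIMARY KEY, token_hash TEXT,
                              expires INTEGER, ip TEXT);
        CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
    """)
    return db

def _digest(token):
    # Only the digest is stored, so a leaked signups table yields no live links.
    return hashlib.sha256(token.encode()).hexdigest()

def start_signup(db, email, ip, now):
    """Store a pending signup; return the token for the e-mailed link."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT OR REPLACE INTO signups VALUES (?, ?, ?, ?)",
               (email, _digest(token), now + TTL, ip))
    return token

def complete_signup(db, token, password, now):
    """Create the user if the token is known and unexpired; single use."""
    row = db.execute("SELECT email, expires FROM signups WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    if row is None or now > row[1]:
        return False
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    with db:  # insert into users and delete from signups in one transaction
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (row[0], salt, pw_hash))
        db.execute("DELETE FROM signups WHERE email = ?", (row[0],))
    return True

def purge_expired(db, now):
    """The periodic cleanup job; returns how many rows were removed."""
    return db.execute("DELETE FROM signups WHERE expires < ?", (now,)).rowcount
```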
Depending on how targeted your site is, using a honeypot can be quite effective.
In short, you have a field on your form with a common name -- let's say email. Your actual email field has some other random name like larp.
Hide the email field using CSS, and include a text label instructing users to leave that field blank, should they happen to see it.
If any registrations come in with the email field filled in, send a success message back then drop it.
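The honeypot described in this answer, as an added example that is not from the original post. The field names `email` (decoy) and `larp` (real) come from the answer; the form markup, the `hp` class, the response text and the function name are assumptions, and the two lists stand in for real storage.

```python
DECOY_FIELD = "email"   # common name that bots fill in; hidden with CSS
REAL_FIELD = "larp"     # the field humans actually see and use
SUCCESS = (200, "Thanks! Check your inbox to finish signing up.")

# Assumed markup: .hp is hidden by a stylesheet rule, and the label covers
# users who see the field anyway (e.g. with CSS disabled).
FORM_HTML = f"""<form method="post" action="/register">
  <div class="hp" aria-hidden="true">
    <label>Leave this field blank
      <input name="{DECOY_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <label>E-mail <input name="{REAL_FIELD}" type="email" required></label>
  <button>Register</button>
</form>"""

def handle_registration(form, registrations, dropped):
    """Return the same response either way; only store untrapped signups."""
    if form.get(DECOY_FIELD, "").strip():
        dropped.append(form)      # kept for periodic review, never a user
        return SUCCESS            # the bot sees an ordinary success message
    address = form.get(REAL_FIELD, "").strip()
    if "@" not in address:
        return (400, "Please enter a valid e-mail address.")
    registrations.append(address)
    return SUCCESS
```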
Verifying the e-mail address and allowing only users who have verified their e-mails is the easiest and quickest solution.
You could have users listen to an audio file, and enter the word into a text box. That's what I wanted to do for phpBB3, but alas, they do not allow HTML markup for their verification questions. Alternatively, you can do defense in depth, and have a CAPTCHA be only part of the process.
Instead of captcha (typing in words displayed in an image) I've seen websites that require you to answer a question, usually basic math. I haven't implemented these, but I've seen them several places so it must be something that's a plugin for various CMSes and so forth.
Bottom line is, any system will eventually be circumvented. You can minimize bot-registrations, but I can tell you from experience that there are people out there who will pay other humans (who can pass just about any test) money to sign up for web sites - the pay is generally really poor, but there are always people who will find that acceptable.
So along with whatever solution you use, you'll want to periodically re-evaluate that solution, AND you'll want to have a human being review new registrations (maybe once a day?) to weed out the few 'bots that do get through.
Let's say I have a page where a user has an option to like or dislike something. The like or dislike actions send a POST message to a control which increments/decrements the number of likes on an object. However, the user is not logged in when they do this action.
How can I protect this page from JavaScript code that automatically clicks on like or dislike? Right now, after the user clicks one of them, that entire container becomes hidden, but couldn't someone use JavaScript (in the URL/bookmarklet) to bring it back and then execute a click?
Security problems include CSRF, Clickjacking and the Coup d'état for this poorly planned feature is that IP addresses are basically free. So if anyone wants to upvote, they can and they can do so as much as they want. If you want to slow them down you need a captcha to protect it.
I want to create a popup, which is easy, but here's the thing: I want to hide it if you become a paid member, and I want it to appear again if you don't subscribe the next month. I am using the PayPal button HTML code and not the IPN. The PayPal button is in the account section of the site; if you want I can put it in the pop-up, and I can use the IPN if I have to instead of the HTML code. I just want someone to guide me on how it's done.
You're going to need some sort of user authentication to see if someone has purchased your product or not. This should be handled with a server-side language (PHP, Ruby, etc.) and you can change the layout of your page based on whether the user has authenticated or not.
If you don't have any server-side code, you could use cookies that are saved when you receive a successful callback from PayPal, but that isn't going to be very reliable because they won't be found if the user changes browsers or computers.
If you don't want to use a back-end then use cookies. If they have correct values stored in the cookie, use JavaScript to hide or change the elements on the page.