How to avoid that a user removes his session


Problem description

Currently, I am trying to build a page where users can vote on content (up/downvote, similar to the function on the StackExchange network). But the users shouldn't need to register themselves to vote on content. So it would be a kind of "anonymous" voting page. It is built with Laravel5 and uses a MySQL database to store the votes. The user sessions are stored in flat files, but can also be stored in a database table (L5 is quite flexible here).

How to make it secure?

I am storing restrictions and already voted contents in the user sessions, e.g. when the user has voted on content XYZ (so the user cannot vote again on the specific content for now). Those restrictions are time-based, mostly 24 to 48h. This works well as long as the user does not throw away/delete his cookies, which would cause a new session to be created and remove the time restrictions, which could lead to easy vote fraud.

So, how do I avoid that the user "loses" his session? The focus is on how to let the restrictions and limitations of each "anonymous" user persist! Shared PCs or voting from different locations cannot be avoided when voting anonymously, but "botting" or vote fraud in large numbers needs to be avoided with a given solution.

Setting the sessionId of each user's session to a combination of IP and User-Agent

I've asked a question about this attempt (linked below), but it would open up more problems than it would solve (e.g. easy session spoofing). Also, I couldn't manage to set the sessionID manually using Laravel5.

  • Letting every user register themselves (in my use case, this is too much effort for each user)
  • How to remember an anonymous vote
  • Retrieve or reassign user session from ip and user-agent

Recommended answer

My solution was a combination of implementing evercookie to assign an "Identification Cookie" per user, detecting private browsing and restricting access when Incognito mode or private browsing is enabled, and finally restricting several actions (voting in my case) when the evercookie is not present.
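The question's time-based vote restriction and the answer's rule of refusing votes without the identification cookie, as an added example in plain PHP (it is not code from the question, the answer, or Laravel). The vote record is moved out of the session into a server-side table keyed by the identification cookie, so the restriction lives as long as the cookie does rather than as long as the session file. The HMAC signature on the cookie value, the 24h window, the `SERVER_SECRET` constant, and the PHP array standing in for the MySQL votes table are assumptions made here; the answer does not describe them. Deleting the cookie (evercookie or not) yields a fresh identity, which the walk-through at the end demonstrates.

```php
<?php
// Added example, not from the question or answer: a server-side vote gate for
// anonymous voting. Votes are recorded per identification cookie in a
// server-side table (an array stands in for the MySQL table here, an
// assumption) with a time window, instead of in the session. The cookie value
// is HMAC-signed so a client cannot forge another user's id; the signing, the
// secret and the 24h window are assumptions made for this example.
declare(strict_types=1);

const VOTE_WINDOW_SECONDS = 24 * 3600;                        // assumed: 24h per content
const SERVER_SECRET = 'replace-with-a-random-32-byte-key';    // assumed: load from config

/** Issue a new identification cookie value: hex(16 random bytes) . "." . hmac_sha256. */
function issueIdentificationCookie(string $secret = SERVER_SECRET): string
{
    $id = bin2hex(random_bytes(16));
    return $id . '.' . hash_hmac('sha256', $id, $secret);
}

/** Return the id if the cookie is present and its signature verifies, otherwise null. */
function verifyIdentificationCookie(?string $cookie, string $secret = SERVER_SECRET): ?string
{
    if ($cookie === null) {
        return null;
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], $secret);
    // Constant-time comparison so the signature cannot be guessed byte by byte.
    return hash_equals($expected, $parts[1]) ? $parts[0] : null;
}

/**
 * Try to record a vote. $votes is the server-side table keyed by "id|content",
 * holding the unix time of the last accepted vote. Returns a status string.
 */
function castVote(array &$votes, ?string $cookie, string $contentId, int $direction, int $now): string
{
    $id = verifyIdentificationCookie($cookie);
    if ($id === null) {
        // The answer's rule: no identification cookie, no vote.
        return 'denied: no valid identification cookie';
    }
    if ($direction !== 1 && $direction !== -1) {
        return 'denied: invalid vote direction';
    }
    $key = $id . '|' . $contentId;
    if (isset($votes[$key]) && ($now - $votes[$key]) < VOTE_WINDOW_SECONDS) {
        // The question's time-based restriction, now enforced server-side.
        return 'denied: already voted on this content within the window';
    }
    $votes[$key] = $now;
    return 'accepted';
}

// Walk-through with constructed data (no real users or votes).
$votes  = [];
$now    = 1700000000;
$cookie = issueIdentificationCookie();

echo castVote($votes, $cookie, 'XYZ', 1, $now), "\n";                              // first vote
echo castVote($votes, $cookie, 'XYZ', -1, $now + 3600), "\n";                      // same user, one hour later
echo castVote($votes, $cookie, 'XYZ', 1, $now + VOTE_WINDOW_SECONDS + 1), "\n";    // after the window
echo castVote($votes, null, 'XYZ', 1, $now), "\n";                                 // cookie missing
$forged = bin2hex(random_bytes(16)) . '.' . str_repeat('0', 64);
echo castVote($votes, $forged, 'XYZ', 1, $now), "\n";                              // bad signature
// A user who deletes the cookie and receives a new one starts with an empty history:
// the same limit the session-based approach has, only moved from session to cookie.
echo castVote($votes, issueIdentificationCookie(), 'XYZ', 1, $now), "\n";
```

In a real deployment the array would be the MySQL votes table with `(identifier, content_id, voted_at)` and an index on the pair, and the cookie would be set with the `HttpOnly`, `Secure` and `SameSite` attributes; the signature only stops forgery of someone else's identifier, it does nothing against a client that discards the cookie, which is why the answer leans on evercookie and on refusing private-browsing sessions.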
