On Wed, 5 Jun 2002, Nick Wilson wrote:
> The only small problem I see is if a user logs out and then registers as
> another user and votes again. I will be verifying emails of members so
> I think this is an unlikely scenario but it still bugs me a little.

Any web-based unique-user-identification process that does not involve a
human can be fooled. The only exceptions would be if you had access to 
government-issued unique ID databases, such as passport or tax ID numbers. 
Nobody else takes the time to uniquely enumerate the population.

Therefore the only way you can do it reliably is by looking the person in 
the eye, listening to their voice, or applying human judgment to the 
combination of evidence they have transmitted to you electronically.

Anything that relies on email, name, credit card number, etc., for ID is
doomed to failure in this regard because it's too easy to manufacture or
appropriate new identities. Additionally, some of the methods (credit 
card) are, in addition to being susceptible to spoofing, sufficiently 
intrusive as to deter participation by legitimate users.

So decide how much hassle it's worth making it (both for yourself and for
your users) and run with it. My feeling would be that a cookie + email 
token is enough for anything but high-security or money-based operations; 
after those measures the amount of hassle rises steeply.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
