Cheater detection

  • Hi, I run a website where some users register as providers, and other users evaluate them.
    I have been confronted with cheating from both groups:
    - providers evaluating themselves with best marks using other usernames
    - providers evaluating competing providers giving bad marks using other usernames
    - users overrating providers using several usernames
    - users taking vengeance on providers by using several usernames

    To be able to track the different usernames, I came up with a small hack:

    Quote


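    if (pnUserLoggedIn())
    {
        // get the users stored in the cookie (it is absent on the first visit)
        $cook = isset($_COOKIE['session_mgr']) ? $_COOKIE['session_mgr'] : '';
        // transform back into an array; the cookie is client-controlled, so it is
        // decoded as JSON rather than passed to unserialize()
        $cookusers = json_decode($cook, true);
        if (!is_array($cookusers))
        {
            $cookusers = array();
        }
        // get username
        $cuser = pnUserGetVar('uname');
        // check if user is found in cookie; nothing to do if already listed
        if (!in_array($cuser, $cookusers, true))
        {
            // add new user to the array
            $cookusers[] = $cuser;
            // store in cookie
            $serial_cook = json_encode(array_values($cookusers));
            setcookie('session_mgr', $serial_cook, time()+(60*60*24*365));
            // store in DB if there is more than one username
            if (count($cookusers) > 1)
            {
                // bound parameter: the value originates from the cookie, so it is
                // never concatenated into the SQL string
                $SQL = "INSERT INTO usercookies (cooknames) VALUES (?)";
                list($dbconn) = pnDBGetConn();
                $result = $dbconn->Execute($SQL, array($serial_cook));
                if ($result)
                {
                    $result->Close();
                }
            }
        }
    }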


    Do you think it will work like that?



    edited by: manarak, Jun 25, 2008 - 06:46 PM
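
An added example, not part of manarak's post: the `session_mgr` cookie above lives on the client and carries no integrity check, so its username list can be edited or forged before it reaches the database. One way to make it tamper-evident is to sign the list with an HMAC; the function names and `$key` below are hypothetical, and the demo values are constructed.

```php
<?php
// Added example: tamper-evident variant of the session_mgr tracking cookie.
// pack_users(), unpack_users(), track_user() and $key are hypothetical names.

// Encode the username list as JSON and append an HMAC-SHA256 tag.
function pack_users(array $users, string $key): string
{
    $payload = base64_encode(json_encode(array_values($users)));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the username list, or an empty array if the cookie is missing,
// malformed, or its tag does not verify (it was edited on the client).
function unpack_users(string $cookie, string $key): array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $tag] = $parts;
    // hash_equals() compares in constant time
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return [];
    }
    $users = json_decode((string) base64_decode($payload, true), true);
    return is_array($users) ? array_values(array_filter($users, 'is_string')) : [];
}

// Add $uname to the list; returns [cookie value to set, username list, changed?].
function track_user(string $cookie, string $uname, string $key): array
{
    $users = unpack_users($cookie, $key);
    if (in_array($uname, $users, true)) {
        return [$cookie, $users, false];
    }
    $users[] = $uname;
    return [pack_users($users, $key), $users, true];
}

// Constructed demo: two logins from the same browser, then an edited cookie.
$key = 'replace-with-a-random-server-side-secret';
[$c1] = track_user('', 'alice', $key);
[$c2, $users, $changed] = track_user($c1, 'alice_alt', $key);
var_dump($users, $changed);
// Append a byte to the tag to simulate client-side tampering.
var_dump(unpack_users($c2 . 'x', $key));
```

Signing only stops the list from being edited or forged; the cookie can still be deleted or left behind by switching browsers, which is the limitation the replies below raise.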
  • I wouldn't bother to attempt to track via cookies, but rather IPs. It is fairly easy to manage cookies on the user end. But IPs take an extra bit of work to manage (still rather easy).

    Anyway, my point is:

    Cookies (tend to) change more often than IPs.
    Changing browsers is an easy way to change cookies (this is something I do to have multiple accounts open for the same site).
    It is fairly easy to manage cookies on the user end.
    Grouping common users and IPs should be able to help find fraud.

    The best solution may be to have users meet a minimum criteria to use the feature you are trying to prevent fraud with. For example a user must be registered for X days or made X posts or whatever.




    --
    David Pahl
    Zikula Support Team
  • In fact, I noticed that IP tracking is not so effective.

    A lot of my site's users are not very tech-savvy and they use big internet access providers which renew the IPs at every session.
    So I found that detecting cookies works rather well.

    Of course, I already have IP tracking. My goal is to combine both.
  • If transactions are involved, I'm sure using the transaction ID to track both sides would be a more viable way
  • Hehe...

    Checking yours, Kenshino's, and my IPs here:

    (your first post)
    you (9 Posts)
    * 2nd User (1 Posts)
    * 3rd User (10 Posts)
    (your second post)
    1 post

    (me)
    122 posts

    Kenshino
    22 posts

    So what have we learned? I use this IP fairly often, as well as it seems Kenshino does. You seem to use multiple IPs and there are two other accounts that use the same IP as you. I know if I look at my IP usage throughout my time here... I will have used dozens or more IPs. The problem is that I have literally used thousands of sessions, across dozens of browsers and multiple platforms. The fact is my cookies change more often than my IP. The question is, do you really want to store session tables indefinitely? I can see this as becoming a lot of overhead.

    Also, how are you going to handle cookie sessions on the server end... let sessions stay open indefinitely?

    Combining the results seems a good idea... but there is a lot of information. It would seem challenging to sort through it. Also, these measures are easy to circumvent for some people. I can easily spoof my browser and proxy my IP. If I were trying to cheat a system, I would automate this. Obviously, most people are not this technical, but...

    But I am curious to see how it goes... let us know how effective it is. I am sure there is probably a really nice way to present the data to flag misuse. I am definitely curious, and skeptical of getting good/easily usable results.







    --
    David Pahl
    Zikula Support Team
  • I don't want to store session tables indefinitely.
    What makes you think so?
    EDIT: maybe the name of the cookie is the cause. I chose "session_mgr" just for discretion. "User_tracking" would be a little obvious.

    The above snippet just writes a cookie with the user name in it.
    If the same computer/browser logs in with the same cookie but a different user, the new user is added to the cookie, and the list of users is stored in the DB.

    Users that are not detected using 2 accounts will never be written into the DB.

    The result is a DB table - each row contains multiple usernames of the same user. Users using only one Username are not logged into the DB.

    I already successfully used a combination of cookie + IP + client hostname to get rid of some banned users which kept coming back using different usernames.


    I am also working on modifying the code of my forum to create a sandbox mode. Users I decide to put in the sandbox could use the forum normally, but their posts would be visible only to themselves...



    edited by: manarak, Jun 25, 2008 - 09:50 PM
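
An added example, not code from the thread: combining the cookie rows with IP sightings, as discussed above, comes down to scoring pairs of usernames by shared evidence and merging the pairs that score high enough into groups for review. The weights, threshold, function names and sample rows are all constructed assumptions.

```php
<?php
// Added example: group accounts linked by shared cookies and shared IPs (constructed data).
// Add $weight to every unordered username pair ('|' is assumed absent from usernames).
function add_pairs(array &$score, array $names, int $weight): void
{
    $names = array_values(array_unique($names));
    sort($names);
    foreach ($names as $i => $a) {
        foreach (array_slice($names, $i + 1) as $b) {
            $score["$a|$b"] = ($score["$a|$b"] ?? 0) + $weight;
        }
    }
}
// Union-find root lookup with path compression.
function find(array &$parent, string $u): string
{
    $parent[$u] = $parent[$u] ?? $u;
    if ($parent[$u] !== $u) {
        $parent[$u] = find($parent, $parent[$u]);
    }
    return $parent[$u];
}
// A shared cookie is strong evidence (weight 3); a shared IP is weak (weight 1
// per distinct IP), because large ISPs hand one address to many customers.
function suspect_groups(array $cookieRows, array $ipLog, int $threshold = 3): array
{
    $score = []; $byIp = []; $parent = []; $groups = [];
    foreach ($cookieRows as $row) { add_pairs($score, $row, 3); }
    foreach ($ipLog as [$ip, $uname]) { $byIp[$ip][] = $uname; }
    foreach ($byIp as $names) { add_pairs($score, $names, 1); }
    foreach ($score as $pair => $s) {
        if ($s < $threshold) { continue; }
        [$a, $b] = explode('|', (string) $pair);
        $ra = find($parent, $a); $rb = find($parent, $b);
        $parent[$ra] = $rb;
    }
    foreach (array_keys($parent) as $u) { $groups[find($parent, (string) $u)][] = $u; }
    return array_values($groups);
}
// Constructed sample: one decoded usercookies row and a login log of [ip, username].
$cookieRows = [['bob', 'bob2']];
$ipLog = [['203.0.113.5', 'bob2'], ['203.0.113.5', 'carol'],
          ['198.51.100.7', 'bob2'], ['198.51.100.7', 'bob3'],
          ['198.51.100.8', 'bob2'], ['198.51.100.8', 'bob3'],
          ['198.51.100.9', 'bob2'], ['198.51.100.9', 'bob3']];
print_r(suspect_groups($cookieRows, $ipLog));
```

With these weights a single shared IP never links two accounts on its own, so users behind the same ISP address are not flagged unless a cookie or repeated IP overlap backs it up.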
