lat4732's avatar
Level 12

Browser Fingerprint

Hello!

I started dealing with identifying the user's device. First I made some attempts with cookies, but it's too easy to avoid. Then I started googling and came across this service (fingerprint.com). Is this actually an effective way of identifying devices? According to my tests it is so easy to avoid. Changing the user agent from the developer console literally changes the fingerprint ID... What should I actually analyze from the user's browser in order to have at least 60% accuracy? What other ways exist of identifying a user's browser? Is there a 100% accurate way for browser identification? What can you guys suggest to me? The purpose is to detect if reviews are written with the same browser but different accounts (users).

0 likes
35 replies
martinbean's avatar

@laralex Various browsers are putting barriers in place to prevent exactly this as it’s just used for shady marketing purposes, so you’re not going to be able to do it with any major accuracy, and that accuracy is only going to decrease over time.

If you need to identify reviews from users, then only allow registered users to leave reviews.

lat4732's avatar
Level 12

@martinbean Only registered users are able to leave reviews. But they can create as many accounts as they want. We need to somehow identify user's device and give it a unique ID. Googling doesn't help me at all. People also don't know how to do this 100%, but they have ideas. And I don't.

1 like
martinbean's avatar

@Laralex You can’t. Like I say, browsers are actively making this impossible to stop fingerprinting being used for nefarious reasons.

The best you can do is to instead put deterrents in place like rate limiting and CAPTCHAs, or raise an alert if say, a number of accounts is registered from the same IP address within a short space of time.

Again, you can’t accurately identify an individual device; and any techniques you use today to do so will get less and less effective over time as browsers cut them off.

andyandy's avatar

Account verification. Like telephone number or something.

Sinnbeck's avatar

@Laralex Why? @martinbean has already explained that this isn't really possible, as browsers protect users. Have the user verify the review using a code sent to a mobile phone? Same mobile used for a lot of reviews = fake reviews.

aurelianspodarec's avatar

@andyandy Can get a number for like £1 or cheaper depending on the country. Wouldn't be a barrier if they make money off it.

1 like
Sinnbeck's avatar

@Laralex Ok. Then it sounds like you are out of luck :) Make it an app and only allow reviews through there? :p

johnDoe220's avatar

I think I understand what you mean. I implemented exactly the same service and did it with the userAgent and IP address of the user. It works acceptably well; if you want to see it, I can show my project with AnyDesk.

johnDoe220's avatar

@Laralex This system is very extensive and a little difficult to explain; whenever you want, let me know, but the whole process is like this. I implemented the login system based on the IP and model of the user's device, and the user has the ability to cancel their sessions on other devices, and that device will be removed from the account as soon as the first request (page refresh).

1 like
lat4732's avatar
Level 12

@johnDoe220 Thanks for sharing this. I'll think about it if I don't find any other solution.

martinbean's avatar

@johnDoe220 That doesn’t sound great. What about offices that contain many of the same device, and will also have the same IP address? You could have 100 people in an office all working on the same model iMac. What you’ve described is going to treat each of them as the same “user”.

2 likes
Tray2's avatar

@laralex Using the IP address is not a good solution since it's very easy to change it and most ISPs use dynamic IP addresses.

I don't think you will have a huge problem with sticking to the email address, some might create multiple accounts for spamming, but you can use a honeypot on the review form, together with a captcha and you should be good enough.

2 likes
lat4732's avatar
Level 12

@Tray2 Honeypot is preventing bot spam. THAT'S NOT THE PURPOSE OF THIS THREAD... We assume only real users will use the website.

Niush's avatar

@Laralex

Real and registered users are writing multiple reviews (aka spamming). So yes, it is a spam issue. Assume everyone is a spammer. And try to protect with rate limiting, captcha, honeypot etc.

Even hardware MAC address can be spoofed (faked) by your users. Or, users can add simple browser extensions to automatically shuffle and spoof Browser Agent, time-zone, device hardware information etc., which are generally the ways to fingerprint a device. You cannot accurately identify any users.

Spammers will always find a way. So, setting up spam protection is exactly what you need.

2 likes
lat4732's avatar
Level 12

@Tray2 I don't care at all. During my entire stay here you haven't helped me at all, on the contrary, you are only nagging.

@niush Thanks for your answers. I'll re-think what I am actually doing.

johnDoe220's avatar

@martinbean I think in the beginning it is really important to know who we will provide services to. The thing to consider is that before logging in I checked whether this IP was already registered; if so, I would only update the last login, so in fact there will never be a duplicate record and each IP appears only once. The next issue is that I checked the device model with the exact IP as well as the exact location, and it is very unlikely that all user agents are exactly the same. Right now I think this is the most accurate thing we can do; I'm completely satisfied and it works great. In my opinion, before asking this question, our good friend should have described what this website will be like in order to get more constructive tips. However, all this is just to help and the final decision will be made at their own discretion. For example, if this feature is in a banking or financial system, a person will never enter from an office with a shared device, right?

martinbean's avatar

@johnDoe220 I think you misunderstood what I was driving at.

a person will never enter from an office with a shared device, right?

A bank is a perfect example. If you think of a bank’s headquarters, there’s going to be probably thousands of machines. And the procuring department will probably buy them and refresh them in bulk periodically. So when an order comes in, there’s going to be many units of the same model computer. And corporations that size usually have mandates on what software (including web browsers) should be used. So you’re going to have a large number of people, using the same model of computer, and same browsers with the same user agent strings, from the same IP address.

Niush's avatar

No need to fingerprint just for that. There are two basic ways that should be enough:

I) Rate Limiting based on IP address and product:

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// Registered in a service provider's boot() method:
// one review per hour per client IP and product route parameter.
RateLimiter::for('review', function (Request $request) {
    return Limit::perHour(1)->by($request->ip() . '-' . $request->route('product'));
});

// Then attach the limiter to the review route:
// Route::post('/products/{product}/reviews', ...)->middleware('throttle:review');

https://laravel.com/docs/9.x/rate-limiting#main-content

II) Captcha: You can add a Captcha (or reCaptcha) when registering a new user, or when leaving a review, to protect against spam.

Additionally, if it is an e-commerce, you can add policy so that only users that have purchased an item can write a review.

1 like
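Putting martinbean's earlier suggestion (alert when many accounts are registered from one IP in a short time) and the per-IP-and-product throttle above into one stand-alone check, as an added example that is not code from the thread or from Laravel; the log format, timestamps and addresses are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed sample log: "timestamp,event,ip,subject" where subject is the
// new account name for registrations and the product id for reviews.
const SAMPLE_LOG = <<<'LOG'
2024-05-01T10:00:00Z,register,203.0.113.5,alice
2024-05-01T10:02:10Z,register,203.0.113.5,bob
2024-05-01T10:03:40Z,register,203.0.113.5,carol
2024-05-01T10:04:05Z,register,198.51.100.7,dave
2024-05-01T11:30:00Z,review,203.0.113.5,product-42
2024-05-01T11:31:00Z,review,203.0.113.5,product-42
2024-05-01T15:00:00Z,review,198.51.100.7,product-42
LOG;

/**
 * Return the keys ("ip" for registrations, "ip|product" for reviews) that
 * reach $threshold events inside any sliding window of $windowSeconds.
 * Hits are alerts for a human to look at, not automatic blocks: as the thread
 * points out, offices and carrier-grade NAT put many genuine users behind one
 * address, so a burst from one IP is a signal rather than proof.
 */
function detectBursts(string $log, int $windowSeconds, int $threshold): array
{
    $timesByKey = [];
    foreach (explode("\n", trim($log)) as $line) {
        [$ts, $event, $ip, $subject] = explode(',', $line);
        $key = $event === 'review' ? "$ip|$subject" : $ip;
        $timesByKey[$key][] = strtotime($ts);
    }

    $flagged = [];
    foreach ($timesByKey as $key => $times) {
        sort($times);
        $start = 0; // oldest event still inside the window
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > $windowSeconds) {
                $start++;
            }
            if ($i - $start + 1 >= $threshold) {
                $flagged[] = $key;
                break;
            }
        }
    }
    return $flagged;
}

// With a 10-minute window and a threshold of 2, the sample log flags
// "203.0.113.5" (three registrations) and "203.0.113.5|product-42".
print_r(detectBursts(SAMPLE_LOG, 600, 2));
```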
lat4732's avatar
Level 12

@Niush I'm not doing that to protect against spam. What does reCaptcha have to do with the user's device? Users are real persons and not bots. I just want to prevent publishing reviews from different accounts on the same device. The rate limiter idea is also not good enough because users can change their IP address and post again.

aurelianspodarec's avatar

@Laralex "The rate limiter idea is also not good enough because users can change their IP address and post again." - yes, but some might not be as sophisticated, maybe that'll save 10% spam but that's still something.

I think what we need to realise is that unless you ID each user with a gov ID, you won't be able to stop it. I don't think there's an impenetrable system like he wishes there was; there will be fake reviews, just deal with it. Meanwhile he should focus on all of the advice given here.

Again, unless there's one global system where you need ID for everything, there will be scams. What would stop the person from buying the products and leaving the reviews? It's not like he will ship the product to himself, and he might get all of the money back anyway, unless that person doesn't manage to deduct it from tax or find a loophole or legal reason that it was himself that bought it from himself lol, which would also be a good idea to make sure to have in the website's legal policy that prohibits this, just to be covered in case that does happen. And I hope we don't end up where we need a gov ID to log into the internet and use ID instead of an email address... because the data will be abused by the gov since they have the interest of big companies and not the people, and then welcome to dystopia and dictatorship, where if you don't smile and obey you end up in prison for life or... But that's off-topic xd

Edit: Even reCaptcha and all that stuff, there are people in 3rd world countries that do this when they act like a robot. So again, unless you gov ID people on websites, you won't be able to do this.

Just not possible. YT, LinkedIn etc... can't stop fake comments, let alone him. And they are getting sophisticated recently. If you noticed, the bots are having a discussion, literally like 20 users (bots) writing to each other with the crypto scam and all that, not sure you've noticed, worse than what it was a year ago.

1 like
Snapey's avatar

Changing IP is actually quite hard because it is usually provided by your service provider (remember, it's not their personal machine's IP, rather the IP of their connection to the internet provided by their ISP).

But also remember that IP addresses can easily change. On mobiles, switching into airplane mode for a bit will cause the mobile context to be lost, and then you can get a new IP. In some cases, the IP will be the gateway of the mobile phone provider since they will use IPV6 within their network, going down to IPV4 at the edge. Consider lots of users in one locality, you risk blocking genuine users because they happen to share the same mobile network.

So, overall, IP addresses are quite an unsatisfactory means of identification.

aurelianspodarec's avatar

@Snapey I remember one guy that does Python showed me how to do it, I know nothing about it, he made it seem easy :D Why we did it, well... to avoid something, genuine guys :D That was back in 2017 though. He changed some IP stuff via the command line, and he could also kinda interfere with other people or almost like steal the identity of an IP, but I can't remember if there was a token for that or not, but he made it work somehow. But yeah, it was so I could use the internet for free at the dorm's cost basically, which is also free xd I was paying them anyway, just didn't have it as I paid late that month.

aurelianspodarec's avatar

I think so. It was the dorm network. So unless you were part of the system, you wouldn't have access to it. So I think he made it so my computer had someone else IP or something - but not 100% what he did. Then he had to change it back though.

1 like
Sinnbeck's avatar

@aurelianspodarec He most likely just changed the MAC address on his network card. The same can be done on a router. The IP is bound to a MAC, so if it changes, you get a new IP.

Snapey's avatar

I think it's fair to say that it's relatively easy to fingerprint a user that does not know or care it is happening.

But it's almost impossible to fingerprint someone that wants to bypass it.

Depending on your application, you might be able to rate limit reviews, and couple that with captcha-backed email confirmations just to make it time consuming and a hassle for the spammer. Unfortunately, if someone is paying for fake reviews there is not a lot you can do. Amazon fails to block fake reviews, and look at the resources they have available.

3 likes
wooddocu's avatar

There are websites using patented zombie cookie trackers, if the user does not accept them, entry is prohibited, spam drops from 10 to 0.2%, they pay for computer engineering to renew them, they remain uncodable and the system is 100% impenetrable.

1 like