How to recognize returning visitors not using cookies?

Discussion in 'Programming' started by lampodiiluce, Jun 9, 2013.

  1. #1
    My coder is working for me on a new game script (mainly coded in PHP/AJAX and JavaScript).
    This is the problem: I do not want people to be able to cheat the game, so I need to identify and recognize each single visitor in a unique way. Normal cookies are not a solution since they can be easily deleted.

    What could I do to recognize a user in a stealth way so he cannot easily delete the cookies and play my game multiple times?

    I cannot register the IP in the database because many ISPs in my country use the same IP for multiple users, so I would block many users if I ban an IP.

    Is there a way to install a stealth cookie that is not easy to delete, or something like that?

    Maybe Flash cookies or Java cookies?

    Any ideas?

    Thanks
     
    lampodiiluce, Jun 9, 2013 IP
  2. sarahk

    sarahk iTamer Staff

    #2
    A cookie is still a cookie regardless of whether it is generated by Flash or JavaScript.

    You can use a combination of IP address and user agent - will they think to change browsers? Some will, most won't.
    You can register a domain name that is totally unrelated to your site and drop a third party cookie. Unless they clean all cookies they probably won't link that one to your game.
     
    sarahk, Jun 9, 2013 IP
  3. aidanriley629

    aidanriley629 Banned

    #3
    They will clear all their cookies instead of bothering to track down the one from your site. Can't you check if it's the same person based on their username?
     
    aidanriley629, Jun 9, 2013 IP
  4. sarahk

    sarahk iTamer Staff

    #4
    I've been out mountain biking and mulled over your question while I was out. The most effective way would be to SMS a code to their mobile phone - and only send it if the mobile hasn't been used (successfully) before. The question then is: what is the value to you of preventing a second play? How much are you prepared to pay to enforce your rule?
     
    sarahk, Jun 9, 2013 IP
  5. aidanriley629

    aidanriley629 Banned

    #5
    That's what I was wondering, why can't they play twice? The problem with SMS is that it will be expensive for international people.
     
    aidanriley629, Jun 9, 2013 IP
  6. sarahk

    sarahk iTamer Staff

    #6
    That's where he needs to look at the value in enforcing his rule.
     
    sarahk, Jun 10, 2013 IP
  7. jscg

    jscg Well-Known Member

    #7
    Maybe you should use sessions? Or randomly generated SHA strings on each user visit?
     
    jscg, Jun 11, 2013 IP
  8. sarahk

    sarahk iTamer Staff

    #8
    Sessions won't work if a user switches browser or switches device though. We really need some feedback from lampodiiluce as he has a few suggestions and we don't know what his thoughts are.
     
    sarahk, Jun 11, 2013 IP
  9. xtmx

    xtmx Active Member

    #9
    I'm guessing he's in the PBBG market, in which case having multiple accounts gives a person unfair advantages (assuming it allows in-game trading of items, which most do).

    Shared Objects are somewhat harder to clear than normal cookies, and if your site is desktop-based, they might be your best option. Here's an example AS3 script:

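    import flash.net.SharedObject;
    import flash.net.URLRequest;
    import flash.net.sendToURL;

    // Open (or create) the Flash local shared object for this game.
    var object:SharedObject = SharedObject.getLocal("GameName", null, false);
    var flag:String = "";
    if (object.data.flag != null) {
        // Returning visitor: reuse the stored identifier.
        flag = String(object.data.flag);
    } else {
        // New visitor: build a random identifier and store it.
        flag = Math.random().toString();
        flag += Math.random().toString();
        flag += Math.random().toString();
        object.data.flag = flag;
    }
    // Write the shared object to disk.
    object.flush();
    // Report the identifier to the server-side script.
    var request:URLRequest = new URLRequest("/b.php?r=" + flag);
    sendToURL(request);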
    This code generates a random string for every user, stores it as a SharedObject, and then sends it to b.php. Here's the swf:

    http://www.thomasmottl.com/assets/so.swf

    If the string already exists in the database, it's a good bet that they already have an account. This method is not foolproof, but assuming that your site is desktop-based, it may be a decent choice.

    This is just a proof-of-concept.
     
    xtmx, Jun 11, 2013 IP
  10. deathshadow

    deathshadow Acclaimed Member

    #10
    Or people like me who don't have no ***** SMS capable phone.

    Really what you are asking to do is NOT something web technologies are designed to do... and nonsense like using SWF to do it is no different than using a cookie. The MOST I'd do is track users by IP address, and if you have multiples from the same address, flag it for MANUAL review of their activities (since it could be something like brother and sister). UN, e-mail address, that's about as far as you can reasonably go. Anything else is just going to get slapped aside like it wasn't even there.

    Web security is like the door locks on a car -- they are there to keep the honest people out. Anyone determined to get in under another username on a free service is going to slap EVERYTHING listed so far in this thread aside like Magenta Thompson in a blaxploitation film.
     
    deathshadow, Jun 12, 2013 IP
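
The manual-review approach from post #10, combined with the IP and user agent pairing from post #2, as an added example that is not part of the thread. The log rows, field names and the `reviewQueue` function are assumptions; the addresses are documentation ranges and the data is constructed.

```javascript
// Added example: hypothetical names, constructed data (documentation IP ranges).
const SIGNUPS = [
  { user: 'alice',  ip: '203.0.113.7',  ua: 'Mozilla/5.0 (Windows NT 6.1; rv:21.0) Firefox/21.0' },
  { user: 'alice2', ip: '203.0.113.7',  ua: 'Mozilla/5.0 (Windows NT 6.1; rv:21.0) Firefox/21.0' },
  { user: 'bob',    ip: '203.0.113.7',  ua: 'Mozilla/5.0 (Macintosh) Safari/536.30' },
  { user: 'carol',  ip: '198.51.100.4', ua: 'Mozilla/5.0 (X11; Linux x86_64) Chrome/27.0' },
  { user: 'carol',  ip: '198.51.100.4', ua: 'Mozilla/5.0 (X11; Linux x86_64) Chrome/27.0' },
];

// Append `value` to the array stored under `key`, creating it if needed.
function push(map, key, value) {
  if (!map.has(key)) map.set(key, []);
  map.get(key).push(value);
}

// Build a manual-review queue. Nothing is banned automatically: a shared IP
// alone is weak evidence (shared ISP addresses, siblings), so an entry is only
// raised to "high" when two accounts also share the same user agent.
function reviewQueue(rows) {
  const byIp = new Map();
  for (const r of rows) push(byIp, r.ip, r);

  const queue = [];
  for (const [ip, hits] of byIp) {
    const accounts = [...new Set(hits.map(h => h.user))];
    if (accounts.length < 2) continue; // one account with repeat visits is fine

    // Within one IP, cluster accounts by identical user agent string.
    const byUa = new Map();
    for (const h of hits) push(byUa, h.ua, h.user);
    const sameBrowser = [...byUa.values()]
      .map(users => [...new Set(users)])
      .filter(users => users.length > 1);

    queue.push({ ip, accounts, sameBrowser,
                 priority: sameBrowser.length ? 'high' : 'low' });
  }
  // High-priority entries first so a moderator sees the strongest matches.
  return queue.sort((a, b) =>
    a.priority === b.priority ? 0 : a.priority === 'high' ? -1 : 1);
}

console.log(JSON.stringify(reviewQueue(SIGNUPS), null, 2));
```
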
  11. sarahk

    sarahk iTamer Staff

    #11
    Really? In 2013? My phones get made obsolete so bloody fast because the phone companies change the tech on me every few years (although 3G seems pretty stable and at least 4G is backward compatible).

    But we really, really need to hear back from the OP.
     
    sarahk, Jun 12, 2013 IP
  12. ThePHPMaster

    ThePHPMaster Well-Known Member

    #12
    Use zombie cookies. I would say it would work for the majority of people (if not all). A great implementation of zombie cookies would be evercookie by Samy:

    http://samy.pl/evercookie/
     
    ThePHPMaster, Jun 14, 2013 IP