Hi folks. Been thinking about this for a while now and still haven't come up with any decent ideas yet. I'm trying to think of some reliable methods of banning people from sites and forums. Banning by IP would be useless because it'd only work on those with static IPs and even they could just use a proxy. :/
Thought about cookies, but that's just a simple case of clearing the cookies. I thought about using a reverse hostname lookup because I figured that'd be the closest thing to being able to uniquely identify a user. But there's two problems I can see with that method. Firstly it puts a lot of extra strain on Apache (2) from what I've read and it doesn't always work. Secondly most users won't have even set a hostname when they set up their PC. I should imagine a great deal of them will be called "MICROSOFT PC" or whatever the default is already placed in the text box at setup.
I only have Apache 2, PHP 5 and MySQL 4.1.7, and with these tools I can't think of a reliable method. I get the feeling it isn't possible, but I figured I'd ask anyway. So.... any ideas folks?
Cookies will probably be your best bet. IP and hostnames will be useless as they will change and will resolve to the gateway router except for fools you can lock out with cookies anyway. Anything you do will only be effective for inexperienced users.
The most effective approach is to force them to authenticate and ban them there.
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." Brian W. Kernighan
Cookies are particularly effective for people that sign up just to swear on your forums or suchlike, especially as they tend to be non-tech-savvy folks.
If you want to be really mean you could redirect them to a page saying: "MWA HA HA I've just hacked your computer" with lots of red and blinking text, now that'll keep 'em from trolling.
Forcing people to authenticate is kind of putting a barrier between you and legitimate users.
If you have a lot of time on your hands then you could make them think that they're not banned, but only let them see their own posts.
Disclaimer. (1) Whilst I will help you sometimes, if I feel like it, and my advice in relation to your actual question will be of good quality: my posts are to be taken with a pinch of salt. I will be sarcastic, deploy irony and include obscure cultural references for my own amusement without warning.
(2) You will gain nothing from complaining, and if you try to argue with me then you will not win. No matter how noble your battle seems, I am still better than you, don't be an hero.
Aye. I thought about banning by email address too but figured hotmail would kill that right away. I suppose I might as well do it. Slap a cookie on 'em that says they've been banned and block signups from the previously given email address. I suppose making it look like the server screwed up when they try to sign up again, rather than telling them I know it's them from their email address would at least be something.
That was another one I thought about too. Not actually banning them at all. Just letting them log in and have everything appear as normal to them, but to everyone else the bad user no longer exists. Is never logged in and posts never retrieved etc. I think I'll build both (or more) methods in and then just make an extra section on the admin control panel to select which methods to use and how to do it.
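The layered approach described in the posts above (a ban cookie, an e-mail blocklist and a "shadow ban", each switchable from an admin setting), sketched in PHP as an added example that is not code from any poster in this thread. All function names, the cookie name, the secret and the sample data are constructed assumptions, and each layer only stops users who do not clear cookies or change address.

```php
<?php
const BAN_COOKIE = 'site_pref';                 // hypothetical, innocuous-looking cookie name
const SECRET     = 'replace-with-server-secret'; // placeholder; keep the real value server-side

// Fold case and drop a "+tag" suffix so user+x@example.com matches user@example.com.
function normalize_email($email) {
    $parts = explode('@', strtolower(trim($email)), 2);
    if (count($parts) !== 2) { return $parts[0]; }
    return explode('+', $parts[0], 2)[0] . '@' . $parts[1];
}

// The cookie holds "<id>.<HMAC>" instead of a readable "banned=1" flag.
function ban_cookie_value($userId) {
    return $userId . '.' . hash_hmac('sha256', (string)$userId, SECRET);
}

function cookie_marks_ban(array $cookies) {
    if (!isset($cookies[BAN_COOKIE])) { return false; }
    $parts = explode('.', $cookies[BAN_COOKIE], 2);
    if (count($parts) !== 2) { return false; }
    // Constant-time compare of the recomputed tag against the presented one.
    return hash_equals(hash_hmac('sha256', $parts[0], SECRET), $parts[1]);
}

// Signup gate: $methods mirrors the admin-panel switches.
function signup_allowed($email, array $cookies, array $bannedEmails, array $methods) {
    if (!empty($methods['cookie']) && cookie_marks_ban($cookies)) { return false; }
    if (!empty($methods['email'])
        && in_array(normalize_email($email), $bannedEmails, true)) { return false; }
    return true;
}

// Shadow ban: a shadow-banned author still sees their own posts, nobody else does.
function visible_posts(array $posts, $viewerId, array $shadowBanned) {
    return array_values(array_filter($posts, function ($p) use ($viewerId, $shadowBanned) {
        return !in_array($p['author'], $shadowBanned, true) || $p['author'] === $viewerId;
    }));
}

// Constructed sample data.
$methods = array('cookie' => true, 'email' => true);
$banned  = array('troll@example.com');
$posts   = array(array('author' => 7, 'text' => 'hello'), array('author' => 9, 'text' => 'spam'));

var_dump(signup_allowed('Troll+new@example.com', array(), $banned, $methods));
var_dump(signup_allowed('new@example.com', array(BAN_COOKIE => ban_cookie_value(9)), $banned, $methods));
var_dump(count(visible_posts($posts, 7, array(9))), count(visible_posts($posts, 9, array(9))));
```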
As you know, you can't prevent users from logging in via different IPs and Email addresses, but what I'd suggest is to use a combination of cookies and banning by email address. Also, I wouldn't recommend letting 'em think they logged in but it just doesn't really work. That makes your site look broken when they figure out that their posts aren't going up, and may even invite more trouble.
Truly, I wouldn't be overly concerned about banned users switching to a new email address and creating a new account. You should log the IP of banned users and document the posts that break the usage agreement. Maybe a user gets banned, gets a new email address, clears their cookies and logs on and behaves responsibly from there on out. Fine. If they are constantly disruptive (especially if they are vulgar or threatening), an email or a phone call to their ISP may put a stop to it. You can't identify users by unique IP because they may be constantly changing, but the major ISPs know who had which IP address at what time. Yahoo is pretty good about canceling free accounts of users who abuse their service too.
There is no reliable way to ban a specific user from a website. One thing you can do is when a new account is made it has to get your approval before it can become active. This can be annoying and even impossible on a large site, but you can look at each user's information and everything before they are a member.
The problem with any IP ban is the fact that if you were to do it to anyone who knows how to use a proxy they could just mask their IP with that. Proxies are easy to come by on this vast internet, I can google and get a new proxy IP to drop into my browser.
The most reliable method would be to require that your members submit to retina scans and provide DNA samples, else they can't be a member.
Great idea. I also suggest having users submit notarized documentation that the caps lock and shift keys have been physically removed from their keyboards as well as disabled at the CMOS level. Members must swear on penalty of death to never begin a post with "I'm using Windows 95..."