How to anonymously identify a user and store that information

Question

I need a simple user identification system for the purpose of allowing/prohibiting an action.

This is not a high-security requirement

Answer 1

Anonymous user identification can certainly be done (and is being done) with a fairly high degree of accuracy. Rather than reprint the methodology here's a bit of reading that will lay it all out.

First is an old bit by the EFF regarding the mathmatics of user privacy (specifically the entropy behind your data) on the internet. Certainly optional, but it expresses the model that we're looking at. You can skip this if the math behind identification doesn't interest you.

http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

Basically taken in a nutshell: using just the browser-agent, IP address and other data published in one of their examples (panopticlick) http://panopticlick.eff.org/ you have a very high likelihood of uniquely identifying a user (as long as it is the same machine) without the need for cookies. Additional information regarding their research into browser detection and uniqueness is available here:

http://panopticlick.eff.org/browser-uniqueness.pdf

Visit the panopticlick page and give it a test. It will show you what to look for (and give examples and source of how to go about it) while the .pdf will detail the uniqueness and specifics of the fingerprinting method.

My system configuration, for example, is unique among the 1,301,578 total tested with 20.38 bits of identifying information (reduction of entropy). Given their research, you will have an accuracy of 94.2% and 99.1% in identifying users between visits without the use of any client side tracking.