How to anonymously identify a user and store that information

Question

I need a simple user identification system for the purpose of allowing/prohibiting an action.

This is not a high-security requirement

Answer 1

MAC address would be awesome, but not possible over HTTP unfortunately (and a good thing for user privacy).

Cookie and IP address are your only options.

You can delete the cookie when you're done with it, only have it apply to the path that is relevant, or just have it expire in a few hours/days whatever is appropriate.

Answer 2

Store a small unique identifier on the client side as a cookie, then use that identifier to look up whatever related session data you need on your server's side.

Answer 3

Anonymous user identification can certainly be done (and is being done) with a fairly high degree of accuracy. Rather than reprint the methodology here's a bit of reading that will lay it all out.

First is an old bit by the EFF regarding the mathmatics of user privacy (specifically the entropy behind your data) on the internet. Certainly optional, but it expresses the model that we're looking at. You can skip this if the math behind identification doesn't interest you.

http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

Basically taken in a nutshell: using just the browser-agent, IP address and other data published in one of their examples (panopticlick) http://panopticlick.eff.org/ you have a very high likelihood of uniquely identifying a user (as long as it is the same machine) without the need for cookies. Additional information regarding their research into browser detection and uniqueness is available here:

http://panopticlick.eff.org/browser-uniqueness.pdf

Visit the panopticlick page and give it a test. It will show you what to look for (and give examples and source of how to go about it) while the .pdf will detail the uniqueness and specifics of the fingerprinting method.

My system configuration, for example, is unique among the 1,301,578 total tested with 20.38 bits of identifying information (reduction of entropy). Given their research, you will have an accuracy of 94.2% and 99.1% in identifying users between visits without the use of any client side tracking.