Reputation: 1875
I run a SaaS that allows free trials. Basically if you register you get a few dollars worth of free services immediately. I have been determining new users based on IP address alone and it has worked well for the first few months. Now people are finally catching on that it is trivially easy to change their IP address and scam me out of free trial bonuses.
What I want to do is basically create a hash of all possible JavaScript browser variables and store it in a MySQL database.
If I notice that the same browser hash has signed up for a free trial 10 out of the previous 100 registrations, I will not enable a free trial bonus for that account.
Where do I even start? (Where can I find a list of all JavaScript browser variable settings like window size, operating system, browser and version number, country, language, etc.? Or does jQuery offer something like this already?)
I have thought about implementing phone verification via Twilio, but that would cost me money, cost my users money, and ultimately lead to fewer free trials.
EDIT: THE GOAL HERE IS TO LIMIT FRAUDULENT ACTIVITY AS MUCH AS POSSIBLE, AND NOT HINDER REAL ACTIVITY IN THE SLIGHTEST!
Sure, this solution is not perfect, but added to the others I already have, it will help. I am willing to accept some loss, but would like to limit it as much as possible.
Upvotes: 1
Views: 1385
Reputation: 751
Have you considered implementing a CAPTCHA? It would not be a deterrent against users willing to create multiple accounts manually, but it would definitely defeat the bots creating hundreds of accounts in minutes. I like reCAPTCHA: http://www.google.com/recaptcha. It's free, it has solutions for people who are visually impaired, and it helps digitise books.
Upvotes: 0
Reputation: 5585
What you might want to do is take a look at browser fingerprinting: http://panopticlick.eff.org/
Although this is not foolproof by any means, if you mix it with cookies and the user's IP address you should get something that works for most users.
Updated
If the idea is to limit fraudulent activity, I would implement an SMS-based code, similar to how Gmail works. You have to enter your mobile number to get the free trial. If you buy SMSes in bulk you should be able to get them for about 2p each, and it's easy to implement: just find an SMS supplier with an API.
Although you can use the technique above, it is overly complex, still won't be foolproof, and can easily be worked around.
Upvotes: 4
Reputation: 137350
This is really unreliable.
If anything changes (for example the browser is updated, not to mention that it can simply be switched), your hash will not be matched and the same person will be able to start the trial again.
Same problem when you store some session / cookie data - the cookies can be cleaned (and cookies usually store identifiers for sessions).
The problem you are facing can probably be solved only by registration. You can simplify this as much as possible by using OAuth and allowing people to sign up using their existing accounts from other providers (Google, Facebook, Twitter, LinkedIn, etc.).
Upvotes: 2
Reputation: 2964
You are trying to uniquely identify a person in JavaScript. This is something that is generally impossible to do on the web, partly by design, to maintain anonymity. The best you can do here is set a cookie, and check for the cookie when the user tries to change their IP address. They will always be able to clear their cookies, but that's about all you can do.
Upvotes: 0