Tracking anonymous users

Let's face it, having to create an account is probably the number 1 reason that users avoid doing anything trivial on the web. By trivial, I mean things like commenting on blog entries, posting content, playing online games, etc.

It just so happens that these are generally the type of things that could most benefit from allowing anonymous interaction.

The challenge is tracking users, so they can maintain at least a minimal account-like status. For instance, if a user anonymously submits a comment to a blog post, they may want to later edit that comment. But, there's no way to allow this without tracking the user in some way.

The most obvious way to track a user is the session scope. Using the blog post comment as an example, this would allow a user to edit their comment as long as their session is alive.

But, if they want to come back tomorrow and edit their comment, the session scope is out of the question.

This is where cookies come into play. There are essentially two options with cookies:

  1. Identifying the user by their IP address, user agent, or other uniquely identifying factor
  2. Assigning a random identifier to a user

Both options require that you store the identifier in a browser cookie.

Option #1 is more flexible. If you encrypt the users IP address and store it in a browser cookie, as well as in your database table, you could later re-identify this user as the owner of a given object (a blog post comment, for example). However, it's quite simple to spoof an IP address or user agent, so all a malicious user would have to do is know another users IP address to gain full access to their content.

Option #2 is safer. However, option #2 will only allow anonymous account access to one browser (as opposed to option #1 allowing access to any PC/browser combo sharing the same IP address). With option #2, you simply assign a random identifier to a user, then store it in a browser cookie, as well as your database table.

It would seem, that option #2 is a nice alternative to forcing a user to create an account.

Subscribe

  • follow us in feedly


Tagged , .

Updated: 2011-08-28

Phil LaNasa