Didn't know that it was even possible to create multiple accounts with the same e-mailaddress? Isn't that usually the case on most forums(like PHPBB-based forums)?

superfury wrote:

Didn't know that it was even possible to create multiple accounts with the same e-mailaddress? Isn't that usually the case on most forums(like PHPBB-based forums)?

The users must've used multiple e-mail addresses. The registering system should go by IP addresses as well to prevent multiple accounts for one person.

superfury wrote:

Didn't know that it was even possible to create multiple accounts with the same e-mailaddress? Isn't that usually the case on most forums(like PHPBB-based forums)?

I was going to do a test to verify, but it looks like making new accounts has also been disabled for now.

bjwil1991 wrote:

superfury wrote:

Didn't know that it was even possible to create multiple accounts with the same e-mailaddress? Isn't that usually the case on most forums(like PHPBB-based forums)?

The users must've used multiple e-mail addresses. The registering system should go by IP addresses as well to prevent multiple accounts for one person.

Not sure if an IP address should/is locked to a single account.

What happens if you have a friend over and they want to make an account while at your house? It won't let them because they are trying to make an account from an IP address that is already used?

Besides, most ISP's don't generally assign static IP addresses to an account. It will change every once in a while.

Well, the problem is in the combination of those: The only thing the php server(or any website hosting server in general) has is the computer's public IP address. So that can be the modem/router that's connected to the provider. Everything past that(individual computers connected with an internal IP address and finally the user account on the computer(which is OS-dependant)) isn't sent to the server and unknown to the php script running on that. The only thing it knows is the IP address(the modem/router itself) and the cookies(which are under control of the webbrowser/user and thus can be manipulated/deleted manually). So there just isn't enough information to block such an user, except when it is 100% guaranteed that every computer on the world is connected to a seperate ISP-connected modem with a public IP, which doesn't change(which it does, due to providers freeing up and reusing IP addresses), which is impossible. So essentially, it's impossible to filter those users out afaik.

Afaik there isn't any way(with current ISP->modem->router->multiple PCs->multiple OS->multiple accounts->multiple browsers(->multiple subaccounts)) to actually block individual users that are doing that, since their paths(everything from and including the modem itself, which is all PHP-servers have afaik, based on the $_SERVER provided data) are unreliable sources.

Afaik the whole reason cookies are used for storing login links(e.g. something like a session id and possibly other data to compliment/secure the session id) is to fix the whole problem of multiple computers/accounts/browsers and enable(until manually/automatically deleted) identification of such sources(by linking the account/session to such a cookie until logged out/deletion of the cookie).

Of course, the whole manual editing/deleting of such cookies is a security risk as well, which should be protected against server-side. But imagine this: when someone is logged in and gets banned(or blocked etc.) all he/she has to do to create a new account to use is simply delete their cookies. From, that point onwards, the user is completely unknown to the server, except for their public IP address, which might be their home, company or anything else. Simply blocking such an IP would block all devices connected to that address(unintended probably), until the ISP randomly decides to reassign the IP addess, at which point some potential unknown user receiving the freed IP gets permanently unable to edit posts and/or register etc. and the trouble maker once again can cause havoc on the forums). And of course, anything past the modem(except cookies) to identify the user is illegal according to law afaik.

Don't forget that you could just use your mobile phone network to get a second IP address and make a new account with that, or using proxies...

They could always force a 2-factor authentication method.

E-mail and password.

Password and auto-changing key (like the Blizzard, MS, etc. authenticators).

And if say, an account is not active for a certain period of time, make them have to re-verify via email.

Make it as difficult as possible for people to have multiple accounts.

cyclone3d wrote:

They could always force a 2-factor authentication method. […]
Show full quote

They could always force a 2-factor authentication method.

E-mail and password.

Password and auto-changing key (like the Blizzard, MS, etc. authenticators).

And if say, an account is not active for a certain period of time, make them have to re-verify via email.

Make it as difficult as possible for people to have multiple accounts.

2-factor sounds like a great idea.

But even so, 2-factor authentication prevents other people from using your account, not you from creating another account. Also, afaik 2-factor authentication doesn't limit count in any way, so the problem with multiple accounts will still persist.

Although I do agree that it's good to have, to prevent other people from hacking your account(still does nothing to mods, if that's the problem). The only way around is to block the mods in question. Seeing as new accounts aren't mods, as long as they're not making other mods continue, they can't edit posts directly. Probably the only way to make them stop permanently is to ask the offender's ISP provider to block access?

It's getting pretty annoying posting something, seeing a typo which I can't edit(or be bothered to go all the way contacting a mod for a simple three-letter word(Btw at the start of my last post), since it sounds kind of ridiculous to start with(Phone OSKs and typos, impossible to fix 🤣 )).... Hope it's resolved soon. Any ideas how long it's still going to take?

Whoops, Btw=>But. Another example of my frequent editing... Aaargh..... 😖

Disallowing free email domains (especially receive-only throwaways) should help.

edit:Test

leileilol wrote:

Disallowing free email domains (especially receive-only throwaways) should help.

THAT should have been, I dont know.... ALWAYS? Since those are especially odd to use: imagine losing your password and needing to use password recovery. But there's no mail to contact from registration(temp. email account deleted). So those shouldn't be allowed anyway?

superfury wrote:

leileilol wrote:

Disallowing free email domains (especially receive-only throwaways) should help.

THAT should have been, I dont know.... ALWAYS? Since those are especially odd to use: imagine losing your password and needing to use password recovery. But there's no mail to contact from registration(temp. email account deleted). So those shouldn't be allowed anyway?

I agree. A lot of people are making temp emails or fake emails to sign up on here. It's sad that they do that.

asshole123 wrote:

it sure would be sad if one told Disney about how this site is using their IP without permission

That sounds like something my 10 year old nephew would say if I refused to give him what he wants. 😁

I hope the mods at least get a few good laughs out of this drama. 😎

Regarding fake e-mails, they can never really be stopped and I think they shouldn't. Some people like to be anonymous and it's not always for spamming or other bad reasons. On one of my forums I'm checking against a regularly updated list of fakemail providers but people are still able to sneak through that. It's like tilting at windmills.

Great ideas here but most not really feasable. It’s to easy to get a gmail or outlook email address and you cannot just disallow those, so banning whole providers is just useless.
2FA isn‘t something for a little forum 😀

Damn.. I misspell words all the time and do other grammar failures due to English is not my native language. Missing the edit button would be annoying and ask for permission to edit would suck. I usually spot my failures within mostly the same day so a time limit would for ME be okay. After one week i dont need to edit, but i understand that others do. Maybe a time limit on new accounts would be appropriate?

By the way, I hope this gets fixed and solved soon, a time limited EDIT isn't good for most big threads such as benchmark ones which needs to be updated, or other kind of lists.
Even I use the edit feature a lot, not much for grammar adjustments on my posts, but to give updates on certain posts on some threads.