I’d like to put up some tests for users etc, and would like to store the results on an anonymous basis. I am not interested at all to potentially track down users, but on the other hand I need a way to avoid repetitive submissions (within a certain timeframe). So my thought was : why not simply just store a hash of their IP address and check followup submissions against these instead of saving the actual IP address?
It sounds so simple that I am worrying about having missed something, so my questions to the experts is:
- does it provide a relatively safe way to prevent repetitive submissions?
- does it really provide reasonable anonymity for users?
- are there any other caveats or issues I may have missed (like being overly resource intensive etc.)?
thanks..
No, users can use a proxy and other approaches to bypass IP checks. Let alone dynamic IP users which can just reset their modems.
Single-way algorithms would provide the best “anonymity”, as you technically can’t reverse it in an easy way. Edit: as rectified by @ta.speot.is, even single-way algorithms can be easily cracked nowadays.
I also don’t see why taking “anonymity” to the level of hashing IPs, provided your users are accessing your page through HTTP, your server WILL know their IPs and log them in an access log, so, unless someone else has access to your database’s stored data, there’s not much difference between hashing the IPs or not.
A simple hashing function shouldn’t take much resources from the server, even though you didn’t specify any language in particular. =]
In the end, hashing IPs may be considered a Security through obscurity attempt, as it adds no functionality that storing an un-hashed IP already has.