I am trying to track users reliably on my website so that if they are abusive, they can be banned and not come back easily (obviously this can be bypassed with Tor and such, but most trolls don't care that much). I have some data that can be set from my server onto the browser and is guaranteed to be unique because I have set the data myself. However, this data is also easily deletable (clearing cache, clearing cookies, clearing other site data). I have some other data (fingerprinting data) that is extremely difficult to remove or change but can easily conflict with other devices which have the same fingerprint. Here is the data I could collect:

Storage/caching (guaranteed unique, deletable): Cookies, HTTP ETags, localStorage, indexedDB, FileSystem API, Last-Modified date echoing

Fingerprinting (possible collisions between devices, difficult to delete): canvas2d, WebGL, font list, screen size, IP address, plugins installed

And a bit more. All I know so far is:

  1. Trust the unique identifiers first
  2. If unique identifiers conflict, choose the majority
  3. If I identify a user based on his/her unique identifiers but their fingerprints are different, update their default fingerprints to match

Can you help me decide what to do in any given situation, e.g., a user has deleted all of his/her storage/caching data but the fingerprints remain? What happens when fingerprints conflict in some ways but not in others? What are the probabilities that this is a new user or a returning user?

Robert Moore
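
The three rules listed in the question, written out as a server-side resolver. This is an added example, not code from the original post; the store layout (`idIndex`, `users`), the function names and the sample values are assumptions constructed for illustration. Cases the three rules do not cover (no recognised identifier, a tied vote) are returned as unresolved rather than guessed.

```javascript
// Added example: rules 1-3 from the question as a server-side resolver.
// Assumed layout: idIndex maps "channel:value" -> userId,
// users maps userId -> { fingerprint: { signal: value } }.
function resolveVisitor(idIndex, users, observedIds, observedFingerprint) {
  // Rule 1: consult only the server-issued identifiers first.
  const votes = new Map();
  for (const [channel, value] of Object.entries(observedIds)) {
    const userId = idIndex.get(`${channel}:${value}`);
    if (userId !== undefined) votes.set(userId, (votes.get(userId) || 0) + 1);
  }
  if (votes.size === 0) {
    // Nothing recognised: not covered by the three rules, so do not guess.
    return { userId: null, reason: "no-identifiers", changed: [] };
  }
  // Rule 2: identifiers disagree -> majority wins; a tie stays unresolved.
  const ranked = [...votes.entries()].sort((a, b) => b[1] - a[1]);
  if (ranked.length > 1 && ranked[0][1] === ranked[1][1]) {
    return { userId: null, reason: "tie", changed: [] };
  }
  const userId = ranked[0][0];
  // Rule 3: overwrite stored fingerprint signals that no longer match.
  const stored = users.get(userId).fingerprint;
  const changed = [];
  for (const [signal, value] of Object.entries(observedFingerprint)) {
    if (stored[signal] !== value) {
      stored[signal] = value;
      changed.push(signal);
    }
  }
  const reason = ranked.length > 1 ? "majority" : "unanimous";
  return { userId, reason, changed };
}

// Constructed sample store (values are made up for illustration).
function buildSampleStore() {
  const idIndex = new Map([
    ["cookie:c1", "u1"], ["etag:e1", "u1"], ["localStorage:l1", "u1"],
    ["cookie:c2", "u2"], ["etag:e2", "u2"],
  ]);
  const users = new Map([
    ["u1", { fingerprint: { canvas2d: "aa11", screen: "1920x1080" } }],
    ["u2", { fingerprint: { canvas2d: "bb22", screen: "1366x768" } }],
  ]);
  return { idIndex, users };
}
```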
