Profiling a user through cookies?


Is there a simple way I can use cookies to track users even when the IP changes? So I can find out if the same user is logging in from multiple IPs etc?



Yes, cookie can help you to identify a returning user BUT, what you are planning to do when user removes a cookie (user is able to remove a cookie at every moment)?

You can use combination of IP address and cookie, but once again, user is able to change both and your system will not be able to track.

If you are trying to disable user from logging in from different devices, then you can read this post.

Hi mate,

Thanks for your response.

I understand the issue with clearing cookies etc but right now I am dealing with people I dont think are that smart.

So I am guessing the _identity cookie is the best one to use? So I am guessing I would register an onBeginRequest event to run a function that shows the IP they are coming in from? Then I can consider how to deal with the user. BTW would I need a way to link new cookies to the user when a new cookie is generated?

BTW the single-device login concept is something I am looking into but I would like to set up the cookie trap first so see if I can catch some culprits.

Thanks again!

There are a lot of possible implementations. Usually in my project I create my own controller called ApplicationController which is extended from Yii base Controller class. All other controllers in my application are then extended from this ApplicationController.

So when I want to perform something for all controllers, then I just put that code in init() function of ApplicationController, and that is exactly what you need in this case, although you can do it with events.

[color="#1C2837"][size=“2”]I am dealing with people I dont think are that smart - Don’t be so sure. A lot of people are browsing interntet today in Incognito mode which automatically deletes all cookies after browser is closed.[/size][/color]

Here is example of code:

$cookies = Yii::$app->request->cookies;//Get cookies collection

if ($cookies->has('tracking')){//Check weather cookie is set

	//Here you know that your user has a cookie so you can perfoms some logic with DB or similar

	$informationStoredInCookie = $cookies->getValue('tracking');


//Renew your cookie so it expires 1 month from this moment

$cookies->add(new \yii\web\Cookie([

	'name' => 'tracking',

	'value' => 'any value you want for example USER ID',


	'expire'=>time() + 60*60*24*30//1 month



“Don’t be so sure. A lot of people are browsing interntet today in Incognito mode which automatically deletes all cookies after browser is closed.”

It’s actually not a life-or-death thing and I already know the people doing it are being quite obvious about it. I would just like to implement something that I can use going forward.

Similar to you, I currently have my own controller from which all other controllers extend and I am currently using beforeAction() to grab the user ID and IP and log it in the DB along with a timestamp column.

"any value you want for example USER ID"

I am not an expert, but I would imagine it would generally be considered safer to not expose the PK of the user (or of anything else)? Perhaps a randomly generated hash string stored in their user table record would be preferable? Also, whereas I know you were just providing a simple example (and thank you for doing so) but I would imagine using a cookie name like ‘tracking’ is probably not optimal as it exposes the functionality? Perhaps just a random non-descriptive string is a better solution?

I think a functional example for my requirements would be to grab the hash value in the cookie, query the user table for a match of this value and get the user ID from that, then log in another table the IP from the request obj along with the user IP? That should provide me with reasonably solid profiling? I understand that this is pretty much identical to the system I currently have but I am in a situation where I have logins provided to a small number of users of a cloud-based server and I have proof from the IPs have I logged so far that they have shared the logins with others, which they were forbidden from doing. So they will be told they have been tracked doing this and warmed to stop it immediately. I am verify which IPs were being used to people who were not supposed to be given access to but I would like a cookie system so if these unauthorized users attempt to access it again once they have been told to stop doing it, I will be able to track them by cookies (providing they do not delete cookies).

Does that make sense?

Thanks again!

Although it just struck me that the cookie in that case will be identical for all users, including the "real" user. So I need to find a way to make it machine specific. Can I do that by session IDs?

As I mentioned, I have a list of IPs that are known to be authorised users. So I think create a table of these with a unique hash in it. When they user logs in, it creates a cookie with a name used to ID duplicate accounts with the hash in it. If they log in after this behaviour has been cracked down on, I know they haven’t listened to the warning then I can take action accordingly.

Does that seem correct on a technical level?