What's the presumption for User.Identity.Name?

[gnewsgroup]

We have a requirement from our client. Basically, they wanna do an
online survey through a public-access web site (in other words,
anonymous access allowed), but do not want any user to do the survey
more than once.

We told them that this is not possible. But they insist that it is
possible and said that they did that before by getting the user
identity through:

System.Web.HttpContext.Current.User.Identity.Name

To my understanding, we can obtain user identity through this line of
code above only if some kind of authentication is required to access
the web application, for example, Integrated Windows Authentication
(IWA)

The web application may or may not prompt the user for his/her user
name and password if we turn on Integrated Windows Authentication,
depending on the security settings of the browser and domain of the
computer. Our client does not like this IWA idea and said that some
trick in Web.config would make it possible to allow anonymous access
and meanwhile to be able to retrieve user identity.

It's very clear that they want the survey to be anonymously accessible
and at the same time want the user identity of the survey
participants.

My understanding is that this requirement is intrinsically
contradictory. I am not sure what trick can make this happen. Any
idea to share? Thank you very much.

 

[Mark Rae [MVP]]

My understanding is that this requirement is intrinsically
contradictory.

You are correct. Anonymous access means that client browsers don't need to
log on, so the website has no way of knowing who they are.

There are two things you can do, both of which offer no help whatsoever in
this situation:

1) you can store the client machine's IP address and prevent more than one
survey against the same IP address - however, IP addresses are laughably
easy to spoof...

2) you can store a cookie on the client machine and prevent the survey if
the cookie already exists - however, the user can simply delete their
cookies...

 

[Mick Wilson]

It's very clear that they want the survey to be anonymously accessible
and at the same time want the user identity of the survey
participants.

Can you describe the problem a bit more?

If the client's issue is that they do not want to restrict the survey
to account holders (rather than maintaining a sense of anonymity for
the survey taker), would it be possible to have the user's provide an
email address at the end of the survey, to which you could send a link
to "confirm" the survey for the system? Recording this email address
would allow you to restrict the pool of users (excepting those who go
to the trouble of using multiple email addresses). Something like this
should be about as effective as polling the default credentials sent
by the browser.