Cyber Defense Advisors

Counting Unique Users on a Web Site

Fooled by the proxy

When you are counting unique users visiting a web site you cannot base it on IP address.

Why? Because large companies often put their users behind a proxy, so all of their traffic comes from one IP address. There are numerous other users and internal IP addresses behind that proxy.

So for example, if Medium says I have 400 visitors per day on average and only 7 of them were under 400 and most were upwards of 600 to 1000, then I doubt that many people are repetitively looking at my stories. I mean, how many times does one person need to view one of my blog posts?

If you want to figure out which unique users are behind the proxy, you could try to use fingerprinting, but in a corporate network most of the users are going to have a matching user-agent as well, since in many cases they all use the same corporate software.

You could try to use cookies, but you also have to consider cases where the cookies get blocked, to be fair. Not all users will let you store a cookie in their browser so then what happens? Do they get blocked?

The only foolproof way that I can think of at the moment (though it is late) is to base readers on authentication where a user logs in — but some people won’t log in to read a story even if it is free. I usually don’t.

Even then, one person might buy a membership and share it with a bunch of other people. How do you detect that? Simultaneous users, different IP addresses, for one thing. You can’t just base it off IP changes, though, and you may have a case where the same user is looking at the content on their phone and in a web browser at the same time.

The other thing is, if you base it on IP address, you could have multiple people using the same VPN service, or you might have people who live in the same house reading the content on the same computer. In that case they would also have the same web user agent.

So it’s not really fair to try to compute unique users without a really clear way of distinguishing those users.
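As an added illustration (not code from the original post), the sketch below counts "unique users" in a constructed request log by IP, by IP plus user agent, by cookie and by login, and flags logins seen from more than two IP addresses within ten minutes. The log records, field layout and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (time, source IP, user agent, cookie id, login)
UA_CORP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
UA_PHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
REQUESTS = [
    ("2024-01-01T09:00:00", "203.0.113.10", UA_CORP, "c1", "alice"),   # corporate proxy
    ("2024-01-01T09:01:00", "203.0.113.10", UA_CORP, "c2", None),      # same proxy
    ("2024-01-01T09:02:00", "203.0.113.10", UA_CORP, None, None),      # cookies blocked
    ("2024-01-01T09:03:00", "203.0.113.10", UA_CORP, None, None),      # cookies blocked
    ("2024-01-01T09:04:00", "198.51.100.7", UA_PHONE, "c3", "alice"),  # alice's phone
    ("2024-01-01T09:05:00", "192.0.2.44", UA_CORP, "c4", "bob"),
    ("2024-01-01T09:06:00", "192.0.2.99", UA_CORP, "c5", "bob"),
    ("2024-01-01T09:07:00", "198.51.100.80", UA_PHONE, "c6", "bob"),
]

def unique_counts(requests):
    """Count 'unique users' under each identifier; every key gives a different answer."""
    return {
        "ip": len({r[1] for r in requests}),
        "ip_ua": len({(r[1], r[2]) for r in requests}),  # adds nothing behind the proxy
        "cookie": len({r[3] for r in requests if r[3]}),
        "no_cookie_requests": sum(1 for r in requests if r[3] is None),  # uncountable
        "login": len({r[4] for r in requests if r[4]}),
    }

def sharing_candidates(requests, window=timedelta(minutes=10), max_ips=2):
    """Flag logins seen from more than max_ips IPs in one window (2 allows phone + browser)."""
    seen = defaultdict(list)
    for ts, ip, _, _, user in requests:
        if user:
            seen[user].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for user, hits in seen.items():
        hits.sort()
        for start, _ in hits:
            ips = {ip for t, ip in hits if start <= t < start + window}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print(unique_counts(REQUESTS))
    print(sharing_candidates(REQUESTS))
```

A flagged login is only a candidate for review: the same reader moving between networks can produce the same pattern.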

Also, you could have another scenario, like a bunch of Google bots from different IP addresses. Do those count as readers?

What about people trying to game the system with their own bots? How do you tell if someone is manipulating the traffic?

I’ve dealt with all these things in the past and it’s not easy, but those are gotchas for anyone trying to measure their web traffic and unique visitors.

Teri Radichel

© 2nd Sight Lab 2022

Counting Unique Users on a Web Site was originally published in Bugs That Bite on Medium, where people are continuing the conversation by highlighting and responding to this story.