I am building a simple website where users can try the website without registering. I basically create a shadow account and log users in without them knowing, so I don't have to bother with functionality for not-logged-in users.
I then set a cookie for the user so they can come back and use the website anytime later without losing any data.
The problem is that there are lots of scrapers, bots, crawlers... These bots are unintentionally creating a new account every time they visit, because they are not accepting a cookie and I cannot identify them on the 2nd visit. And some of them are visiting frequently, so I end up with tens of thousands of accounts that are never really used.
A few things came to my mind:
- Expire/remove the user if there is no further action on the page (seems like the best idea)
- Detect if the user accepts cookies (this requires that I redirect the user and validate that they can accept cookies; not sure how efficient/slow this is)
- Parse the user-agent and identify the browser; if unidentifiable, it is a bot (I'm not sure how reliable this is)
What are my options to address this issue? What do you suggest?
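
The first option in the list above (expiring shadow accounts that never see a second request), sketched as an added example that is not part of the original post. The table layout, the function names and the one-hour grace period are assumptions, and the timestamps in `demo()` are constructed.

```python
import secrets
import sqlite3

GRACE_SECONDS = 3600  # assumed grace period before a one-hit account is removed


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shadow_users ("
        " token TEXT PRIMARY KEY, created_at INTEGER, last_seen INTEGER, hits INTEGER)"
    )
    return conn


def visit(conn, cookie, now):
    """Handle one request; returns the token to set as the cookie."""
    if cookie is not None:
        cur = conn.execute(
            "UPDATE shadow_users SET hits = hits + 1, last_seen = ? WHERE token = ?",
            (now, cookie),
        )
        if cur.rowcount == 1:
            return cookie  # returning visitor: the client kept the cookie
    # No cookie, or an unknown/forged one: create a fresh shadow account.
    token = secrets.token_urlsafe(32)  # unguessable, so tokens cannot be enumerated
    conn.execute("INSERT INTO shadow_users VALUES (?, ?, ?, 1)", (token, now, now))
    return token


def purge_unused(conn, now, grace=GRACE_SECONDS):
    """Delete accounts that never sent the cookie back within the grace period."""
    cur = conn.execute(
        "DELETE FROM shadow_users WHERE hits = 1 AND created_at < ?", (now - grace,)
    )
    return cur.rowcount


def count(conn):
    return conn.execute("SELECT COUNT(*) FROM shadow_users").fetchone()[0]


def demo():
    conn = open_store()
    for t in (0, 10, 20):            # constructed: a crawler that drops the cookie
        visit(conn, None, t)
    human = visit(conn, None, 30)    # constructed: a browser that keeps it
    visit(conn, human, 40)
    late = visit(conn, None, 3900)   # first visit still inside the grace period
    removed = purge_unused(conn, now=4000)
    return removed, count(conn), human, late, conn
```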