How do you create a unique id which cannot be faked?

Question

I have a .NET client app and a PHP server web app.

At some point, the .NET app will have to be identified by a unique id and pass that data to the webserver by http post. The web server will respond with some data and store the unique id in a database.

Assume that I have a malicious user and I would like to ban him by the unique id. So in my opinion there are two important things about this unique id:

• The unique id has to be really unique and always the same per computer
• A user should not be able to trick the system (a banned user could generate a new id and post it manually to the web server to receive new data)

How can I make sure that the unique id cannot be (easily) generated by a user?

How can I make sure that the unique id can be verified on the server for validity?

What is the usual approach (algorithms, encryptions?) here?

Answer 1

Okay so here I summarize:

• Of course there is no perfect security system. Jeremy Miller
• Dan's answer is not correct because a MySql UUID is not device dependant and so not fulfilling the condition "the id should be the same per computer"
• I should generate an id (like UUID), store it somewhere on the computer in an encrypted form, include a seed in your code then transmit a hash of the id with the seed to your server, requiring every call to include that hash along with some other component which you also include in the hash to verify. Jeremy Miller
• This approach is not fool proof because everything stored locally can be removed but at least it is hard to guess a valid generated hash