
I would like to build a vote website, something like a +1 of facebook.

Is there some best practice to deal with cheating?

The best way would be to use Facebook, Twitter and/or Google to have unique users, but I would like to let anonymous users vote.

Martijn Pieters
Charles
  • You could check on IP address and user agent. This will keep the possibility for users to use a proxy but will greatly reduce abuse of your voting system. – Mark Verkiel Jul 30 '12 at 11:17

2 Answers

2

You could ward against massive automated cheating using some form of a proof-of-work system. That would require browsers to invest some computation into the vote. A single vote shouldn't take too long, but bulk-voting would require serious computational efforts. Using JavaScript for this voting would also mean that any bulk voting mechanism has to come from a JavaScript-capable browser (or browser emulation), so simple scripts generating HTTP requests would be foiled as well.

A single user manually clicking multiple times won't be considerably delayed by this approach, though. So combine this requirement with logs of IP addresses, user agent strings, cookies, perhaps also flash cookies. The cookies would help to identify a single dial-in user trying to vote repeatedly using a sequence of connections. Although the measures just listed are easily circumvented with a large scale automated cheating attack, they should deal nicely (although not perfectly) with manual voting. So I believe that the two solutions should complement one another quite nicely.

You might want to block anonymity networks like Tor. The block should only affect the voting, though, as you'll want to allow anonymous users to view your site, right?

You might also consider requiring unauthenticated users to solve a CAPTCHA. Depending on how important the votes are, and how many of your users are unauthenticated, your users might or might not be deterred from voting by this measure.

MvG
1

From my limited experience, if you don't require authentication, the system will most likely be cheated one way or another: there is no real bulletproof way to tell who is who, unless you record a lot of data pertaining to the client which might be statistically considered unique as a whole (but you can't achieve 100% certainty with this approach).

Of course, if you expect 10 users it's way easier than if you gotta handle millions. IP + user agent check will most likely be fine in the first case, but it would not be very good in the second (NATs come to mind).

Lastly, you have to consider the likelihood of cheating, or in other words: are your users really going to try and cheat the system, or can you get away with checking information that can quite easily be forged?

Alex