5

I'm building a small application that highly depends on anonymous user voting on some sort of items. It's so small that requiring registration would be tedious and could not be justified.

Anyway, I did some research on this, including a search here on Stack Overflow (https://stackoverflow.com/search?q=anonymous+votes), and it doesn't seem that there's a satisfying answer.

My question is: are there any security measures that I can apply to prevent gaming anonymous votes?

One thing that comes to mind is CAPTCHA, but I'd like to avoid that since users will vote on multiple items in a very short period of time, and CAPTCHAs will just annoy them.

Another thing I thought of is limiting the number of votes per minute from a single IP (in addition to a cookie), but I'm not sure how this is going to work.

Any thoughts?

KeyStroke
  • Is it possible to have everyone who is voting create an account on the site (and then limit people to one account per email address, or something) but then just not have the account information tied to the vote? In other words, anyone with access to your database would know *who* voted but not *which choice* they voted for. – Tyler Feb 12 '10 at 03:29
  • IPs are often used, but a proxy can get past that security; a captcha is not user-friendly, but it is efficient; cookies and sessions are even weaker than IP. If you feel bad about IP checking, ask yourself a question: what is more important, user-friendliness or security? (Because few people take the time to vote with a proxy...) – Julien Feb 12 '10 at 03:35

3 Answers

2

There are a few ways I've seen work:

  • Email registration: you get their email, they need to confirm their vote. The combination of their IP + email makes a unique record that they can't then use to vote again (for the same poll).
  • Captcha: without having additional checks (IP, etc.), it's easy enough for a team of monkeys to successfully enter a lot of captchas.
  • Site Registration: without account creation level limits (e.g. a non-free email account required for signing up) people can just create multiple accounts.

Depending on how you weigh up the cost of getting users to vote vs making sure their votes are for them and them alone, you can use a different level of vote-spam-protection.

glasnt
1

You can use the CAPTCHA once to both confirm the vote and create a session with the IP and cookie.

CookieOfFortune
0

Any time you are dealing with anonymous voting you are going to have an imperfect solution, but you can shoot for "pretty good". Consider dropping a cookie on the client computer to prevent multiple/frequent voting and back this up by performing server-side IP tracking to do the same. Do not allow anyone to vote that has cookies blocked.

Of course, if you require complete accuracy or if the voting involves awarding of something of monetary value, registration is really the way to go.

James Conigliaro
  • The cookies solution is imperfect because, rather than blocking cookies entirely, people could just delete the cookie, right? – Tyler Feb 12 '10 at 03:57
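
The cookie plus server-side IP tracking approach from the answer above, sketched as an added example (not code from any of the posters). The names `issue_cookie`, `voter_id` and `VoteGate`, the 10-votes-per-60-seconds policy, and the in-memory storage are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for this example)
IP_LIMIT, IP_WINDOW = 10, 60      # assumed policy: 10 accepted votes per IP per 60 seconds

def _sign(vid):
    return hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()

def issue_cookie():
    """Return a signed random voter token to set as the cookie value."""
    vid = secrets.token_hex(16)
    return f"{vid}.{_sign(vid)}"

def voter_id(cookie):
    """Return the voter id if the cookie exists and its signature verifies, else None."""
    if not cookie or "." not in cookie:
        return None
    vid, sig = cookie.rsplit(".", 1)
    ok = hmac.compare_digest(sig.encode(), _sign(vid).encode())
    return vid if ok else None

class VoteGate:
    """In-memory state; a real deployment would keep this in a shared store."""
    def __init__(self):
        self.seen = set()                    # (voter id, item) pairs already counted
        self.ip_times = defaultdict(deque)   # ip -> timestamps of accepted votes

    def try_vote(self, cookie, ip, item, now=None):
        now = time.time() if now is None else now
        vid = voter_id(cookie)
        if vid is None:                      # cookies blocked or forged: no vote
            return "rejected: no valid cookie"
        if (vid, item) in self.seen:         # same browser voting twice on one item
            return "rejected: duplicate"
        times = self.ip_times[ip]
        while times and now - times[0] >= IP_WINDOW:
            times.popleft()                  # drop timestamps outside the window
        if len(times) >= IP_LIMIT:           # backstop when the cookie was deleted
            return "rejected: ip rate limit"
        times.append(now)
        self.seen.add((vid, item))
        return "accepted"
```

Deleting the cookie yields a fresh token, so in that case only the per-IP window limits repeat votes; as the comments on the question point out, a proxy gets past the IP check as well.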