4

I have a site where users can post and vote for posts. It is very critical to allow guest users to vote for a post, and it is also very important to avoid multiple votes from the same guest.

Cookies can be easily deleted, so this can't be the solution.

IP, very bad if you consider NAT situations.

So I think I need a more advanced way to go, maybe another type of cookie?

If anyone has experience in a similar context, please help.

nicael
ggat

3 Answers

4

The only thing you can do about users who are not logged in is to make it as hard as possible for them to vote a second time. For example you may:

On the client side:

  • set cookie
  • write information to browser storage
  • use so called flash cookies

On the server side - store and check as much information about user as you can:

  • store user ip (including proxy ip etc.)
  • store browser fingerprint
  • store user timezone
  • block voting for this ip and browser fingerprint (permanently or for some time).

etc.

But you still cannot stop smart anonymous users who really want to cheat from voting.

So it may be more useful not to try to block voting but to detect and ignore "duplicate" votes instead (i.e. votes for the same option from the same ip and browser combination for certain time period may be considered "cheated").

Sergiy T.
  • Just curious if you know any library that abstracts these methods you listed to identify a user, preferably in PHP. Would really help. I think it should be a pretty common requirement for people. – ggat Dec 19 '15 at 16:45
  • @Giga unfortunately I do not know any such library. But from my experience I may say that storing ip and browser header combination works well (there are small chances that two users on the same ip have the same browser header). – Sergiy T. Dec 19 '15 at 16:49
  • And as you said, for duplicate vote filtering, that would be easily cheated if user creates HTTP requests manually and changes UA values. – ggat Dec 19 '15 at 16:51
  • @Giga It depends on what the purpose of cheating is. The more counter-cheating measures you implement, the harder it is to cheat, but it is still possible; it only takes more effort and, as most internet users are lazy, only a small percentage will go to the "next level" of difficulty unless there is a cause to cheat (like the post with the most likes will get the prize). – Sergiy T. Dec 19 '15 at 16:57
  • T "like post with most likes will get the prize" That is the case once a month, and I will probably consider asking for authorization when voting for a prize and just make cheating difficult for non-prize votes. – ggat Dec 19 '15 at 17:00
  • @Giga then you may find that a lot of people are registering just to vote. To my mind it is still a sort of cheating - people asking friends to vote for them, registering fake accounts with 10-minute-mail to vote etc. It is only a question of how hard they will try (how valuable the prize is for them). So you need some system to "filter" those votes anyway. – Sergiy T. Dec 19 '15 at 17:07
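
Added example, not part of the original answer or its comments: a sketch of the "detect and ignore duplicate votes" approach from the answer above, where every vote is logged and repeats from the same IP and User-Agent combination on the same post within a time window are left out of the count. The secret, the 24-hour window, the record layout and the sample votes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-side secret, so stored keys are not raw IP/UA values.
SECRET = b"constructed-demo-secret"
WINDOW_SECONDS = 24 * 3600  # assumed length of the "certain time period"


def voter_key(ip: str, user_agent: str) -> str:
    """Keyed hash of the IP + User-Agent combination."""
    msg = ip.encode() + b"\x00" + user_agent.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def tally(votes, window=WINDOW_SECONDS):
    """Return (counts per post, list of ignored duplicate votes).

    A vote is ignored when the same voter key already has a counted vote
    on that post less than `window` seconds earlier.
    """
    last_counted = {}  # (post_id, voter key) -> timestamp of last counted vote
    counts = defaultdict(int)
    ignored = []
    for vote in sorted(votes, key=lambda v: v["ts"]):
        k = (vote["post_id"], voter_key(vote["ip"], vote["ua"]))
        prev = last_counted.get(k)
        if prev is not None and vote["ts"] - prev < window:
            ignored.append(vote)  # kept for review, not counted
            continue
        last_counted[k] = vote["ts"]
        counts[vote["post_id"]] += 1
    return dict(counts), ignored


# Constructed sample votes (documentation IP ranges, made-up User-Agents).
FF = "Mozilla/5.0 (X11) Firefox/43.0"
CH = "Mozilla/5.0 (Windows) Chrome/47.0"
SAMPLE_VOTES = [
    {"post_id": 1, "ip": "203.0.113.7", "ua": FF, "ts": 1000},
    {"post_id": 1, "ip": "203.0.113.7", "ua": FF, "ts": 1060},  # repeat after clearing cookies
    {"post_id": 1, "ip": "203.0.113.7", "ua": CH, "ts": 1100},  # other browser behind the same NAT
    {"post_id": 2, "ip": "203.0.113.7", "ua": FF, "ts": 1200},  # same guest, different post
    {"post_id": 1, "ip": "198.51.100.9", "ua": FF, "ts": 1300},
    {"post_id": 1, "ip": "203.0.113.7", "ua": FF, "ts": 1000 + WINDOW_SECONDS + 1},  # window expired
]

if __name__ == "__main__":
    print(tally(SAMPLE_VOTES))
```

As the comments above note, a request with a changed User-Agent produces a new key, so this filters casual repeats only; it also merges two guests who share both an IP and an identical User-Agent.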
0

Yes, the only semi-perfect solution is to track IP addresses. You can store them in a table permanently or cache them for a period of time in Memcache or similar. Of course, if the users are logged in, the best method is to simply check whether the user has voted yet.

Sessions and Cookies are useless because one could simply write an automated voting algorithm that ignores session data.

0

If the user is anonymous and does not have to authenticate, you cannot prevent this.

If somebody really wants to vote several times, the user could just open the page on another device and vote again, even if you could identify his/her device with a kind of permanent cookie.

It seems you are already anticipating that there are users deleting their cookies to be able to vote again. You won't be able to stop them, but you can make it a bit harder.

lex82