
I'm writing a voting system in NodeJS and Express on the backend and React on the frontend.

What I'm currently doing is:

  • Save all user votes in localStorage
  • Generate Browser Fingerprint
  • On vote I check if the user has already voted through localStorage

On the backend side:

  • Save Browser Fingerprint and IP Address to a database
  • On vote I check if the combination of Fingerprint and IP Address already exists in the database and if not the vote counts. If yes, the vote is simply ignored.

Additionally, I use express-brute to prevent brute force attacks.

I'm aware that this is not secure at all and that a user can vote multiple times through multiple devices or networks.

My question is, how much effort does a user with malicious intentions need to put in to spam my application with votes? How would it work?

My customer wants to take the risk of users voting multiple times as long as it's only easy for very tech-savvy people.

Edit:

It doesn't really matter if a user votes 10-20 times as long as it's not huge amounts. I'm just trying to secure my application from huge amounts of votes.

  • Just clean the local storage and you can vote as often as you want. You can already vote multiple times by using different browsers and/or different machines. – Burki Oct 18 '18 at 11:56
  • @Burki It doesn't matter if a user votes 5 or 10 times. A problem would be huge amounts of votes. On the same device / browser / network you can't vote again with only cleaning localStorage, and the average user probably owns around 3-4 devices on which he can vote with multiple browsers each. – Timo Jokinen Oct 18 '18 at 11:57
  • do not rely on ip for uniqueness. with NAT protocols it will happen that many users will share a public address – Lelio Faieta Oct 18 '18 at 11:59
  • @LelioFaieta my customer is aware and wants to take this risk too. Additionally I check for browser fingerprint which makes the combination much more unique – Timo Jokinen Oct 18 '18 at 12:00
  • In that case, to me (for whatever that's worth) your solution sounds okay-ish. But maybe you want to ask the guys over at [codeReview](https://codereview.stackexchange.com/) – Burki Oct 18 '18 at 12:08
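As an added illustration (not code from the question or from its author), here is an in-memory version of the server-side check described above: the same (fingerprint, IP) dedup rule, plus a per-IP cap so that one address can never contribute more than a bounded number of counted votes, which is the "huge amounts" case the edit asks about. The cap value, the `VoteLedger` name and the fingerprint format check are assumptions for the example, and the in-memory `Map`/`Set` stand in for the database.

```javascript
// Added example, not from the question: server-side vote ledger that keeps the
// poster's (fingerprint, IP) dedup rule and adds a per-IP cap. All state is
// in-memory and constructed for illustration; the question's deployment would
// back this with its database instead.

const DEFAULT_PER_IP_CAP = 20; // assumption: mirrors the "10-20 votes is fine" tolerance

class VoteLedger {
  constructor({ perIpCap = DEFAULT_PER_IP_CAP } = {}) {
    this.perIpCap = perIpCap;
    this.seenPairs = new Set();  // fingerprint + IP combinations already counted
    this.perIpCount = new Map(); // ip -> number of counted votes from that address
    this.tally = new Map();      // choice -> counted votes
  }

  // The fingerprint is produced by the client and is therefore untrusted input:
  // accept only a short printable-ASCII string before using it as a key.
  static normalizeFingerprint(fp) {
    if (typeof fp !== 'string') return null;
    const trimmed = fp.trim();
    if (trimmed.length === 0 || trimmed.length > 128) return null;
    if (!/^[\x21-\x7e]+$/.test(trimmed)) return null;
    return trimmed;
  }

  // Returns { counted, reason }; a rejected vote is ignored, as in the question.
  castVote({ fingerprint, ip, choice }) {
    const fp = VoteLedger.normalizeFingerprint(fingerprint);
    if (fp === null) return { counted: false, reason: 'invalid-fingerprint' };
    if (typeof ip !== 'string' || ip.length === 0) return { counted: false, reason: 'invalid-ip' };
    if (typeof choice !== 'string' || choice.length === 0) return { counted: false, reason: 'invalid-choice' };

    // Rule from the question: a (fingerprint, IP) pair counts at most once.
    const pairKey = `${fp}\u0000${ip}`;
    if (this.seenPairs.has(pairKey)) return { counted: false, reason: 'duplicate-pair' };

    // Added rule: a single IP address (NAT'd users included) is capped, so a
    // changing fingerprint behind one address cannot produce unbounded votes.
    const ipVotes = this.perIpCount.get(ip) || 0;
    if (ipVotes >= this.perIpCap) return { counted: false, reason: 'ip-cap-reached' };

    this.seenPairs.add(pairKey);
    this.perIpCount.set(ip, ipVotes + 1);
    this.tally.set(choice, (this.tally.get(choice) || 0) + 1);
    return { counted: true, reason: 'ok' };
  }

  results() { return Object.fromEntries(this.tally); }
}
```

The cap trades some legitimate votes from large NAT networks for a hard upper bound per address; pick `perIpCap` to match the tolerance the customer stated.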
