5

I want to prevent users from voting more than once on my website. I used two methods to do that, but neither does it well!

  1. Using a cookie.
    The problem: users can delete the cookie and return to vote again and again.

  2. Using a database table.
    The problem: users shouldn't be forced to register on my website!

So, how can I solve this problem?

Dot Freelancer
  • 1
    @Ben - If the user's ISP provides a dynamic IP, then? – Bibhu Dec 28 '11 at 15:17
  • @Ben what if the user votes from a company computer? All the users in this country will be prevented from voting! – Dot Freelancer Dec 28 '11 at 15:18
  • 2
    Ask them to provide their social security number, date of birth and a credit card number of course. If you don't want them to register for your site, you could always consider using OpenID? – Dismissile Dec 28 '11 at 15:22
  • Possible duplicate: http://stackoverflow.com/q/1352232/161640 – Isaac Dec 28 '11 at 15:27
  • @Dismissile OK, I think this solution will be the best one. – Dot Freelancer Dec 28 '11 at 15:27
  • How scientific does it need to be? How long does the voting question last? A day? A month? – Kris Krause Dec 28 '11 at 15:28
  • @Bibhu, unless anyone's come up with a way to uniquely identify every computer over the internet it's highly unlikely this will ever be perfect... and if anyone has it's not very likely they're going to post it here for free. – Ben Dec 28 '11 at 16:22

4 Answers

6

You have your two answers, you need to decide which is best. No option is going to be bulletproof. It's all about slowing them down, and what level of effectiveness is acceptable for you.

A cookie is generally the acceptable way to do this. Yes, cookies can be cleared, but if the desire to prevent duplicate voting is that important, then registration is the only effective way to prevent it. Any other mechanism could probably be beaten by those that want to. You could use something like Evercookie, but I don't generally think it's a good practice to do so. If you make your registration process simple, but effective, some users will do that.

An IP address is just as flawed, as most residential IPs are not statically assigned. Someone could reset their modem, and get a new IP address. Or worse, someone could reset their modem, get an IP address that has already visited the site, and be unable to vote. Another scenario is users behind NAT. If 200 people are sharing an IP with NAT, then only one of them will be able to vote.

You could get creative with the IP address though. Keep using the cookie, because that will be effective. If you start detecting multiple votes from the same IP address (because they cleared their cookies), display a CAPTCHA. If it isn't someone trying to abuse the system, then they still get the opportunity to vote. This will help defeat automated voting, and slow down users enough that abusing your voting system isn't worth their time. This, as well, can be defeated; it's about what level of effectiveness is acceptable to you. Even registration isn't purely 100% effective, but probably the most effective. What would stop someone from registering many times with different email addresses?

vcsjones
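The cookie-then-CAPTCHA flow described in the answer above, as an added example that is not part of the original answer. The class and function names, the threshold of one vote per IP, and the `captcha_ok` flag (assumed to be set only after the server has verified a real CAPTCHA response) are all assumptions made for illustration.

```python
from collections import defaultdict

CAPTCHA_AFTER = 1  # assumption: accepted votes per IP per poll before a CAPTCHA is required


class VoteGate:
    """Check the cookie first, then escalate repeat votes from one IP to a CAPTCHA."""

    def __init__(self, captcha_after=CAPTCHA_AFTER):
        self.captcha_after = captcha_after
        self.accepted_by_ip = defaultdict(int)  # (poll_id, ip) -> accepted votes

    @staticmethod
    def cookie_name(poll_id):
        return f"voted_{poll_id}"

    def submit(self, poll_id, ip, cookies, captcha_ok=False):
        """Return (decision, cookies_to_set).

        decision is "accepted", "duplicate" (vote cookie present) or
        "captcha" (this IP already voted and no cookie was sent).
        """
        if cookies.get(self.cookie_name(poll_id)) == "1":
            return "duplicate", {}
        key = (poll_id, ip)
        if self.accepted_by_ip[key] >= self.captcha_after and not captcha_ok:
            return "captcha", {}  # NAT peers can still vote after solving it
        self.accepted_by_ip[key] += 1
        return "accepted", {self.cookie_name(poll_id): "1"}


def demo():
    """Constructed request sequence; IPs are from documentation ranges."""
    gate, poll, ip = VoteGate(), "poll-1", "203.0.113.7"
    jar, decisions = {}, []
    decision, new_cookies = gate.submit(poll, ip, jar)      # first vote
    jar.update(new_cookies)
    decisions.append(decision)
    decisions.append(gate.submit(poll, ip, jar)[0])         # cookie still present
    decisions.append(gate.submit(poll, ip, {})[0])          # cookie cleared, same IP
    decisions.append(gate.submit(poll, ip, {}, captcha_ok=True)[0])  # CAPTCHA solved
    decisions.append(gate.submit(poll, "198.51.100.9", {})[0])       # different IP
    return decisions


if __name__ == "__main__":
    print(demo())
```

The in-memory counter stands in for whatever store the site uses; it never blocks an IP outright, it only adds the challenge the answer describes.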
5

I don't think you have many options as you are not forcing users to register. You need to use session or cookies. As pointed out in comments you can also check the IP address. But if the intended audience uses dynamic IP addresses assigned by their ISP, then this solution also fails.

If possible you can ask users to register with their Facebook/Google ID, like Stack Overflow is doing.

Raj More
Aniruddha
0

There isn't an infallible way to accomplish what you want from a web application, especially without requiring users to register.

Icarus
0

This site (Stack Overflow) does it right, by registration. IP is a really bad idea because all the folks behind a proxy/server can't vote. Most folks have multiple browsers; you don't even need to delete the voting cookie to vote again, just use another browser. As mentioned, OpenID is the lowest impact + highest security route. They can get around that via multiple accounts.

RickAndMSFT