What I really want is to limit 1 vote per person, but the next best thing I can think of is to limit 1 vote per IP address to prevent malicious users/hackers from severely tampering with my company's voting system. I was thinking of using a database to keep track of the IP addresses.

Update: Sorry about not being clear the first time around. What I wanted to know was whether limiting 1 vote per IP address was a good strategy for limiting 1 vote per person. Basically, I wanted to know if 1 unique IP address is roughly equal to 1 person. People have already mentioned that proxies and routers re-use IP addresses so unfortunately, many people can be using the same IP address.

Thanks. I think, for my case, it'll be best to NOT limit 1 vote per IP address.

+1  A: 

Yes, use a database. Don't rely on cookies, they can be easily deleted.
IMO, so far, IP-based voting limitation is the best option.

Andrejs Cainikovs
-1 for the IP-based blocking: unfortunately there is a very non-trivial amount of sites on the Internet that have many users behind a single IP.
Andrew Y
Yes, but it's the only working way if you want to suppress voting cheating.
Andrejs Cainikovs
+3  A: 

Generally, yes, what you would do is have a database table for the votes, and simply store choice+ip address - then when inserting, do a DB query to see if an entry already exists with the given IP.

The ideal solution would be to tie votes to user accounts which are in turn linked to more concrete presence (such as a credit card, cell phone, or other less-easily-multiplied identity source).

What exactly is the question you're asking?

Amber
+11  A: 

If you use IP addresses then you'll be limiting most companies to only one vote because they route all outbound internet traffic through a firewall or proxy server. We did this a couple of years ago and found that all AOL traffic came from only 5 IP addresses.

David
You had problems with AOL as well eh?
IPX Ares
+9  A: 

I would suggest not going with the IP approach. When I looked at this before some of your large ISPs reuse IPs a lot (AOL...), but if you do use IP addresses, use a database to track them. A fast way to do it is to make it a unique key and to catch the exception as "already voted".

One good thing to add is not to show a user that their vote was not counted, just show the results, or thank them for voting. By not giving that specific error, it is harder and sometimes not even noticed by your problem users.

IPX Ares
Another thing I have found to work well... add an increasing timer delay for the user if they have a cookie. Sure they could delete it, but again, not showing that you are actually doing anything, and just slowly taking longer to vote every time will slow down voting scripts to the point they are not really working. (You could do the same with IP addresses.) NOTE: This is also a good technique for username/passwords rather than locking accounts.
IPX Ares
A: 

IP addresses can be spoofed too. Since the malicious voter doesn't actually need the reply packet, he could generate vote requests with random IP addresses.

Still, IP address limits are probably good enough for most purposes.

Eric J.
You'd have trouble establishing a TCP connection with that technique. Without it, you can't send the request at all.
Thorarin
A: 

This is a product related decision and the product's description has to be taken into consideration when deciding on what elements should be checked for avoiding duplicate votes.

Saggi Malachi
A: 

IP address has its limitations as we have noted from above, but there are many other characteristics a browser has which can dampen mischievous voters. BrowserID, for example, is different for just about every browser. You could use a combination of BrowserID and IP address to create a unique ID.

+2  A: 

The way I have always done it is to concat the user agent and IP address into an MD5 hash (in some cases this will allow people from the same IP to vote, as long as they are using different browsers), and store that as a "fingerprint" for the vote in the database and add a unique key to it. As IPX Ares said, from there you can catch the duplicate key exception, and you should be good.

If you wanted to allow people to vote once a day, you could also append the Ymd to that "fingerprint", or other variations to allow x amount an hour or x amount per day.

Dan Bair
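The unique-key approach from the answers above (a fingerprint column with a unique constraint, the duplicate-key exception treated as "already voted", and an optional date component for one vote per day), as an added example that is not code from any of the posters. It swaps the MD5 hash for a keyed HMAC-SHA256 so stored fingerprints cannot be brute-forced back into IP addresses; the `votes` table, `SECRET`, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a server-side secret (constructed value for this example).
SECRET = b"example-only-secret"


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS votes ("
        " poll_id INTEGER NOT NULL,"
        " fingerprint TEXT NOT NULL,"
        " choice TEXT NOT NULL,"
        " UNIQUE (poll_id, fingerprint))"  # the database enforces one vote
    )
    return db


def fingerprint(ip, user_agent, day=None):
    # ip should be the TCP peer address seen by the server, not a
    # client-supplied header such as X-Forwarded-For.
    parts = [ip, user_agent]
    if day is not None:  # optional: one vote per day (the "Ymd" variant)
        parts.append(day.strftime("%Y%m%d"))
    msg = "\x00".join(parts).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def cast_vote(db, poll_id, choice, ip, user_agent, day=None):
    """Return True if the vote was stored, False if it was a duplicate."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO votes (poll_id, fingerprint, choice) VALUES (?, ?, ?)",
                (poll_id, fingerprint(ip, user_agent, day), choice),
            )
        return True
    except sqlite3.IntegrityError:
        # Duplicate: the caller renders the same thank-you page either way.
        return False


def tally(db, poll_id):
    sql = "SELECT choice, COUNT(*) FROM votes WHERE poll_id = ? GROUP BY choice"
    return dict(db.execute(sql, (poll_id,)).fetchall())
```

Inserting and catching the constraint violation avoids the race in a check-then-insert sequence, where two concurrent requests can both pass the lookup before either row is written.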