If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.

Client side cookies can be deleted and server side cookies again have no way to reliably map said cookie to the anonymous user.

Does this mean there is no reliable way of tracking anonymous users indefinitely?

A: 

Yes, there is no certainty in tracking IP addresses or using cookies.

Andy West
+1  A: 

If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting

Unless that page is extremely popular, it's very unlikely that someone else being assigned the same IP address by the ISP would also visit it.

Edit: Users using the same IP address due to NAT are a much bigger problem and probably a deal-breaker for using the IP address. I'd be less worried about corporate networks than about private home networks: very common, and having two people in the same household wanting to visit and vote on the same site is rather more likely than two random strangers.

and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.

It's not just a question of time; most ISPs assign IP addresses upon connect, so all someone has to do to get a new one is to reinitialize their DSL connection (or whatever they use).

Does this mean there is no reliable way of tracking anonymous users indefinitely?

Correct.

Michael Borgwardt
Thanks for clarifying. Any numbers available on the likelihood?
stef
Not really, that depends on too many factors. But the biggest one would be the popularity of the site.
Michael Borgwardt
+3  A: 

Using only IP addresses for user authentication/identification is extremely unreliable. There might be many hundreds or even thousands of users behind one IP (e.g. a corporate network) and for most of those on home connections their IPs are likely to be dynamic and regularly changing.

You have to use cookies for more reliable tracking. You can specify just about any time-to-live for a cookie, so that when an anonymous user returns, you can identify him.

Of course cookies can be deleted by users, so they could delete their cookies and vote again. However, is this likely to be a big problem? If someone really wants to game your poll, they could write a script. However, you could add a few basic security features: only allow some maximum votes per IP per day, and allow only so many votes per IP per second.

Richard
"There might be many hundreds or even thousands of users behind one IP (e.g. a corporate network)" - had not thought of that, thanks.
stef
@Richard, thanks for your answer. I've never dealt with anonymous users situation, now I have to implement this functionality. How do I do it? Can you refer me to a good tutorial about it? I need to collect steady data like voting, comments, etc. from anonymous users based on cookie, but I don't want to store these users like 'Users', I only want to save their votes, comments, and their IP source, so I can know what country it is from - for statistic trackings. Tx
Shimmy
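
Added example, not part of the original answers: a sketch in Python of the combination the last answer describes, a long-lived cookie identifying the anonymous voter plus per-IP caps per day and per second. The names (`issue_cookie`, `VoteGuard`), the limit values and the in-memory storage are assumptions made for illustration; the cookie value is HMAC-signed so a client cannot mint its own visitor ids.

```python
import hashlib, hmac, secrets
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)     # server-side signing key (constructed for this example)
MAX_PER_IP_PER_DAY = 20              # assumed limit, tune per site
MIN_SECONDS_BETWEEN_VOTES = 1.0      # assumed limit, tune per site

def _tag(vid):
    return hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()

def issue_cookie():
    """Value for a long-lived cookie: random visitor id plus its HMAC tag."""
    vid = secrets.token_hex(16)
    return f"{vid}.{_tag(vid)}"

def visitor_id(cookie):
    """Return the visitor id if the server issued this cookie, else None."""
    vid, _, tag = (cookie or "").partition(".")
    ok = vid and hmac.compare_digest(tag.encode(), _tag(vid).encode())
    return vid if ok else None

class VoteGuard:
    def __init__(self):
        self.voted = set()                  # (visitor id, post id) pairs already counted
        self.ip_times = defaultdict(deque)  # ip -> times of accepted votes, last 24 h

    def try_vote(self, cookie, ip, post_id, now):
        """Return (accepted, reason); `now` is seconds since the epoch."""
        vid = visitor_id(cookie)
        if vid is None:
            return False, "no valid cookie"
        times = self.ip_times[ip]
        while times and now - times[0] >= 86400:   # drop entries older than a day
            times.popleft()
        if times and now - times[-1] < MIN_SECONDS_BETWEEN_VOTES:
            return False, "too fast"
        if len(times) >= MAX_PER_IP_PER_DAY:
            return False, "daily ip cap"
        if (vid, post_id) in self.voted:
            return False, "already voted"
        self.voted.add((vid, post_id))
        times.append(now)
        return True, "ok"
```

Two people behind one NAT address can each vote once because the vote is keyed on the cookie, while someone who deletes the cookie and requests a new one is still bounded by the per-IP caps.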