Hi guys,

I've been reading up on Stack Overflow about creating voting systems in PHP that minimize abuse/multiple voting from the same user, but I haven't come across the answer to my question.

I've got an application where users don't need to register to vote or "like" an entry. Obviously, I want to minimize abuse and I don't want to limit votes per IP address because some organisations (mine included) use shared IP addresses.

I've never used sessions in a non-authenticated system before, but since this application is centered around entry votes (used for purely entertainment value, but I'd still like to minimize abuse) I was wondering if this approach would work and whether there were any disadvantages such as performance implications, and whether it's even possible to use sessions in this way:

  • start a session when the website is loaded
  • allow one vote per item per session

If this is a bad idea, my alternative options would be to allow a reasonable number of votes per IP address (say 25), or put a time limit between votes from the same IP address.

What do you guys recommend/what do you think would be most annoying for a user? Restarting a browser, waiting 5 minutes between votes or clearing cookies?

A: 

Using only a session is a bad idea, because if you close the browser and come back you will be able to vote again. You can use a session as "help". The best option is to use IP limiting. You can also use cookies, but again only as a "helper", because you can clear cookies from the browser. I suggest you use IP limiting like you said, so one IP can vote 25 times, and use cookies to limit a computer from voting more than once. So if a user wants to vote more than once, he can delete the cookie, but he won't be able to vote more than 25 times.

kasp3r
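The layered check described in the answer above (cookie as the per-browser helper, IP cap as the hard limit), as an added example that is not part of the thread. The `VoteStore` class, the `voter` cookie name and the per-item scope of the cap are assumptions made for illustration.

```php
<?php
const MAX_VOTES_PER_IP = 25; // cap from the answer; applied per item here (assumption)

// Hypothetical in-memory store so the sketch runs offline. A real site would use
// a table with a UNIQUE key on (item_id, voter_token) plus a per-IP counter.
final class VoteStore
{
    private array $seen = [];    // "item|token" => true
    private array $perIp = [];   // "item|ip"    => accepted vote count

    public function tryVote(int $item, string $token, string $ip): string
    {
        if (isset($this->seen["$item|$token"])) {
            return 'duplicate';  // same browser cookie already voted on this item
        }
        $count = $this->perIp["$item|$ip"] ?? 0;
        if ($count >= MAX_VOTES_PER_IP) {
            return 'ip_limit';   // fresh cookie, but the address has used its quota
        }
        $this->seen["$item|$token"] = true;
        $this->perIp["$item|$ip"] = $count + 1;
        return 'ok';
    }
}

// Returns the visitor's token, issuing a one-year cookie on first visit.
// Must run before any output is sent, like session_start().
function voterToken(): string
{
    $token = $_COOKIE['voter'] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        $token = bin2hex(random_bytes(16));
        if (PHP_SAPI !== 'cli') {
            setcookie('voter', $token, ['expires' => time() + 31536000,
                'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
        }
    }
    return $token;
}

// Constructed demo: one browser votes twice, then 30 retries arrive with new cookies.
$store = new VoteStore();
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7'; // fallback is a constructed address
$token = voterToken();
$results = [$store->tryVote(1, $token, $ip), $store->tryVote(1, $token, $ip)];
for ($i = 0; $i < 30; $i++) {
    $results[] = $store->tryVote(1, bin2hex(random_bytes(16)), $ip);
}
print_r(array_count_values($results));
```

The address is read from `REMOTE_ADDR` rather than from request headers such as `X-Forwarded-For`, which the client can set to any value.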
+5  A: 

There is really no way to make a "serious" voting system without user authentication, all other options have flaws:

  • sessions end when you close the browser, so just reopen it and you're fresh
  • cookies are your best shot, but they can be cleared or even refused
  • ip addresses are unreliable and/or not applicable
kemp
Sessions do not automatically end when the browser is closed. You can make sessions that last a lifetime (or at least until the cookie is deleted). In that regard, they're equal to your option #2, since sessions are realized using cookies.
deceze
They do automatically end when the browser is closed, per default behavior. You can change that, but then you have the same problem you have with cookies. Sessions work without cookies too.
kemp
+1  A: 

I agree with kemp that cookies are the best choice. Furthermore, sessions also use cookies - the difference is that a session cookie is deleted when the browser is closed, and a "simple" cookie when it expires, which is "better" in this case.

If talking about IP addresses, users can use proxies to bypass "IP filtering".

When voting finishes, someone might go through the results to see if there's anything suspicious (like 100 votes from a single IP in 5 minutes) - that would help in getting more truthful results.

binaryLV
Why is everybody saying sessions end when the browser is closed? That's nonsense. That depends on the type of session/cookie used.
deceze
Well, I say that partly because I clear out cookies when I close my browser, and encourage others to do the same.
gnud
deceze, that's because it's PHP's *standard* behaviour when using `session_start()`
binaryLV