views:

2342

answers:

12

I'm planning to add some vote up/vote down buttons to a website I run. This seems easy enough but I want to stop people voting multiple times. One solution would be to make them register before allowing them to vote but I'd prefer not to have to force them to register.

Is there are a reasonably straightforward way of doing this? Checking the IP address doesn't seem like a good solution, since it's possible that multiple users may come from the same IP address.

Cookies might be the answer, but a savvy user could delete the cookie. Any better ideas?

A: 

You already named all usable solutions. ;) It's your task to decide now.

I'd recommend combining an IP and cookie check.

Lennart
Cookies are under control of the client, and therefore easy to avert. Not recommendable IMO.
Treb
A: 

There's no accurate way to avoid multiple votes from the same user, even if they don't delete cookies, they can use another browser, or another computer.

TFM
+4  A: 

I think it really comes down to the nature of your website, and how accurate your results needed to be.

Using a cookie seems like the best option, but it depends on the target audience of your website. Would they be tech-savvy enough to try and beat the system to allow them to vote multiple times? If not, the risk should be fairly low and this would seem like the best approach.

Checking against an IP address, as you said, may be too restrictive. But if it's critical for all votes to be from unique individuals, this might be the better approach even if it means some legitimate voters won't get to vote.

I thought of another option, but I'm not sure if it's possible or feasible. If you could combine the IP address approach with a hardware based check (e.g. MAC address of NIC) this would eliminate the IP address approach being too restrictive due to NAT within a LAN. But it wouldn't help the situation where you have a computer in an Internet cafe used by different individuals.

You should also use captcha (for non registered accounts) to reduce the likelihood of voting bots. If someone wants to maliciously cast multiple votes, making it more difficult for them to automate the voting process through bots will help to hopefully reduce the occurrence of such behaviour.

LeopardSkinPillBoxHat
MAC addresses are not exposed in http headers. Hence a web site can't use them
DanSingerman
@HermanD - Yeah that was a silly suggestion now that I think about it. Maybe another field in the TCP segment or IP header which is unique? The only problem is that the TCP connection will be reset each time, so this wouldn't be feasible either.
LeopardSkinPillBoxHat
@LeopardSkinPillBoxHat: also, without some deep-level-hacking of the webserver, you won't get at TCP data from your HTTP app (and that's a good thing, most of the time)
Piskvor
A: 

I think you should register user before he up / down vote. You can get a little piece of information from the user to get registered, so he does not bored or break his registeration. Afterwards he can update his account if he wants. IMHO this is the best solution.

Canavar
+14  A: 

Sorry I don't have a useful answer, I just want to share my experience.

About 8 years ago I worked for a site that ran online polls. We once got hacked by some bots voting on some of our questions several hundred votes a minute.

I had to implement some emergency checks: IP address, cookies, and I really don't remember what else.

At the end of the day we decided to take the polls down. Those damn robots just didn't care. IP adresses were spoofed, cookies were being deleted, etc.

If you really really need the polls to be unhackeable I don't see any other way that requiring registration and using captchas to avoid bots signing up for new accounts.

And the sad thing is that this was just an entertainment site with polls on what's your favorite color and things like that.

The only thing we didn't tried was using captchas because they didn't existed yet. That might have reduced non-human cheating a good deal.

Don't take this as any kind of expert advice on the matter, because that was the only time I had anything to do with online polls, but I remembered my story and wanted to share.

Sergio Acosta
You cannot spoof an IP adress?
Sam152
Under special circumstances, yes you can. Also, there is proxying and other means of changing your IP, and botnets and router hacking and whatnot. IP addresses are still good for many uses, but Fort Knox they are not
Jens Roland
I'm not an expert in TCP/IP, but I suppose you should be able to easily spoof an IP adress at the packet level if all you care is about making a request (like in a DoS attack) and you are not expecting to get the response back. But I know I could be wrong.
Sergio Acosta
@Sergio: it's not completely trivial for TCP/IP since even a simple HTTP request requires a handshake with the server which is rather hard to get right if you can't "hear" the servers answer.
Joachim Sauer
+5  A: 

So, you want to have each unique person have only one vote on each item. When a person tries to vote who has already voted before, you want to detect this. This means that you have to identify the person. There are no tricks to get around that.

Now, since persons can log in from any computer, identifying the computer doesn't help. This rules out IP checks and cookies, as well as anything else based on the user's hardware.

How to identify a person? You can't. You can only force them to identify themselves, by providing unique credentials, like a social security number (I think this is often used in Korea), a passport number, or similar. This, of course, doesn't help if you don't check it, since anyone can make up a 10 digit number with little chance of collision.

Even having the user register doesn't really help per se -- they can just register another account.

Svante
A: 

As has been said there is no 'perfect' solution.

As an attempt at an imperfect solution, how about storing a hash of the IP address and the User agent.

This would mean that different users from a given IP, which have different browser user agents, can still vote.

DanSingerman
A: 

Use a cookie-based approach, it is accurate enough for most entertainment-grade polls on the web. Stay away from IP restrictions. This would mean that only one person from larger companies gets to vote and that only one person in a family gets to vote.

cdonner
What about those who browse with cookies blocked by default?
random
They cannot vote.
cdonner
+3  A: 

I wonder if you could make it a multi-step process, to make it more difficult for BOTs.

Registering, or some similar task, gets you Cookie-A, and then when you vote you get Cookie-B, but if you have Cookie-B and don't have a suitable matching Cookie-A your vote doesn't count. If you try to re-register on the same machine that can be detected by you already having Cookie-A. Going through the steps too fast is treated as a BOT.

We had a psychometric test, with many questions, and users had to make thoughtful answers. An answer in sub-N seconds was someone just pressing buttons to get through it. We never told them that their answer was too quick, we just marked the data as "suspect".

So anyone trying to go straight to the Vote Button won't work. They would have to do Step-A, then Step-b then Step-C in order.

To re-vote I would have to clear cookies, re-register, read the blurb-page (whatever) and finally re-vote, all in the right order, and not too fast.

Requiring JavaScript to be enabled may help, as may a Captcha system. Captcha could have some sort of delay - "Please watch as the two words appear" so that there are two words, shown one after another, but "real words" so that they can be easily memorised, and then typed in. Any response that is "too fast" is not valid.

At some point people will just become annoyed and not bother though.

Kristen
A: 

Also a possibility:

let the user vote and fill out his emailaddress. The user receives a confirmationemail with a link he needs to click in order to confirm his vote.

But this way, the user also has quite some overhead.

Or do this in combination with registered userss (who will not be forced to confirm)

Natrium
+2  A: 

Obviously you need to identify the user so he can only vote once. But identify the user does'nt mean you have to pop up a login screen. As said above you can ask for the email address, ans use it as an identfier.

No one mention the way stackoverflow works, if the user has something to win (here reptutation) when becoming a register user and if the login process is as simple as giving an email address, then that's a win-win situation in wich the user is happy to login and vote, and you're happy to have him registered and voting things (and only once per question).

Jeff Atwood wrote an article about the "login barrier", wich may give you clues.

MarmouCorp
+1  A: 

I once created a voting system for a contest. I was restricted from limiting votes by IP due to the fact that multiple people would be legitimately voting from the same IPs. As such, I went with the email confirmation method, requiring each voter to input an email address which a confirmation link was sent to, which, once clicked, would activate their vote and prevent additional votes using that address.

It did not work well. People created hundreds of false email addresses on various free sites.

What did work in the runoff vote, somewhat surprisingly, was adding the email address/vote pairs to a database but not immediately sending the confirmation emails out. Instead, I had a cron job send the batch of them every 15 minutes or so. This adds an additional complication for people registering many addresses, as they have to either leave them all open or remember the login info for each of them at some point in the future.

Of course, still easily bypassed for someone motivated enough, but it seemed to work well in this case.

Jonathan Patt