Implementing a voting system without requiring registration

views:

480

answers:

+7 Q:

Implementing a voting system without requiring registration

Hey everyone,

I'd like to implement a voting system on my site, without having to force them to create an account. They would ultimately be voting up/down a piece of content which has a unique ID.

I know that I could store entries in a table with IP/ID, but what if there are more than one user coming from the same IP?
Is there a way to uniquely identify visitors without it being tied to their external ip?
If created a GUID, store it in a cookie on that machine, could it be retrieved later on that same computer with the same IP? A different IP?

Any thoughts on these questions, or any insight to a better approach would be greatly appreciated.

Thank you,

+2 A:

It is impossible in principle for you, using a cookie, to distinguish between a visitor who has never visited and a visitor who has visited but deleted the cookie. Consequently, any cookie-based solution will be vulnerable to trivial vote fraud.

Consider embracing this reality in the spirit of J Henry Lowengard, who, when he setup the top 100 site on WFMU back in the mid-1990s, provided a button on the "your vote has been counted" page labeled "Go Back and Vote Some More!"

In fact, go there now and vote for (or against) StackOverflow!

Thomas L Holaday 2009-06-10 22:01:30

+2 A:

You could allow them to login using OpenId, this would allow them to use an existing account to vote and they wouldnt have to create a new account.

Google and Yahoo and others have services to allow you to authenticate users.

If you dont authenticate users in some way, the voting system would me open to abuse.

Joe Sankey 2009-06-10 22:01:52

It will be open to abuse, period. The number of OpenId accounts one can have is not limited. It's actually fairly simple to become an OpenId provider yourself an generate an infinite number of OpenId accounts with very little effort.

Michael Borgwardt 2009-06-10 22:19:05

+11 A:

Yes, you could use a cookie and set the expiration very far into the future; however, there is nothing stopping anyone from clearing their cache and voting again.

Your best bet, is to use the cookie and don't allow votes from the same IP within 15 minutes of each other... without registration thats the best you can do.

Nate Bross 2009-06-10 22:02:13

I think I will implement something like this - or a maximum amount of votes on unique peices of content per day.Thanks for your input,

barfoon 2009-06-11 13:29:29

there are many users coming from the same IP (AOL for example) and most people still use IE so storing browser related info will not help. There's also a number of people that don't allow cookies to be saved (not a large amount). It sounds like the voting isn't so rigid, so I would suggest creating a random value that you store in the cookie and DB to uniquely (to the extent you can) identify someone

meade 2009-06-11 20:49:59

That is simply not true; each AOL customer will have their own IP address, until they disconenct and are assigned a new IP address. It is unlikely that a user will get an AOL IP address, vote on this website, disconnect and have another user connect to AOL get that same IP address and try to vote on this site. -- as I said in my post without registration, that is the best you can do. Its not fool-proof but it will prevent extreme abuse.

Nate Bross 2009-06-11 21:32:08

The only time that many users will have the same IP address is when there is NAT involved. This is likely at a place of business, a coffee shop, or even if someone has many computers in their house. And in these situations its unlikely that two people will be on this website trying to up/down vote the same piece of content.

Nate Bross 2009-06-11 21:33:19

+5 A:

You could identify users based on more than just their IP. For example you could include the IP + the entire request header information (such as Browser, Version Numbers, Capabilities) and hash that. That will more or less uniquely identify your user (not 100% though, unfortunately.)

Alex 2009-06-10 22:03:44

If someone were probing a way to game the system they'd probably try changing their browser string pretty quickly.

Hardwareguy 2009-06-22 15:41:07

The problem with hashing everything together is you're losing data. It's reasonable to say that all of that data is probably unique, but you actually give the malicious user an advantage since as Hardwareguy points out, they can change just one item and appear to be a completely different user. Instead, I think it's better to track a few different theoretically unique items, and if /any/ of them showed up already, deny.

dimo414 2009-06-29 08:02:43

Most spoofing I've seen was only on one header: User-Agent. Most browsers send other headers as well - Accept, Accept-Language, etc. If you see several requests from the same IP with one header changing and others remaining the same (or all changing at once, possibly to strange values like `Accept-Language: x-piglatin`), you probably have a spoofer.

Piskvor 2010-06-09 09:14:27

+1 A:

The IP + user agent is a lot more unique than IP; not sure whether it's adequate for your purposes. If you send them a cookie, it will get returned by that computer (if they're using the same browser) as long as the cookie stays around, regardless of IP, but note that the user can get rid of the cookie whenever they want.

If you're concerned at all about using this system to prevent vote fraud, I do not believe you are not going to be able to get around making them have an account.

chaos 2009-06-10 22:03:49

ansaurus

tags:

views:

answers:

Implementing a voting system without requiring registration

related questions