tags:

views:

1371

answers:

8
Q: 

Limit 1 vote per IP Address?

What I really want is to limit 1 vote per person but the next best thing i can think of is limit 1 vote per IP address to prevent malicious users/hackers from severely tempering with my company's voting system. I was thinking of using a database to keep track of the IP addresses.

Update: Sorry about not being clear in the first time aruond. What i wanted to know if limiting 1 vote per IP address was a good strategy to limiting 1 vote per person. Basically, i wanted to know if 1 unique IP address is roughly equal to 1 person. People have already mentioned that proxies and routers re-use ip addresses so unfortunately, many people can be using the same ip address.

Thanks. I think, for my case, it'll be best to NOT limit 1 vote per ip address.

+1  A: 

Yes, use database. Don't rely on cookies, they can be easily deleted.
IMO, so far, IP based voiting limitation is the best option.

Andrejs Cainikovs  2009-08-07 19:56:56
-1 for the IP-based blocking: unfortunately there is a very non-trivial amount of sites on the Internet that have many users behind a single IP.
Andrew Y  2009-08-07 20:37:34
Yes, but the only working way if you want suppress voting cheating.
Andrejs Cainikovs  2009-08-07 20:42:53
+3  A: 

Generally, yes, what you would do is have a database table for the votes, and simply store choice+ip address - then when inserting, do a DB query to see if an entry already exists with the given IP.

The ideal solution would be to tie votes to user accounts which are in turn linked to more concrete presence (such as a credit card, cell phone, or other less-easily-multiplied identity source).

What exactly is the question you're asking?

Amber  2009-08-07 19:57:24
+11  A: 

If you use IP addresses then you'll be limiting most companies to only one vote because they route all outbound internet traffic through a firewall or proxy server. We did this a couple of years ago and found that all AOL traffic came from only 5 ip addresses.

David  2009-08-07 19:59:13
You had problems with AOL as well eh?
IPX Ares  2009-08-07 20:00:43
+9  A: 

I would suggest not going with the IP approach. When I looked at this before some of your large ISPs reuse IPs a lot (AOL...), but if you do use IP addresses, use a database to track them. A fast way to do it is to make it a unique key and to catch the exception as "already voted".

One good thing to add is not to show a user that their vote was not counted, just show the results, or thank them for voting. By not giving that specific error, it is harder and sometimes not even noticed by your problem users.

IPX Ares  2009-08-07 20:00:08
another thing I have found to work good... add an increasing timer delay for the user if they have a cookie. Sure they could delete it, but again, not showing that you are actually doing anything, and just slowly taking longer to vote every time will slow down voting scripts to the point they are not really working. (You could do same with IP Addresses).NOTE: This is also a good technique for username/passwords rather than locking accounts.
IPX Ares  2009-08-07 20:04:38
A: 

IP addresses can be spoofed too. Since the malicious voter doesn't actually need the reply packet, he could generate vote requests with random IP addresses.

Still, IP address limits are probably good enough for most purposes.

Eric J.  2009-08-07 20:00:29
You'd have trouble establishing a TCP connection with that technique. Without it, you can't send the request at all.
Thorarin  2009-08-07 20:53:14
A: 

This is a product related decision and the product's description has to be taken into consideration when deciding on what elements should be checked for avoiding duplicate votes.

Saggi Malachi  2009-08-07 20:02:30
A: 

IP address has its limitations as we have noted from above, but there are many other characteristics a browser has which can damper mischeivious voters. BrowserID, for example, is different for just about every browser. You could use a combination of BrowserID and IP address to create a unique ID.

 2009-08-12 20:01:30
+2  A: 

The way I have always done it is to concat the user agent and ip address into an MD5 hash (in some cases this will allow people from the same IP to vote, long as they are using different browsers), and store that as a "fingerprint" for the vote the the database and add a unique key to it. As IPX Ares said, from there you can catch the duplicate key exception, and you should be good.

If you wanted to allow people to vote once a day, you could also append the Ymd to that "fingerprint", or other variations to allow x amount an hour or x amount per day.

Dan Bair  2009-08-27 16:37:45

related questions

Windows packet sniffer that can capture loopback traffic?
Sockets and Processes in Java
Getting the Hostname or IP in Ruby on Rails
How do I measure bytes in/out of an IP port used for .NET remoting?
How do I read and write raw ip packets from java on a mac?
Tool for degrading my network connection?
How do you find out which NIC is connected to the internet?
How do you parse an IP address string in C#?
Spread vs MPI vs zeromq?
How do you get the ethernet address using Java?
Leaving your harddrive shared
Should a wireless network be open?
Wifi Management on XP (SP2/SP3)
Broadcast like UDP with the reliability of TCP
Default Routes
Optimizing for low bandwidth
What workshops / user groups / conventions do you attend?
Why is Peer-to-Peer programming a hard topic to obtain good research for?
Boundary Tests For a Networked App
Remoting server auto-discovery. Broadcast or not?
How do I interpret 'netstat -a' output
Default Internet connection on Dual LAN Workstation
Objective-C/Cocoa: How do I accept a bad server certificate?
Easiest way to provide VPN access easily for all client OSes?
How to setup Quality of Service?