We have a website with articles users can vote for. What is the recommended method of limiting votes?

There are so many sites that have voting implemented that I know some possible solutions, but I guess there is some basic bulletproof recommended method based on sessions, IPs, time limit, etc.

What is the best way to send votes from browser? Basic GET/POST or AJAX request? Is it necessary to use some pregenerated request-id?

Update: We cannot use user registration.

A: 

The best way of preventing duplicate posts is having only signed in users vote. That way you can store their vote in some data storage (DB).

If you want to allow for users to vote anonymously, use the browser session. The downside of this is that they can just close/reopen the browser and revote.

I would not recommend using IP for restricting votes, since many users can be behind a proxy, so it will look like they have the same IP. If one of those users votes, the others could not vote anymore.

tehvan
A: 

This may help for your bulletproof recommendation request: Content Voting Database and Application Design

Canavar
A: 

There's no bulletproof solution unless you require some serious (banking level) authentication. That said, the basic solution is to use sessions (cookies). IP limiting is a very bad idea (for example I'm sharing an IP with about 20 other people).

Joonas Pulakka
A: 
  • Use authenticated users
  • Don't block IP
  • Don't verify votes by cookies
  • Try to use captcha if same IP is voting multiple times with different accounts

If you want to allow non-authenticated users, then you're sure to have to use captcha to avoid bots. But still I think that the best is to allow voting for authenticated users only. You can make something like: a user younger than 1h/2h can't vote, to avoid bots creating accounts and feeding votes.

fmsf
+2  A: 

[...] bulletproof [...]

Impossible.

Limiting by account will help - IP addresses are far too dynamic and easily changeable to be remotely "secure". You then of course have to limit account creation, again, difficult.

Stack Overflow does it quite nicely (there was a blog entry about this recently, "New Question / Answer Rate Limits") - basically have accounts where you have to actively participate for a while before you can vote. Then you are rate-limited (by account) until you've participated for a bit longer. Then the limits are removed, so you don't annoy more active (more trusted) users.

If you just want to prevent casual, "accidental" voting, limit by cookie, and possibly also by IP (bearing in mind more than one user can be behind a single IP). If you want to try and prevent abuse, require accounts which you can't just click "signup" for (or rather, one you cannot write a "click signup 2000 times"-script for), although this isn't always possible (or practical).

dbr
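Added example (not part of any answer above): a server-side sketch of the "limit by cookie, and possibly also by IP" approach for anonymous voting. A signed voter cookie gives one vote per article, and a per-IP cap set above 1 leaves room for users sharing an address. The names, the in-memory storage and the limits (`IP_WINDOW`, `IP_MAX_VOTES`) are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)  # assumption: a real deployment keeps this key stable
IP_WINDOW = 3600                  # seconds (assumed value)
IP_MAX_VOTES = 20                 # per article and IP per window; >1 for shared IPs (assumed)


def issue_voter_cookie() -> str:
    """Return 'id.signature' to set as a cookie on the visitor's first request."""
    voter_id = secrets.token_hex(16)
    sig = hmac.new(SECRET, voter_id.encode(), hashlib.sha256).hexdigest()
    return f"{voter_id}.{sig}"


def verify_voter_cookie(cookie: str):
    """Return the voter id if the server issued this cookie, else None."""
    voter_id, _, sig = cookie.partition(".")
    expected = hmac.new(SECRET, voter_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return voter_id if ok else None


class VoteLimiter:
    def __init__(self):
        self.seen = set()                  # (article_id, voter_id) already counted
        self.ip_hits = defaultdict(deque)  # (article_id, ip) -> accepted-vote timestamps
        self.totals = defaultdict(int)

    def vote(self, article_id, cookie, ip, now=None):
        now = time.time() if now is None else now
        voter_id = verify_voter_cookie(cookie or "")
        if voter_id is None:
            return "rejected: missing or forged cookie"
        if (article_id, voter_id) in self.seen:
            return "rejected: already voted"
        hits = self.ip_hits[(article_id, ip)]
        while hits and now - hits[0] >= IP_WINDOW:
            hits.popleft()                 # drop votes that left the window
        if len(hits) >= IP_MAX_VOTES:
            return "rejected: too many votes from this IP"
        hits.append(now)
        self.seen.add((article_id, voter_id))
        self.totals[article_id] += 1
        return "accepted"
```

Clearing cookies still yields a fresh voter id, so the per-IP cap is the only bound on that; the IP rejection is also the point where a CAPTCHA could be shown instead of refusing the vote.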