views: 169

answers: 7

I have a web app that requires a user to have an account. This user can then vote 'once' on a specific item. However, some users are signing up for lots of accounts to 'game' the system.

Does anyone have any ideas how you can restrict this type of thing?

Could I restrict number of signups per day per IP address? (what are problems with this?)

Any other suggestions???

+2  A: 

You would do yourself one better by restricting the sign-ups to just a single IP address per user. This may not be good if you plan on having families all living under the same roof to have their own accounts, but in most cases this is practical.

TheTXI
But then what about the people (yes, they still exist) who get their primary internet access from their local library?
AllenG
You've got a pretty good app on your hands if multiple users are in the same library, and at the same time, all using your app. Sounds like a nice problem to have! Cheers.
tom
+2  A: 

Yes, restricting signups per IP is reasonable. I'd probably go with signups per rolling time period (say, a maximum of one new account in any one-hour period per IP). You might also flag suspicious signups (say, more than five per day per IP) for later followup.

You might also restrict users from voting until they've passed some hurdle, similar to SO's reputation system. Prevent poll voting until they've been a user for a week, have posted at least twice, have one friend request, etc.

Michael Petrotta
+1  A: 

I remember when I ran an online RPG I flagged when more than 5 or so accounts logged in with the same IP in the same day.

James Van Boxtel
A: 

One potential problem is if your users are behind a NAT such as a home router, ISP proxy, or corporate firewall. You will see the same IP for all of them.

Instead of blocking people I would simply record their IPs, create a report of duplicate IPs that you can run periodically to investigate suspicious activity.

In addition you can take a social approach, post the user's IP somewhere. This will provide a gentle warning and disincentive to people who fake accounts, as well as allow your community of users to potentially identify fakers.

DSO
But we're not talking about user activity here, I'm pretty sure. What matters is the likelihood of multiple new accounts being created at relatively the same time from the same IP. Now that's a red flag in my book.
tom
+1  A: 

People mention the NAT issue. Read the header x-forwarded-for and compare that to the standard ip address.

If x-forwarded-for is present use this value. Most properly configured NAT routers will populate this field. The only ones that do not are typically anonymous proxies.

If you really are worried about people gaming the system, use a Flash bit that uses sockets to connect and provide, say, the session id to the socket listener. You can then compare that with the ip address and x-forwarded-for. If it does not match, they are behind an anonymous proxy. You could feel safe to not allow them to create accounts.

This works because most anonymous proxies out there aren't full Socks proxies where all network traffic goes through it, just HTTP. This worked very well for me in the past where we had a contest with voting and folks were using anonymous proxies to game the system.

Chad Ruppert
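The two ideas above, Michael Petrotta's rolling-window signup limit (one new account per IP per hour, flag five or more per day) and Chad Ruppert's use of x-forwarded-for, as an added Python example that is not code from any of the answers. The `trusted_proxies` set is an assumption: the header is only honoured when the direct TCP peer is a proxy you operate, since any client can send it; all IPs, thresholds and timestamps are constructed.

```python
"""Rolling-window signup limiter keyed by client IP (added example)."""
from collections import defaultdict, deque

ONE_HOUR = 3600
ONE_DAY = 24 * ONE_HOUR


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address to rate-limit on.

    X-Forwarded-For is a plain request header, so anyone can set it. It is
    only meaningful when the TCP peer is a proxy we control (the assumed
    trusted_proxies set); otherwise fall back to the socket address."""
    if remote_addr in trusted_proxies and x_forwarded_for:
        # Leftmost entry is the original client as reported by our proxy.
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


class SignupLimiter:
    def __init__(self, max_per_hour=1, flag_per_day=5):
        self.max_per_hour = max_per_hour
        self.flag_per_day = flag_per_day
        self._accepted = defaultdict(deque)  # ip -> timestamps of accepted signups
        self.flagged = set()                 # ips queued for manual followup

    def _count_within(self, ip, now, window):
        q = self._accepted[ip]
        while q and now - q[0] > ONE_DAY:    # drop entries older than the longest window
            q.popleft()
        return sum(1 for t in q if now - t <= window)

    def try_signup(self, ip, now):
        """Accept (True) or refuse (False) a signup at time `now` in seconds.

        Accepted signups are recorded; an IP that reaches flag_per_day
        accepted signups in a rolling day is flagged, not blocked."""
        if self._count_within(ip, now, ONE_HOUR) >= self.max_per_hour:
            return False
        self._accepted[ip].append(now)
        if self._count_within(ip, now, ONE_DAY) >= self.flag_per_day:
            self.flagged.add(ip)
        return True


if __name__ == "__main__":
    lim = SignupLimiter()
    for t in (0, 100, 3700, 7400, 11100, 14800):   # constructed timeline
        print(t, lim.try_signup("198.51.100.7", t), sorted(lim.flagged))
```

Because the whole household behind one NAT shares the limiter key, the flag threshold only queues the IP for review rather than refusing accounts outright.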
+1  A: 

Instead of limiting by account, you could set up limitations by email address. If users need to provide their email address, you already create one hurdle for them. Make sure they have to respond to a confirmation email to make sure the email address is real. Also keep track of email address and IP address, marking any count as suspicious where a single IP address has e.g. 5 or more email addresses. (In which case you could check those addresses to see if they are somehow related, like all from the same domain or similar names.) Sure, people can create dozens of email addresses using GMail or Hotmail or even if they have their own private domain. But for many people this is already a bit too much. Basically, if you see 5 email addresses from gmail.com with the same IP address, it's suspicious.

Workshop Alex
A: 

I would recommend implementing a different authentication mechanism such as OpenID, or as Alex said, force the users to specify a valid email and send them confirmation links via email before accounts get created.

My preference is OpenID for sure.

OJ