8

What I really want is to limit 1 vote per person, but the next best thing I can think of is to limit 1 vote per IP address to prevent malicious users/hackers from severely tampering with my company's voting system. I was thinking of using a database to keep track of the IP addresses.

Update: Sorry about not being clear the first time around. What I wanted to know was whether limiting 1 vote per IP address was a good strategy for limiting 1 vote per person. Basically, I wanted to know if 1 unique IP address is roughly equal to 1 person. People have already mentioned that proxies and routers re-use IP addresses so unfortunately, many people can be using the same IP address.

Thanks. I think, for my case, it'll be best to NOT limit 1 vote per IP address.

burnt1ce

7 Answers

21

I would suggest not going with the IP approach. When I looked at this before some of your large ISPs reuse IPs a lot (AOL...), but if you do use IP addresses, use a database to track them. A fast way to do it is to make it a unique key and to catch the exception as "already voted".

One good thing to add is not to show a user that their vote was not counted, just show the results, or thank them for voting. By not giving that specific error, it is harder and sometimes not even noticed by your problem users.

RiddlerDev
  • Another thing I have found to work well... add an increasing timer delay for the user if they have a cookie. Sure they could delete it, but again, not showing that you are actually doing anything, and just slowly taking longer to vote every time will slow down voting scripts to the point they are not really working. (You could do the same with IP addresses.) NOTE: This is also a good technique for username/passwords rather than locking accounts. – RiddlerDev Aug 07 '09 at 20:04
  • I don’t auto think voting scripts will be programmed even post the cookie data. Other than JavaScript (within a browser), I haven’t seen any language that does this by default. Ruby, PHP, Python all seem to make you add the cookie header to a request manually. – complistic Mar 05 '13 at 04:57
12

If you use IP addresses then you'll be limiting most companies to only one vote because they route all outbound internet traffic through a firewall or proxy server. We did this a couple of years ago and found that all AOL traffic came from only 5 IP addresses.

David
4

Generally, yes, what you would do is have a database table for the votes, and simply store choice+ip address - then when inserting, do a DB query to see if an entry already exists with the given IP.

The ideal solution would be to tie votes to user accounts which are in turn linked to more concrete presence (such as a credit card, cell phone, or other less-easily-multiplied identity source).

What exactly is the question you're asking?

Amber
2

The way I have always done it is to concat the user agent and IP address into an MD5 hash (in some cases this will allow people from the same IP to vote, as long as they are using different browsers), and store that as a "fingerprint" for the vote in the database and add a unique key to it. As IPX Ares said, from there you can catch the duplicate key exception, and you should be good.

If you wanted to allow people to vote once a day, you could also append the Ymd to that "fingerprint", or other variations to allow x amount an hour or x amount per day.

Dan Bair
  • This improves things a bit, but still does not address the problem with corporate users well enough. In a company, it is likely that many people will have the same user agent and be behind a firewall which shows as one IP address. – Krystian Cybulski Sep 06 '12 at 14:37
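The unique-key approach from the first answer combined with the fingerprint from this one, as an added example that is not code from any poster. It assumes SQLite, a hypothetical `votes` table, and SHA-256 with length-prefixed fields swapped in for the plain MD5 concatenation; the IP addresses and user-agent strings are constructed samples.

```python
import hashlib
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    # The primary key is the unique constraint that enforces one vote per fingerprint.
    db.execute("CREATE TABLE votes (fingerprint TEXT PRIMARY KEY, choice TEXT NOT NULL)")
    return db

def fingerprint(ip, user_agent, day):
    # Length-prefix each field so differently split inputs cannot hash to the same value.
    h = hashlib.sha256()
    for part in (ip, user_agent, day):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def cast_vote(db, ip, user_agent, day, choice):
    """Return True if the vote was counted. The caller renders the same
    thank-you page for True and False, so a rejected voter sees no error."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO votes VALUES (?, ?)",
                       (fingerprint(ip, user_agent, day), choice))
        return True
    except sqlite3.IntegrityError:  # duplicate key: this fingerprint already voted
        return False

def tally(db):
    return dict(db.execute("SELECT choice, COUNT(*) FROM votes GROUP BY choice"))

def demo():
    db = open_db()
    ua = "Mozilla/5.0 (constructed sample UA)"
    results = [
        cast_vote(db, "203.0.113.7", ua, "20090807", "A"),  # first vote: counted
        # Same IP, same browser, same day: dropped. A colleague behind the
        # same corporate NAT with the same browser build looks identical.
        cast_vote(db, "203.0.113.7", ua, "20090807", "B"),
        cast_vote(db, "203.0.113.7", "OtherBrowser/1.0", "20090807", "B"),  # other browser: counted
        cast_vote(db, "203.0.113.7", ua, "20090808", "A"),  # Ymd changed: counted again
    ]
    return results, tally(db)

if __name__ == "__main__":
    print(demo())
```

Letting the database reject the duplicate avoids the race in a separate "SELECT then INSERT" check, where two concurrent requests can both pass the lookup.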
1

Yes, use a database. Don't rely on cookies, they can be easily deleted.
IMO, so far, IP-based voting limitation is the best option.

Andrejs Cainikovs
  • -1 for the IP-based blocking: unfortunately there is a very non-trivial amount of sites on the Internet that have many users behind a single IP. – Andrew Y Aug 07 '09 at 20:37
  • Yes, but the only working way if you want to suppress voting cheating. – Andrejs Cainikovs Aug 07 '09 at 20:42
  • @AndrejsCainikovs: In all the cases we had IP address as a supplementary option, the cheaters always had an inexhaustible supply of them to use. So - it might help against my kid brother. That's not bad; but keep in mind it's just a stopgap measure against low-hanging fruit, not a complete solution. – Piskvor left the building Oct 13 '14 at 12:16
0

IP address has its limitations as we have noted from above, but there are many other characteristics a browser has which can damper mischievous voters. BrowserID, for example, is different for just about every browser. You could use a combination of BrowserID and IP address to create a unique ID.

0

Another way to 'help' avoid cheating is to provide a one-time-use hash in the form, then check that it is valid before you count the vote.

For example:

When you create the voting form you make a random hash and store it in the database and put it in the form as a hidden field. (You might want to add a date field to the hash database so you can clean up the unused hashes.)

Then when you get a vote POST request you can check if the supplied hash is in the database and remove it from the database so it can't be used again.


CONS:
Might load the database with high IO if the voting page has high traffic.
Can't cache the page as plain HTML, so it puts more stress on the web app.

complistic
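The one-time form token described in this answer, as an added example that is not the poster's code. It assumes SQLite, hypothetical `form_tokens` and `votes` tables, and a one-hour token lifetime; the timestamps in `demo()` are constructed.

```python
import secrets
import sqlite3
import time

TOKEN_TTL = 3600  # seconds a form token stays valid (assumed value)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE form_tokens (token TEXT PRIMARY KEY, issued_at REAL NOT NULL)")
    db.execute("CREATE TABLE votes (id INTEGER PRIMARY KEY, choice TEXT NOT NULL)")
    return db

def issue_token(db, now=None):
    """Called when the form is rendered; the value goes in a hidden field."""
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    with db:
        db.execute("INSERT INTO form_tokens VALUES (?, ?)",
                   (token, time.time() if now is None else now))
    return token

def submit_vote(db, token, choice, now=None):
    now = time.time() if now is None else now
    with db:  # one transaction: consume the token and record the vote together
        # DELETE is the check: exactly one request can remove a given row,
        # so two concurrent POSTs with the same token cannot both succeed.
        cur = db.execute("DELETE FROM form_tokens WHERE token = ? AND issued_at >= ?",
                         (token, now - TOKEN_TTL))
        if cur.rowcount != 1:
            return False  # unknown, already used, or expired
        db.execute("INSERT INTO votes (choice) VALUES (?)", (choice,))
    return True

def purge_expired(db, now=None):
    """Periodic clean-up of tokens from forms that were never submitted."""
    now = time.time() if now is None else now
    with db:
        return db.execute("DELETE FROM form_tokens WHERE issued_at < ?",
                          (now - TOKEN_TTL,)).rowcount

def demo():
    db = open_db()
    t = issue_token(db, now=1000.0)
    stale = issue_token(db, now=1000.0)
    outcome = [
        submit_vote(db, t, "A", now=1010.0),          # valid token: counted
        submit_vote(db, t, "A", now=1011.0),          # replayed POST: rejected
        submit_vote(db, "not-issued", "A", now=1011.0),  # forged token: rejected
        submit_vote(db, stale, "A", now=5000.0),      # expired token: rejected
    ]
    votes = db.execute("SELECT COUNT(*) FROM votes").fetchone()[0]
    return outcome, votes, purge_expired(db, now=5000.0)
```

The token only blocks replay of a captured POST; a client that requests a fresh form for every vote still gets a fresh token, so this complements rather than replaces the per-voter limits discussed in the other answers.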