2

I'm making a website (using PHP, JavaScript and MySQL) with a voting system which allows people to vote anonymously, but only once.

It means that my system has to know who voted (because I have to check if the user already voted or not), but I don't want to store the user name or the user's IP address in the database (it would ruin the anonymity). I don't know how to get started; I need some guidelines. What should I look for?

halfer
Bakayaro
  • 3
    If you are not authenticating every vote then you won't be able to secure it at all. You could possibly store some cookies on the client side but anyone can just clear those and bring you back to square one. – Lix Feb 25 '14 at 13:44
  • 2
    and even IP address can be changed. I have a dynamic IP allotted to me by my ISP which changes every time I reboot my router. I once helped my niece win a competition by voting multiple times by simply rebooting my router via a batch script and fiddler. – DhruvJoshi Feb 25 '14 at 13:47
  • 1
    @DhruvJoshi - Ah HA! So you **confess!** I thought something was fishy with that competition! ;) – Lix Feb 25 '14 at 13:50

2 Answers

5

Your worst problem is how to make sure your users only vote once, but that's not the point of the question: you are asking how to ensure anonymity.

That is rather easy: treat whatever you use for single-voting as a password, and hash it. So let's say for argument's sake you are using the IP. I'm aware of the problems with that, but let's assume this is your choice.

  • User votes
  • You hash the IP and save it.
  • You can even go as far as saving it in a different location. No need to even save what hash voted which option.
  • User votes again -> IP-hash is already in database.
  • To not give away if someone has already voted, don't reply "you have already voted", but just don't save the vote. This way there is no way to even know if there was a vote from this machine.

Mind you, this is about anonymity, not about how to ensure single-voting.

Nanne
  • It's true. If you are enforcing single-voting, the system has to be able to *recognize* that a user has already visited. – Lix Feb 25 '14 at 13:57
  • btw, I'm not seeing how you can easily do this with a salted hash, because you do not (and should not) have a username-equivalent saved with your password-equivalent. It would be impossible/impractical to check against all salted hashes. Not sure if there's an elegant solution for that. – Nanne Feb 25 '14 at 13:58
  • For IPv4, there are only over 4 billion different addresses. Hashing (even salting them) might not be enough to guarantee anonymity, as a brute-force attack can test for the hashes of all different combinations in not-so-long. If your salt is known (and you have to assume it is, if the user has access to your database), you'll not be able to guarantee anonymity. – Pedro Cordeiro Feb 25 '14 at 14:01
  • I think that this is an instance where the requirement for "anonymity" and "single voting" has to be put up against reality and the actual system that is being built. I do not believe that we are talking about a voting system for a government or anything quite so official. One needs to think realistically when dealing with these types of requirements. You can make it hard to "game the system", but trying to secure it 100% really wouldn't be feasible. – Lix Feb 25 '14 at 14:03
  • @PedroCordeiro Sure, but IP is just an example, all usual caveats of hashing apply. Take something else. Take IP+user-agent for all I care, the point is that you can save something in the database that you can check against, without saving the actual data. This is where hashing that data comes in. I agree it is a fair point you come up with, but I would start worrying about that only after there was a choice of "single voting" mechanism :) – Nanne Feb 25 '14 at 14:04
  • @Nanne, yes, I agree. I'm just saying, OP was emphatic on the anonymity thing, I was just contributing with a fact so he can make an informed decision. Also, IP+User Agent won't guarantee single votes, as the User-Agent can easily be changed (and will be changed by simply using different browsers). Lix, I'm just entertaining one implication. This is a paradox, you can't guarantee you'll only vote once if you don't know who voted already. – Pedro Cordeiro Feb 25 '14 at 14:09
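
Added example, not code from the answer or its comments: the answer's hash-and-check idea, adjusted for the two objections raised above (per-row salts make lookup impractical, and a bare hash of an IPv4 address can be re-hashed from a database dump) by using a keyed hash (HMAC) whose key is stored outside the database. The function names, the in-memory arrays standing in for tables, and the sample address and key are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Keyed, deterministic token: the same identifier and poll always give the same
// value, so one indexed lookup detects a repeat vote (no per-row salt needed).
function voterToken(string $identifier, int $pollId, string $key): string
{
    // Including the poll id keeps one voter's tokens unlinkable across polls.
    return hash_hmac('sha256', $pollId . '|' . $identifier, $key);
}

// $seen stands in for a table with one UNIQUE token column, $tally for a
// separate per-option counter table; nothing links a token to an option.
function castVote(array &$seen, array &$tally, string $token, string $option): bool
{
    if (isset($seen[$token])) {
        return false;               // repeat: dropped; caller shows the same page
    }
    $seen[$token] = true;
    $tally[$option] = ($tally[$option] ?? 0) + 1;
    return true;
}

// Audit helper: can a stored value be matched by re-hashing candidate addresses
// using only what a database dump contains? Limited to one /24 for the demo.
function matchableFromDump(string $stored, string $prefix, callable $hashFn): bool
{
    for ($host = 0; $host < 256; $host++) {
        if (hash_equals($stored, $hashFn($prefix . $host))) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: TEST-NET-3 address, poll id 1, throwaway key.
$key  = random_bytes(32);           // assumption: real key is loaded from outside the DB
$ip   = '203.0.113.57';
$seen = $tally = [];

var_dump(castVote($seen, $tally, voterToken($ip, 1, $key), 'option_a'));
var_dump(castVote($seen, $tally, voterToken($ip, 1, $key), 'option_b'));
var_dump($tally);

$bare  = fn(string $c): string => hash('sha256', $c);
$keyed = fn(string $c): string => hash_hmac('sha256', '1|' . $c, 'guess-without-real-key');
var_dump(matchableFromDump(hash('sha256', $ip), '203.0.113.', $bare));
var_dump(matchableFromDump(voterToken($ip, 1, $key), '203.0.113.', $keyed));
```

The keyed token only protects voters against someone who holds the database but not the key; whoever has both can still enumerate the address space, and none of this makes an IP address a reliable single-vote identifier.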
1

As Lix stated, really the only way, without storing IP addresses or forcing users to register, would be to store a Cookie linked to a session, however of course this is by no means a solution, as Cookies can easily be cleared.

You could attempt to use a persistent Cookie solution, such as evercookie, but if I were a user of a site which implemented something like that, it would annoy me more than having to register, and no matter what methods are used, they can always be circumvented to remove the Cookie/identifying information.

Another possibility is another form of persistent Cookies which got a lot of publicity last year (or was it 2012 - I forget), which utilize Flash to store Cookies. These Cookies can be accessed in multiple browsers. One such solution is flash-cookie, but again, this is likely to annoy users, and would not be 100% reliable as not all users have Flash enabled or installed.

Seidr