1

We have the following example:

A website (web application written in PHP using Apache/MySQL) where you can cast votes on different posts. For instance, I am a user and I post "Anna likes apples".

Every person that accesses the website MUST be able to upvote my post if they like it, but only once (with or without being registered)!
The best method to implement this (as I've known so far) was to check the IP of the unregistered user who wants to upvote. But what do you do when the user changes his IP?

How can we check if the user has or has not voted before from the same computer, but with a different IP?

Razvan M.
  • 407
  • 5
  • 14
  • Have the users log in so you can identify the user. – Gordon Linoff Sep 24 '15 at 15:14
  • @GordonLinoff I need to do this for users who are not registered and DO NOT wish to register. – Razvan M. Sep 24 '15 at 15:15
  • It is not possible to track it with an IP Address – PHP Web Dev 101 Sep 24 '15 at 15:16
  • Do you want to see if the person changed the IP that is a registered user or both unregistered and registered? – PHP Web Dev 101 Sep 24 '15 at 15:19
  • We have no concern of registered users, those are easily checked. Only unregistered users pose an issue here. They can cast a vote even if they do not register. The point is here, to have only one vote per person, even if they are not registered. – Razvan M. Sep 24 '15 at 15:20
  • http://stackoverflow.com/questions/2333054/hunting-cheaters-in-a-voting-competition , http://stackoverflow.com/questions/8962562/prevent-double-voting – vidriduch Sep 24 '15 at 15:22

4 Answers

2

To identify if a user is really the same you should rely more on the MAC address of his NIC than on his IP address. Here I found a similar question where one proposes a JavaScript to get the remote MAC address.

How can I get the MAC and the IP address of a connected client in PHP?

Be aware that there is no 100% way here. A determined user will find ways. It is up to you to be conservative and not allow suspicious cases.

Maybe you can assign a probability of uniqueness to all the mentioned methods: user session, user-agent of browser, cookies, IP, MAC. The threshold to block should be a business decision depending on the severity of the consequences.

Community
  • 1
  • 1
KarmaEDV
  • 1,631
  • 16
  • 27
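
The weighted-signals idea from the answer above, sketched as an added example (not code from the answer's author). The signal names, weights, threshold and stored-vote row shape are assumptions, and the MAC address is left out because PHP does not receive it in an HTTP request:

```php
<?php
// Added illustration: weights, threshold and row shape are assumptions, not from the answer.
// Each weight says how strongly a matching signal suggests "same voter" (out of 100).
const WEIGHTS = ['cookie' => 60, 'session' => 50, 'ip' => 30, 'user_agent' => 10];
const BLOCK_THRESHOLD = 60; // business decision: higher blocks fewer honest voters

// Compare one guest request with every vote already stored for the post and
// return the highest match score (0-100). A null signal was not sent and never matches.
function duplicateScore(array $request, array $priorVotes): int
{
    $best = 0;
    foreach ($priorVotes as $vote) {
        $score = 0;
        foreach (WEIGHTS as $signal => $weight) {
            $seen = $request[$signal] ?? null;
            if ($seen !== null && $seen === ($vote[$signal] ?? null)) {
                $score += $weight;
            }
        }
        $best = max($best, min($score, 100));
    }
    return $best;
}

// Constructed sample data: one stored vote and three later guest requests.
$priorVotes = [
    ['cookie' => 'tok-a1', 'session' => 'sess-1', 'ip' => '203.0.113.7', 'user_agent' => 'UA-Firefox'],
];
$requests = [
    'IP changed, cookie kept' =>
        ['cookie' => 'tok-a1', 'session' => null, 'ip' => '198.51.100.9', 'user_agent' => 'UA-Firefox'],
    'cookies cleared, same IP' =>
        ['cookie' => null, 'session' => null, 'ip' => '203.0.113.7', 'user_agent' => 'UA-Firefox'],
    'other person, shared IP' =>
        ['cookie' => null, 'session' => null, 'ip' => '203.0.113.7', 'user_agent' => 'UA-Chrome'],
];

foreach ($requests as $label => $request) {
    $score = duplicateScore($request, $priorVotes);
    printf("%-25s score=%3d  %s\n", $label, $score, $score >= BLOCK_THRESHOLD ? 'block' : 'allow');
}
```

With these assumed weights, a request that cleared its cookies but kept the same IP and browser stays below the threshold, which is the trade-off the answer leaves to a business decision.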
1

You could use cookies. For example:

setcookie("already_voted","yes");

And later check if that cookie exists:

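// isset() avoids an undefined-index notice for visitors who have no cookie yet
if (isset($_COOKIE["already_voted"]) && $_COOKIE["already_voted"] == "yes") { /* Disallow voting */ }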

The main problem here is that the user can delete the cookies : /

Castillo
  • 145
  • 8
  • This will only work if the window is not in private mode. – PHP Web Dev 101 Sep 24 '15 at 15:18
  • Yes, I am aware of this approach, but as you mentioned, a user can delete his cookies... and with a user so determined to upvote a post that he changes his IP or looks for a proxy... he will definitely erase cookies. – Razvan M. Sep 24 '15 at 15:19
1

If they are not logging in just use a session variable I suppose... put this at the top of each script:

// set cookie lifetime for 1000 days (60sec * 60mins * 24hours * 1000days)
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 1000);
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 1000);
// start session
session_start();

And on the page, once they click to vote set:

$_SESSION['votes']['post_id'] = 1;

And in the code template only show the vote button on this condition:

if (empty($_SESSION['votes']['post_id'])) {
    //show voting button html
}

The exact implementation of this will vary depending on how you have structured your code but this is the raw logic in absence of any examples to work from. If they clear out all their browser cache/cookies they could vote again, but there's little you can do to make it bullet-proof if you want it to be guest-compatible.

ajmedway
  • 1,492
  • 14
  • 28
0

If the user has registered, you could check the user's vote by storing the postID in the user's info. Then when the user votes, check whether the postID has been stored before.

For users who haven't registered, where one device can only have one vote (without logging on), I think the cookie is stored on the device, so you could set a cookie with some specific info (TimeofSetCookie, UnregisterUserName, PATH.....), then use $_COOKIE[...] to get the cookie and check it.

um....I can only have these two ways....Hope they can help you

I think there will be a problem: different people can use the same IP or the same device to vote. Then your website may lose these sorts of votes in this situation. Why don't you just restrict it so only members can vote?

  • Well, considering I need the users to have voting as a quick action, I need voting to be fast (no other steps like registering). And the IP matter can be solved by also checking the MAC and putting them one next to the other. – Razvan M. Sep 24 '15 at 16:10