13

I am about to write a voting method for my site. I want a method to stop people voting for the same thing twice. So far my thoughts have been:

  • Drop a cookie once the vote is complete (susceptible to multi browser gaming)
  • Log IP address per vote (this will fail in proxy / corporate environments)
  • Force logins

My site is not account based as such, although it aggregates Twitter data, so there is scope for using Twitter OAuth as a means of identification.

What existing systems exist and how do they do this?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Chris
  • 26,744
  • 48
  • 193
  • 345
  • possible duplicate of [Limit 1 vote per IP Address?](http://stackoverflow.com/questions/1246705/limit-1-vote-per-ip-address) – bzlm Oct 20 '10 at 07:59

7 Answers7

11

The best thing would be to disallow anonymous voting. If the user is forced to log in you can save the userid with each vote and make sure that he/she only votes once.

The cookie approach is very fragile since cookies can be deleted easily. The IP address approach has the shortcoming you yourself describe.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Klaus Byskov Pedersen
  • 117,245
  • 29
  • 183
  • 222
  • Would it be possible for me to use their twitter login as a login to my site? So that as long as they were logged into twitter they could access my site? – Chris Oct 19 '10 at 12:50
  • @Chris, yes. The easiest way would probably be to use a third party SSO provider such as http://www.janrain.com/ – Klaus Byskov Pedersen Oct 19 '10 at 12:52
  • 1
    Not always deleted easily. http://stackoverflow.com/questions/3968328/best-method-to-prevent-gaming-with-anonymous-voting/3968666#3968666 – bzlm Oct 19 '10 at 13:11
3

One step towards a user auth system but not all of the complications:

Get the user to enter their email address and confirm their vote, you would not eradicate gaming but you would make it harder for gamers to register another email address and then vote etc.

Might be worth the extra step.

Let us know what you end up going for.

Question Mark
  • 3,557
  • 1
  • 25
  • 30
  • This would't work so well. I have my own domain. I can have any email I want within it. Another example: if your email is myuser@gmail.com, you could use "myuser+1@gmail.com" myuser+2@gmail.com, etc (text after the + is ignored and it is delivered to your account). You can also include dots in your username. (This only works on gmail addresses!) – Pedro Loureiro Jan 25 '11 at 11:01
3

If you want to go with cookies after all, use an evercookie.

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Multi-browser cheating won't be affected, of course.

bzlm
  • 9,626
  • 6
  • 65
  • 92
  • 1
    Be warned: if you visit the evercookie site it will (attempt to) put an evercookie on your browser. The Comments on a recent Bruce Schneier post contains an interesting discussion of the site: http://www.schneier.com/blog/archives/2010/09/evercookies.html – APC Oct 19 '10 at 13:33
  • @APC Why does that warrant a warning? I think most sites, when visited, attempt to put a cookie on my browser. :) – bzlm Oct 19 '10 at 13:40
  • The point about evercookies is that the software will try to put one of its uber-cookies on you even if you have set your browser to not accept third-party cookies. Of course, imost people really don't care. But some people get quite aerated on the topic. – APC Oct 19 '10 at 14:09
  • @APC Some users... and the European Union. :) http://blogs.wsj.com/digits/2009/11/11/europe-approves-new-cookie-law/ – bzlm Oct 19 '10 at 17:06
  • + for linking to evercookie site. Good revision of everything that should be regurarly cleaned to keep privacy. – Danubian Sailor Jan 25 '11 at 10:48
3

What type of gaming do you want to protect yourself against? Someone creating a couple of bots and bombing you with thousands (millions) of requests? Or someone with no better things to do and try to make 10-20 votes?

Yes, I know: both - but which one is your main concern in here?

Using CAPTCHA together with email based voting (send a link to the email to validate the vote) might work well against bots. But a human can more or less easily exploit the email system (as I comment in one answer and post here again)

I own a custom domain and I can have any email I want within it.

Another example: if your email is myuser*@gmail.com*, you could use "myuser+1@gmail.com" myuser+2@gmail.com, etc (the plus sign and the text after it are ignored and it is delivered to your account). You can also include dots in your username (my.user@gmail.com). (This only works on gmail addresses!)

To protect against humans, I don't know ever-cookie but it might be a good choice. Using OAuth integrated with twitter, FB and other networks might also work well.

Also, remember: requiring emails for someone to vote will scare many people off! You will get many less votes!

Another option is to limit the number of votes your system accepts from each ip per minute (or hour or anything else). To protect against distributed attacks, limit the total number of votes your system accepts within a timeframe.

Pedro Loureiro
  • 11,436
  • 2
  • 31
  • 37
1

Different approach, just to provide an alternative:

Assuming most people know how to behave or just can't be bothered to misbehave, just retroactively clean the votes. This would also keep voting unobtrusive for the voters.

So, set cookies, log every vote and afterwards (or on a time interval?) go through the results and remove duplicates based on the cookie values, IP/UserAgent combinations etc.

I'd assume that not actively blocking multiple votes from same person keeps the usage of highly technical circumvention methods to a minimum and the results are easy to clean.

As a down side, you can't probably show the actual vote counts live on the user interface, or eyebrows will be raised when bunch of votes just happen to go missing.

nnevala
  • 5,779
  • 2
  • 20
  • 13
1

Although I probably wouldn't do this myself, but look at these cookies, they are pretty hard to get rid of:

http://samy.pl/evercookie/

A different way that I had to approach this problem and fight voting fraud, was to require an email address, then a person could still vote, but the votes wouldn't count until they clicked on a link in the email. This was easier than full on registration, but was still very effective in eliminating most of the fraudulent votes.

Andre
  • 603
  • 7
  • 19
  • Someone suggested the e-mail thing as well. :) http://stackoverflow.com/questions/3968328/best-method-to-prevent-gaming-with-anonymous-voting/3968430#3968430 – bzlm Oct 19 '10 at 17:07
1

If you don't want force users to log, consider this evercookie, but force java script to enable logging!

This evercookie is trivial to block because it is java script based. The attacker would not likely use browser, with curl he could generate tousends of requests. Hovewer such tools have usually poor javascript support.

Mail is even easier to cheat. When you run your own server, you can accept all email addresses, so you will have practically unlimited pool of addresses to use.

FolksLord
  • 992
  • 2
  • 9
  • 17