
I'm creating a website and I'm trying to implement a feature to prevent multivoting. The way I have it implemented at the moment seems to work to an extent, but it seems user IPv6 IP addresses change every day allowing another vote on another day per user.

Here's how I'm currently logging IPs.

This is how I'm grabbing the user IP in PHP:

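```php
// Take the first non-empty value: proxy/forwarding headers first, then the socket address.
$user_ip = getenv('HTTP_CLIENT_IP') ?:
    getenv('HTTP_X_FORWARDED_FOR') ?:
    getenv('HTTP_X_FORWARDED') ?:
    getenv('HTTP_FORWARDED_FOR') ?:
    getenv('HTTP_FORWARDED') ?:
    getenv('REMOTE_ADDR');
```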

And here is how I'm logging each vote in the database:

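```php
// Has this IP already voted for this user? Values are bound, not concatenated into the SQL.
$check_if_voted = mysqli_prepare($con, "SELECT 1 FROM voting_log WHERE voter_ip = ? AND voted_user = ?");
mysqli_stmt_bind_param($check_if_voted, "ss", $user_ip, $search);
mysqli_stmt_execute($check_if_voted);
mysqli_stmt_store_result($check_if_voted);

if (mysqli_stmt_num_rows($check_if_voted) <= 0) {
    // No earlier vote from this IP for this user: record it.
    $insert = mysqli_prepare($con, "INSERT INTO voting_log (voter_ip, voted_user, votetype) VALUES (?, ?, 0)");
    mysqli_stmt_bind_param($insert, "ss", $user_ip, $search);
    mysqli_stmt_execute($insert);
} else {
    echo "You have already voted for this user";
}
```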

Is there a way to track IPv4 IPs only, as these don't seem to ever change?

mkrieger1
mewi
  • IPv6 can [sometimes](https://stackoverflow.com/questions/2786632/how-can-i-convert-ipv6-address-to-ipv4-address) be mapped back to IPv4 addresses, but how will you catch multiple distinct users behind the same router (= same IPv4 address)? Or, for that matter, the same user using two devices (home PC and office PC)? – rickdenhaan Feb 20 '19 at 23:26
  • In the unique case of my website this will not be a problem. One vote per household would be reasonable for my site's purpose. – mewi Feb 20 '19 at 23:27
  • Ah, okay. Your website doesn't have control over whether your visitor's computer sends an IPv6 or IPv4 address to your website. If you want to use the IP address, the best you can do is try to map IPv6 back to IPv4. Maybe assume an "already voted" state if that's not possible? – rickdenhaan Feb 20 '19 at 23:29
  • IP != person: one IP, multiple people; one person, multiple IPs. This approach never works. As to the IP converting, you can't; there are more IPv6 addresses than IPv4. –  Feb 20 '19 at 23:36
  • Make the user register and confirm an email address before voting. Otherwise anyone with even the slightest amount of technical knowhow will be able to vote as many times as they want. – Sammitch Feb 21 '19 at 01:07
  • Most providers assign huge chunks (usually /64, which translates to 18446744073709551616 IPs) of IPv6 ranges to their customers. A malicious user could utilize all of these to vote on your site, and the issue here is that it's very difficult to figure out how big the ranges are that each provider assigns to its users (especially since this can change even within the same provider). – Matyas Koszik Feb 21 '19 at 01:30
  • I may take the route of requiring an account. Logging the account and an IP would definitely make things harder to multivote. – mewi Feb 22 '19 at 16:24
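
The /64 and IPv4-mapping points raised in the comments above, as an added example that is not part of the original thread: instead of storing the raw address, store a normalized key so that every address in one subscriber prefix counts as the same voter. `vote_key()` is a hypothetical helper, and the /64 width is an assumption taken from the comment; providers may hand out larger or smaller ranges.

```php
<?php
// Added example; vote_key() is a hypothetical helper, not code from the thread.
// Assumption: one IPv6 subscriber corresponds to one /64 (providers vary).

function vote_key(string $ip): ?string
{
    // Reject anything that is not a single valid IPv4 or IPv6 address
    // (for example a comma-separated forwarding chain).
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $bin = inet_pton($ip);           // 4 bytes for IPv4, 16 bytes for IPv6

    if (strlen($bin) === 4) {        // plain IPv4: use as-is
        return inet_ntop($bin);
    }

    // IPv4-mapped IPv6 (::ffff:a.b.c.d): the last 4 bytes are the IPv4 address.
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (substr($bin, 0, 12) === $mappedPrefix) {
        return inet_ntop(substr($bin, 12));
    }

    // Native IPv6: keep the first 64 bits and zero the interface identifier,
    // so daily-rotating temporary addresses collapse to one key.
    return inet_ntop(substr($bin, 0, 8) . str_repeat("\x00", 8)) . '/64';
}

// Constructed sample addresses (documentation ranges only).
$samples = [
    '203.0.113.7',
    '::ffff:203.0.113.7',                    // same host as above, IPv4-mapped
    '2001:db8:1234:5678:a1b2:c3d4:e5f6:1',
    '2001:db8:1234:5678:ffff:eeee:dddd:2',   // same /64, different temporary address
    '2001:db8:1234:9999::1',                 // different /64
    'not-an-ip',
];

foreach ($samples as $ip) {
    printf("%-40s => %s\n", $ip, vote_key($ip) ?? '(rejected)');
}
```

Store the returned key in `voter_ip` in place of the raw address. The key is only as trustworthy as the address passed in: `X-Forwarded-For` style headers are client-supplied unless a proxy you control sets them.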

1 Answer


If you feel comfortable adding a bit of JavaScript into the mix, consider adding some code to the frontend of your site that fingerprints the client. Send it along with the request and if you are dealing with an IPv6, rely on the fingerprint instead.

This question has multiple great answers that go into detail on how to achieve this.

It's still not foolproof, but the chances of running into a user that has both an IPv6 and is savvy enough to circumvent your chosen approach of unique identification on the client-side might be low enough to be acceptable in your case.

PitchBlackCat
  • Thank you for your response, this is very helpful. Apologies for my ignorance here as I didn't read deeply into it yet. Wouldn't this fingerprint change per user every time they add a plugin or something, thus requiring that you store their fingerprint with their IPv6 IP address, which leads us to the same problem? Perhaps there is a formula that compares similarities to each logged fingerprint and if it's similar enough it is classified as that fingerprint? – mewi Feb 21 '19 at 16:17
  • I think your assumption is correct. As far as I know there is no foolproof way to fingerprint the user's client. I'd just try to make it as hard as possible to dissuade the user from trying too hard. I'm curious, what's the use-case of your voting system? – PitchBlackCat Feb 21 '19 at 22:15
  • It is meant to allow users to vote on whether or not they recommend other users. It is based from a video game. – mewi Feb 22 '19 at 16:22