3

I'm building a PHP voting system, and I want to limit the number of votes per user.

So what is the best way to distinguish users on my website?

I can track them by cookies or sessions but this doesn't seem efficient because if a user deletes his cookies he will pass the security test. I know there will not be a 100% solution but I want to follow the best practice here.

Any help?

Matt Humphrey
trrrrrrm
  • You might consider [reading this](http://stackoverflow.com/questions/179922/online-poll-ballot-stuffing). Food for thought, so to speak. – Khez Apr 13 '11 at 20:13

6 Answers

1

An option not mentioned here is to use Flash local storage. The downside is that it requires Flash. The upside is that it is quite difficult to clean.

Vilx-
0

IP address, cookies, and sessions. Try for all three of them.

There's no sure-fire way, but those three used together are the best you've got.

Also, you could try email address verification as that'd throw people off, but it will also greatly decrease the likelihood that a given user will want to vote.

Cyclone
0

A lot of sites make people register for an account to vote so that their votes can be associated with that id and limited.

Another option is to track IP addresses. While this is not perfect (IP address could be spoofed, people's IP addresses change occasionally, only 1 vote per NAT), it's better than nothing.

A third option is to combine IP address with the user agent string of the browser, which still has some vulnerabilities, but gets closer.

Bob Baddeley
0

You can get the user's IP address from the environment variable $_SERVER['REMOTE_ADDR']. In theory, each user has a unique IP address. In practice, there are several issues: multiple users on the same internet connection will have the same IP, and IPs get changed and recycled by the service providers, so you would end up with some falsely identified duplicate users. There are also ways of changing your IP, so it's still possible to cheat the system with a little effort.

If what you're working on is a toy application, these aren't serious problems. If this isn't for a toy application, you would almost certainly be better off finding an existing solution instead of trying to make your own. I can't recommend any in particular, but I'm sure that there are plenty out there.

0

I asked this question which is similar and might provide some insight:

Implementing a voting system without requiring registration

Edit: Sounds like it's very similar actually. To give you some perspective, I actually ended up re-writing the base of my code to have votes tied to an authenticated user account because there was no way otherwise to accomplish this with certainty it wasn't going to be taken advantage of.

Community
barfoon
  • Why is this voted down??? My question talks about 'distinguishing users' and resources for a problem along the same lines. – barfoon Apr 13 '11 at 20:43
0

You can use `get_browser` and IP address, log them and compare on every vote. You don't need to log all the values from `get_browser`, you could hash it (`$userData = md5(serialize(get_browser(null, true)));`) and store the hash.

Try the get_browser code below:

```php
<?php
$browser = get_browser(null, true);
print_r($browser);
?>
```

It will return something like this:

```
Array
(
[browser_name_regex] => ^mozilla/5\.0 (windows; .; windows nt 5\.1; .*rv:.*) gecko/.* firefox/0\.9.*$
[browser_name_pattern] => Mozilla/5.0 (Windows; ?; Windows NT 5.1; *rv:*) Gecko/* */Firefox/0.9*
[parent] => Firefox 0.9
[platform] => WinXP
[browser] => Firefox
[version] => 0.9
[majorver] => 0
[minorver] => 9
[cssversion] => 2
[frames] => 1
[iframes] => 1
[tables] => 1
[cookies] => 1
[backgroundsounds] =>
[vbscript] =>
[javascript] => 1
[javaapplets] => 1
[activexcontrols] =>
[cdf] =>
[aol] =>
[beta] => 1
[win16] =>
[crawler] =>
[stripper] =>
[wap] =>
[netclr] =>
)
```
ThoriumBR
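One way to implement the log-and-compare approach from the answers above, as an added example that is not code from any of the posters. It assumes PDO with an in-memory SQLite database (`INSERT OR IGNORE` is SQLite syntax), uses the raw User-Agent header in place of `get_browser()` so it runs without browscap.ini, and swaps a keyed HMAC-SHA-256 for the plain `md5`; the table, function and constant names are hypothetical.

```php
<?php
// Added example, not code from the answers. Table and function names are hypothetical.
declare(strict_types=1);

// Assumption: a random secret kept in server config, never in the database.
const FINGERPRINT_KEY = 'replace-with-a-random-server-side-secret';

// Keyed hash of the signals the answers mention: IP address plus browser data.
// The raw User-Agent header stands in for get_browser(), which needs browscap.ini.
function voter_fingerprint(string $ip, string $userAgent): string
{
    return hash_hmac('sha256', $ip . "\n" . $userAgent, FINGERPRINT_KEY);
}

function open_vote_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The UNIQUE constraint enforces "one vote per fingerprint per poll" atomically,
    // so two simultaneous requests cannot both pass a check-then-insert race.
    $db->exec('CREATE TABLE votes (
        poll_id INTEGER NOT NULL,
        fingerprint TEXT NOT NULL,
        choice TEXT NOT NULL,
        UNIQUE (poll_id, fingerprint)
    )');
    return $db;
}

// Returns true if the vote was recorded, false if this fingerprint already voted.
function cast_vote(PDO $db, int $pollId, string $fingerprint, string $choice): bool
{
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO votes (poll_id, fingerprint, choice) VALUES (?, ?, ?)'
    );
    $stmt->execute([$pollId, $fingerprint, $choice]);
    return $stmt->rowCount() === 1;
}

// Constructed sample requests (documentation IP range, made-up User-Agent strings).
$db = open_vote_store();
$first  = voter_fingerprint('203.0.113.10', 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0');
$second = voter_fingerprint('203.0.113.10', 'Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/2.0');

var_dump(cast_vote($db, 1, $first, 'yes'));  // first vote from this fingerprint
var_dump(cast_vote($db, 1, $first, 'no'));   // repeat from the same IP and browser
var_dump(cast_vote($db, 1, $second, 'yes')); // same NAT IP, different browser
```

Storing only the keyed hash keeps raw IP addresses and browser details out of the votes table; it does not change the limits the answers describe, since identical browsers behind one NAT still collide and changing either signal yields a new fingerprint.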