How would you handle this voting script problem?

monkey junkie

Hello

I am writing a script where the public (i.e. web surfers) can vote products up or down.

I want to stop people voting the same product up or down multiple times.

The simple (but slightly restrictive) solution I am considering is as follows -

Every time a product gets voted up or down, the IP of the person who did the voting gets added to that products database entry.

Kind of simple. The problems with this are as follows -

1. In a dynamic IP environment, the user can go offline and back online, and maybe he'll have a new IP, so maybe he can make the same vote again...
   
2. In a dynamic IP environment, it's possible "innocent" people will be blocked from voting.

I could use a cookie combination to solve 1, but for 2 I don't know...

Can any of you think of a better way to deal with this?

I know no solution is probably fool proof, but I'd like to make it as fair and anti-cheat as possible.

Thanks in advance for any help.

damnyanks

Ideally you'd want some sort of registration system making it more difficult to abuse.

monkey junkie

OK, there can't be a registration system...

Perhaps a timer? For example, once you make a vote, that IP is blocked for a week or something like that...

jhegarty

monkey junkie wrote:

OK, there can't be a registration system...

Perhaps a timer? For example, once you make a vote, that IP is blocked for a week or something like that...

but then everyone working for a company (behind the firewall) will get one vote between them....

monkey junkie

Yeah, it's tricky.

However, only being able to vote for that product once per week is better than being able to vote for it continuously.

Anyone else??

Thanks for the replies so far.

Mutant_Fruit

The best option is a combination of the above. If registration is out, then you're screwed really, there's no way to stop people stuffing the ballots.

The best compromise would be to allow up to 5 submissions per IP. However use a cookie to prevent one user using the same computer each time. Maybe also putting a min of a 5 minutes between each vote might be useful.

This would allow multiple people in the same office block to vote without unduly affecting them.

A cooloff period of 24 hours could be used for IPs so that once the limit is reached, you can't vote again for at least 24 hours.

It really depends on how accurate you want this. Nothing will stop people from stuffing the ballots except using registration. All that's left is to figure out how restrictive you want to be.

samelterrance

Hi,

How about using the MAC address rather than the IP address.
Advantages are MAC address is unique where IP address can be the same for different users if behind a proxy. MAC address won't change where IP can.

Disadvantage. Multiple users on one machine can't vote, i.e companies where hot desk swapping happens (this is really really minimal nowadays though)

Gareth37

My solution would be:

1. Always place a cookie on their PC after they vote. If you find the cookie there do not let them vote again.

2. To account for the scenario where someone keeps clearing cookies to vote you could check their IP and only allow each IP one vote per hour.

3. Block proxy IP addresses.

Of course if someone wanted a way around this then they could use dynamic IP addresses, such as dial up, and clear the cookies each time. However, the above makes it more difficult for them to vote more than once. You don't tell them how you know they voted before, you just say that the system detected that that PC has already voted.

The only full proof way is to get their MAC address or PC name although Im not sure you can do this without downloading something onto their PC. Registration by mobile phone would be a way also but I think the method proposed by me at the top will do ya....

Gareth37

samelterrance wrote:

Hi,

How about using the MAC address rather than the IP address.
Advantages are MAC address is unique where IP address can be the same for different users if behind a proxy. MAC address won't change where IP can.

Disadvantage. Multiple users on one machine can't vote, i.e companies where hot desk swapping happens (this is really really minimal nowadays though)

Is it possible to get someone's MAC address using a script such as PhP or PERL?

samelterrance

You can in .NET all right,

just saw this article in PHP
http://www.phpclasses.org/browse/package/1942.html

Gareth37 wrote:

Is it possible to get someone's MAC address using a script such as PhP or PERL?

DublinDilbert

I could be wrong, but i think MAC is only available if the packets are sent over Ethernet.... ie once the Ethernet packets reach a DSL modem they are removed from the Ethernet frame, and the TCP/IP packet is sent down the line by itself...

So if the web server & the people voting are on the same Ethernet you could use MACs, but if it is relayed over a TCP network then this is not an option...

Even though hardware MACs are globally unique they are not relayed all around the internet...I think maybe in the early days this was one of the intentions... but Ethernet is just really used as a point to point link now, which encapsulates TCP packets on LANs.... once it goes onto a different media all that is transfered is the TCP packet no Ethernet header ect...

samelterrance

Hi DubDilbert,

Do you not think it's possible that when a user on the web accesses a page, that there is mac address is posted to a hidden field on the web page ?

DublinDilbert wrote:

I could be wrong, but i think MAC is only available if the packets are sent over Ethernet.... ie once the Ethernet packets reach a DSL modem they are removed from the Ethernet frame, and the TCP/IP packet is sent down the line by itself...

So if the web server & the people voting are on the same Ethernet you could use MACs, but if it is relayed over a TCP network then this is not an option...

Even though hardware MACs are globally unique they are not relayed all around the internet...I think maybe in the early days this was one of the intentions... but Ethernet is just really used as a point to point link now, which encapsulates TCP packets on LANs.... once it goes onto a different media all that is transfered is the TCP packet no Ethernet header ect...

seamus

It should be possible to generate an (almost) unique identifier from someone's IP and other headers sent to the script such as the browser type. Some proxies will also add an "x-forwarded-for" header that contains the internal IP of the machine.

Your main problem with such an identifier is that if people are accessing it from work, it's likely that they all have a standard build of machine, so most of the headers sent by the machines in that company will be identical. For security reasons, many proxies will strip out browser headers, further reducing the information you can get your hands on.

If it's really all that important, you could do an email verify. They stick in their email address, and have to click a link to verify the vote. It doesn't guarantee that people won't do multiple votes, but for the sake of an online poll, most people couldn't be arsed.

Do you not think it's possible that when a user on the web accesses a page, that there is mac address is posted to a hidden field on the web page ?

Not for a public website. The best attempt is to use active X controls to forcibly obtain that information, but that means that it won't work for a quarter of visitors, and of those who are actuall using IE, most probably won't install your active X control.

DublinDilbert

samelterrance wrote:

Hi DubDilbert,

Do you not think it's possible that when a user on the web accesses a page, that there is mac address is posted to a hidden field on the web page ?

Hi,

It might be possible to write a Java Applet to figure out the MAC address, I'm not sure if the JVM would allow an applet to do this or not...

The biggest problem i can see with using MAC addresses is (just thought of this), that not everyone will have one! if they aren't connected to the internet via an Ethernet/LAN, they will not have a MAC... so anyone with a modem won't have a MAC...

Ummmm back to the drawing board...

marco_polo

Off topic but I can't resist . OP is your name Martin Cullen by any chance?

Gareth37

marco_polo wrote:

Off topic but I can't resist . OP is your name Martin Cullen by any chance?

No it cannot be him. He seems way too intelligent.