Posted by Erwin Moller on 11/14/07 09:17
damezumari wrote:
> I have a simple voting page using php and mysql and wonder how I can
> prevent users from voting twice.
Hi Jan,
>
> Here are three ways:
>
> 1. IP locking or IP locking with a time limit
> The same IP address cannot vote twice, or cannot vote twice within the
> time limit.
>
Yes, this works a little.
But, as you describe, this might block fresh users that are behind the
same IP.
Also, this can be circumvented with IP spoofing.
If I send a vote and fake the return address in the IP packet, I can
vote as many times as I like. But this is probably difficult for regular
cheaters.
> 2. Cookies, weak version.
> If the user has cookies turned on they can only vote once. The cookie
> may be stored on the server and last till the browser is closed, or on
> the client and last till the user deletes it.
> If the user has cookies turned off they can vote as many times as they
> like.
Cookie stored on the server?
I guess you mean that you remember some value set in a cookie on the
server and compare.
And yes, this is totally weak. Clearing cookies lets you re-vote.
>
> 3. Cookies, strong version
> If the user has cookies turned on a cookie (session variable) is
> stored on the server and last till the browser is closed.
> If the user has cookies turned off they are told to turn it on for at
> least the present site.
And what protects you against:
1) vote
2) clear cookies
3) vote
????
The fact that you create a session doesn't solve the problem at all.
Bottom line:
You have no safe way of voting like this.
The only reliable way is authenticating a user, and yes, that means a
username/password.
Sorry for the bad news.
Best bet is to go with option 1, I think; it has the disadvantages you
described already, but it is harder to break than just 'clear
cookies'.
Regards,
Erwin Moller
>
> I exclude any options that use usernames and/or passwords, as that
> would be too cumbersome for most users.
>
> Disadvantages with each method:
>
> 1. Users behind a proxy have the same IP address. This means that if
> one has cast a vote, the others can't or have to wait a certain time
> to do so.
>
> 2. This allows repeated voting too easily.
>
> 3. People may decide not to vote as they do not want to take the time
> to turn cookies on for the present site, or are generally sceptical
> about cookies at all. They may vote again when they reopen the
> browser.
>
> Personally I like method 3 best, but post my thoughts here to hear
> your ideas.
>
> Are there other ways than the 3 listed? Which one do you like the
> best? Why?
>
> Regards,
>
> Jan Nordgreen
>
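As an added example (not code from either poster), here is option 1 with a time limit implemented on MySQL through PDO: it keys the vote on a keyed hash of the connection's source address, expires old entries after the window, and lets the table's primary key reject a second vote so two concurrent requests cannot both slip through. The table name, columns, `VOTE_WINDOW_SECONDS` and `IP_HASH_SALT` are assumptions, and the connection is assumed to use exception error mode.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   CREATE TABLE votes (
//     poll_id  INT UNSIGNED NOT NULL,
//     ip_hash  BINARY(32)   NOT NULL,
//     choice   INT UNSIGNED NOT NULL,
//     voted_at DATETIME     NOT NULL,
//     PRIMARY KEY (poll_id, ip_hash)
//   );
// The primary key makes the check race-free: two simultaneous votes from
// the same address collide in the database, not only in PHP.

const VOTE_WINDOW_SECONDS = 86400; // one vote per address per day (assumed)
const IP_HASH_SALT = 'REPLACE-WITH-LONG-RANDOM-SECRET'; // placeholder value

function ipHash(string $ip): string {
    // Store a keyed hash instead of the raw address: equality still works
    // for the duplicate check, but the table is not a plain visitor list.
    return hash_hmac('sha256', $ip, IP_HASH_SALT, true);
}

function castVote(PDO $db, int $pollId, int $choice): bool {
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Use only the TCP connection's source address. X-Forwarded-For and
    // similar headers are supplied by the client and must not drive this
    // check unless a trusted reverse proxy is known to overwrite them.
    $ipHash = ipHash($_SERVER['REMOTE_ADDR']);

    // "With a time limit": drop this address's old vote once the window has
    // passed, so the insert below succeeds again after VOTE_WINDOW_SECONDS.
    $expire = $db->prepare(
        'DELETE FROM votes WHERE poll_id = ? AND ip_hash = ?
           AND voted_at < (NOW() - INTERVAL ? SECOND)');
    $expire->execute([$pollId, $ipHash, VOTE_WINDOW_SECONDS]);

    $insert = $db->prepare(
        'INSERT INTO votes (poll_id, ip_hash, choice, voted_at)
         VALUES (?, ?, ?, NOW())');
    try {
        $insert->execute([$pollId, $ipHash, $choice]);
        return true;                            // first vote in this window
    } catch (PDOException $e) {
        if ((int) $e->errorInfo[1] === 1062) {  // MySQL duplicate-key error
            return false;                       // already voted in this window
        }
        throw $e;                               // anything else is a real failure
    }
}
```

A `false` return is the point at which the page would tell the user they have already voted; as the thread notes, everyone behind one proxy shares that result until the window expires.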