Posted by Rik Wasmus on 11/14/07 17:34
On Wed, 14 Nov 2007 07:36:07 +0100, damezumari <jannordgreen@gmail.com>
wrote:
> I have a simple voting page using php and mysql and wonder how I can
> prevent users from voting twice.
>
> Here are three ways:
>
> 1. IP locking or IP locking with a time limit
> The same IP address can not vote twice, or not vote twice within the
> time limit.
>
> 2. Cookies, weak version.
> If the user has cookies turned on they can only vote once. The cookie
> may be stored on the server and last till the browser is closed, or on
> the client and last till the user deletes it.
> If the user has cookies turned off they can vote as many times as they
> like.
>
> 3. Cookies, strong version
> If the user has cookies turned on a cookie (session variable) is
> stored on the server and lasts till the browser is closed.
> If the user has cookies turned off they are told to turn it on for at
> least the present site.
>
> I exclude any options that use usernames and/or passwords as that
> would be too cumbersome for most users.
>
> Disadvantages with each method:
>
> 1. Users behind a proxy have the same IP address. This means that if
> one has cast a vote, the others can't or have to wait a certain time
> to do so.
>
> 2. This allows repeated voting too easily.
>
> 3. People may decide not to vote as they do not want to take the time
> to turn cookies on for the present site, or are generally sceptical
> about cookies at all. They may vote again when they reopen the
> browser.
>
> Personally I like best method 3, but post my thoughts here to hear
> your ideas.

As indicated earlier, there's no real way except user authentication (and
even with registration: depending on the mechanism users can register as
many times as they want...). Last time I made something like this, I
applied a mix of all three (and clearly indicated to the client what it
could and couldn't do).

1. IP-check: an IP is saved with the vote, for possible statistical
analysis later on voting habits. There was also a (small) timeout on
IP-address, votes from the same IP had to be at least 2 minutes apart.
Hardly ideal, but it catches some eager cookie deleters/clickers. And yes,
it would block some users sharing the same IP address.

2. The fact a vote was given was stored in a cookie with a lifetime until
the end of the voting period (x days in the future). Easily deleted, but
remember: not all multiple voters deliberately try to mess up your poll,
some of them just click in every poll they see. The way this is used is
more like an indication whether to serve the voting form or the results so
far to the user (in this case both were displayed at the same location in
the page).

3. A session cookie was required for voting. People voting without a
session just got their vote discarded. My client really didn't care about
possible people not allowing cookies. Unless browser/internet use is
related to the specific poll, people not allowing cookies and people who
do probably don't vote differently enough to make a fuss about it. In an
open poll on internet you're not interested in individuals, it's 'a small
indication of probable averages' at best.
--
Rik Wasmus
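
The three layers described in the reply above, sketched in PHP as an added example; it is not Rik Wasmus's code. The function name cast_vote(), the votes table and the in-memory SQLite database (used instead of the thread's MySQL) are assumptions made so that the script runs on its own.

```php
<?php
// Added example. cast_vote(), the votes table and its columns are hypothetical.
const IP_GAP_SECONDS = 120; // "at least 2 minutes apart", from the post

function cast_vote(PDO $db, string $ip, int $choice, bool $hasSession,
                   bool $hasVotedCookie, int $now): string
{
    // Layer 3: the request carried no session cookie, so the vote is discarded.
    // In a page, $hasSession would come from a marker stored in $_SESSION
    // when the voting form was served.
    if (!$hasSession) {
        return 'discarded';
    }
    // Layer 2: the long-lived cookie only decides form vs. results.
    if ($hasVotedCookie) {
        return 'show_results';
    }
    // Layer 1: votes from one IP must be IP_GAP_SECONDS apart.
    $q = $db->prepare('SELECT MAX(cast_at) FROM votes WHERE ip = ?');
    $q->execute([$ip]);
    $last = $q->fetchColumn(); // NULL when this IP has not voted yet
    if ($last !== null && $last !== false
        && $now - (int)$last < IP_GAP_SECONDS) {
        return 'throttled';
    }
    // The IP is stored with the vote for later analysis.
    $ins = $db->prepare(
        'INSERT INTO votes (ip, choice, cast_at) VALUES (?, ?, ?)');
    $ins->execute([$ip, $choice, $now]);
    // The caller would now set the "voted" cookie, expiring at poll end.
    return 'accepted';
}

// Constructed demo data: in-memory database, documentation-range IP.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (ip TEXT, choice INTEGER, cast_at INTEGER)');

$t  = 1195000000;   // constructed timestamp
$ip = '192.0.2.10';
echo cast_vote($db, $ip, 1, false, false, $t), "\n";      // no session
echo cast_vote($db, $ip, 1, true, false, $t), "\n";       // first vote
echo cast_vote($db, $ip, 2, true, false, $t + 30), "\n";  // cookie deleted
echo cast_vote($db, $ip, 2, true, true, $t + 30), "\n";   // cookie kept
echo cast_vote($db, $ip, 2, true, false, $t + 121), "\n"; // shared IP, later
```

The IP check and the insert are separate statements, so two simultaneous requests from one address can both pass the check; the last call also shows the layers accepting a second vote once the cookie is gone and the two minutes have elapsed.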