
[SOLVED] Visitor Voting System - Can only vote once - (W/ No Login)


Steve Jabs


So here is my dilemma.  I am building a photo gallery system for a client in which visitors upload their photos to the system and these photos are inserted into a gallery that all visitors are able to see and vote on.  But because visitors upload these photos for a contest they didn't want to force users to have to log in to upload or vote.  They also only want visitors to be able to vote for one photo during a given time period (whether it be 24hrs or whatever).

 

The problem I have is that I cannot for the life of me figure out a bullet-resistant way of accomplishing this through just cookies and storing their IP in the database.  Because, a.) if the visitor is remotely web savvy they could just delete the cookie and vote again.  Also b.), if a group of visitors in a company visit the site to vote on photos they are likely behind a firewall and would all produce the same IP.  This would only let the first visitor vote and lock out the rest.

 

So I'm basically looking for some guiding light here.  I don't really need code... just a few fresh ideas of how I can accomplish this.

 

Thanks guys!  Long time board reader just never needed to sign up.

 


I can't personally think of another way to go about it than using cookies.  IPs are out for the reasons you stated.  You can't store it in sessions and there really is no unique identifier beyond that.  Chances are that even the web-savvy people aren't going to go to the bother of deleting the cookie just to vote again.  Even if they did, that would be a pain to repeat.

 

If you wanted to go one step further, you could put some flood control in place by IP and use the cookie method as well, so no one from the same IP could vote again in less than a 5 or 10 minute span.  That would be annoying enough to deter people from deleting and voting again right away.  You might catch a few people behind a firewall and piss them off, so it's up to you in terms of trade-off.

 

Sorry, but I can't think of another way to do it.


I think you need to aim for something less than bullet proof on this one. It's practically impossible to uniquely identify not just individual computers, but individual people on the internet - even with a login system.

 

You could use HTTP_X_FORWARDED_FOR to get the LAN IPs through proxy servers to combat the problem of more than 1 machine accessing the site through the same internet connection - but that won't necessarily work as some proxies could block it, and even if it does work, more than 1 person might use the same machine in a day.

 

What I think you need to do is analyse who are the end users of the system. Are they likely to be web savvy? Are they likely to be accessing the site from work? If not, simply setting a cookie or recording the IP is most likely going to be enough. If they are web savvy, it won't be enough. It's easy to change your IP or delete a cookie. If they are web savvy or access to the site from the same IP address is quite likely, maybe a login system would be more appropriate.

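An added sketch, not code from any poster in this thread, of the two ideas in the replies above: a vote cookie backed by per-IP flood control, and X-Forwarded-For used only when the request arrives from a proxy the site itself runs, since the header is otherwise client-supplied. The secret, the proxy address, the in-memory store and all function names are assumptions for illustration; the environ keys follow the CGI/WSGI naming used in the thread.

```python
import hashlib, hmac, ipaddress, time

SECRET = b"constructed-demo-key"   # assumption: secret kept on the server
TRUSTED_PROXIES = {"10.0.0.5"}     # assumption: the site's own reverse proxy
COOKIE_WINDOW = 24 * 3600          # one vote per cookie per 24 hours
IP_COOLDOWN = 10 * 60              # flood control: 10 minutes per IP

def client_ip(environ):
    """Honor X-Forwarded-For only when the direct peer is our own proxy."""
    peer = environ["REMOTE_ADDR"]
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and xff:
        candidate = xff.split(",")[-1].strip()  # entry appended by our proxy
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass                                # malformed header: ignore it
    return peer

def sign(ts):
    """Cookie value: vote timestamp plus an HMAC so it cannot be edited."""
    mac = hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def cookie_time(cookie):
    """Return the vote timestamp from a cookie, or None if absent or forged."""
    ts = (cookie or "").partition(".")[0]
    if ts.isascii() and ts.isdigit() and hmac.compare_digest(
            sign(int(ts)).encode(), cookie.encode()):
        return int(ts)
    return None

def try_vote(environ, cookie, last_vote_by_ip, now=None):
    """Return (accepted, reason, cookie_to_set)."""
    now = int(time.time()) if now is None else now
    voted_at = cookie_time(cookie)
    if voted_at is not None and now - voted_at < COOKIE_WINDOW:
        return False, "cookie: already voted in this period", cookie
    ip = client_ip(environ)
    last = last_vote_by_ip.get(ip)
    if last is not None and now - last < IP_COOLDOWN:
        return False, "ip: cooldown still running", cookie
    last_vote_by_ip[ip] = now
    return True, "ok", sign(now)
```

Deleting the cookie still allows another vote once the IP cooldown has passed, which is the trade-off the replies describe: the cooldown slows repeat voting and shared-IP visitors wait at most ten minutes rather than being locked out for the day.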

I think you need to aim for something less than bullet proof on this one. It's practically impossible to uniquely identify not just individual computers, but individual people on the internet - even with a login system.

 

You could use HTTP_X_FORWARDED_FOR to get the LAN IPs through proxy servers to combat the problem of more than 1 machine accessing the site through the same internet connection - but that won't necessarily work as some proxies could block it, and even if it does work, more than 1 person might use the same machine in a day.

 

What I think you need to do is analyse who are the end users of the system. Are they likely to be web savvy? Are they likely to be accessing the site from work? If not, simply setting a cookie or recording the IP is most likely going to be enough. If they are web savvy, it won't be enough. It's easy to change your IP or delete a cookie. If they are web savvy or access to the site from the same IP address is quite likely, maybe a login system would be more appropriate.

 

Sadly the login system is not allowed to be implemented.  Trust me.  I basically begged and pleaded for it.  And no, they aren't necessarily going to be web savvy, but since prizes are being given away on a monthly basis for the top voted photo we are pretty much legally obligated to make it as secure as possible...... just without a user login.

 

I know, it's stupid, but thems be the breaks sadly.

 

Thanks a ton, I'm going to give this a whirl.


If you wanted to go one step further, you could put some flood control in place by IP and use the cookie method as well, so no one from the same IP could vote again in less than a 5 or 10 minute span.  That would be annoying enough to deter people from deleting and voting again right away.  You might catch a few people behind a firewall and piss them off, so it's up to you in terms of trade-off.

 

That is actually a fantastic idea.  Definitely going to do this if the HTTP_X_FORWARDED_FOR method doesn't pan out.


If you wanted to go one step further, you could put some flood control in place by IP and use the cookie method as well, so no one from the same IP could vote again in less than a 5 or 10 minute span.  That would be annoying enough to deter people from deleting and voting again right away.  You might catch a few people behind a firewall and piss them off, so it's up to you in terms of trade-off.

 

That is actually a fantastic idea.  Definitely going to do this if the HTTP_X_FORWARDED_FOR method doesn't pan out.

 

HTTP_X_FORWARDED_FOR didn't really work out.  It was hit or miss in the tests I ran.  So I got the client to budge a bit and we are just doing a cookie/captcha routine with a bit of timeout between votes.

 

Thanks guys for your help!

