Steve Jabs Posted April 7, 2009

So here is my dilemma. I am building a photo gallery system for a client in which visitors upload their photos to the system and these photos are inserted into a gallery that all visitors are able to see and vote on. But because visitors upload these photos for a contest, they didn't want to force users to have to log in to upload or vote. They also only want visitors to be able to vote for one photo during a given time period (whether it be 24hrs or whatever). The problem I have is that I cannot for the life of me figure out a bullet-resistant way of accomplishing this through just cookies and storing their IP in the database. Because, a.) if the visitor is remotely web savvy they could just delete the cookie and vote again. Also b.), if a group of visitors in a company visit the site to vote on photos, they are likely behind a firewall and would all produce the same IP. This would only let the first visitor vote and lock out the rest. So I'm basically looking for some guiding light here. I don't really need code... just a few fresh ideas of how I can accomplish this. Thanks guys! Long time board reader, just never needed to sign up.
ober Posted April 7, 2009

I can't personally think of another way to go about it than using cookies. IPs are out for the reasons you stated. You can't store it in sessions and there really is no unique identifier beyond that. Chances are that even the web-savvy people aren't going to go to the bother of deleting the cookie just to vote again. Even if they did, that would be a pain to repeat. If you wanted to go one step further, you could put some flood control in place by IP and use the cookie method as well, so no one from the same IP could vote again in less than a 5 or 10 minute span. That would be annoying enough to deter people from deleting and voting again right away. You might catch a few people behind a firewall and piss them off, so it's up to you in terms of trade-off. Sorry, but I can't think of another way to do it.
phil88 Posted April 7, 2009

I think you need to aim for something less than bullet proof on this one. It's practically impossible to uniquely identify not just individual computers, but individual people on the internet - even with a login system. You could use HTTP_X_FORWARDED_FOR to get the LAN IPs through proxy servers to combat the problem of more than 1 machine accessing the site through the same internet connection - but that won't necessarily work as some proxies could block it, and even if it does work, more than 1 person might use the same machine in a day. What I think you need to do is analyse who are the end users of the system. Are they likely to be web savvy? Are they likely to be accessing the site from work? If not, simply setting a cookie or recording the IP is most likely going to be enough. If they are web savvy, it won't be enough. It's easy to change your IP or delete a cookie. If they are web savvy or access to the site from the same IP address is quite likely, maybe a login system would be more appropriate.
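The two suggestions above (ober's cookie plus per-IP flood control, and phil88's HTTP_X_FORWARDED_FOR idea with its caveat) combine into one vote-limiting check. The following is an added example written for this thread, not code posted by anyone in it and not tied to any framework; it keeps the vote records in memory and takes the request fields as plain arguments so it runs stand-alone. Assumed values are the secret key, the 24-hour vote window, ober's 10-minute IP cooldown, and the TRUSTED_PROXIES set (the address of a reverse proxy you operate yourself). The cookie token is HMAC-signed so a visitor cannot mint or alter one; deleting it remains possible, which is exactly the gap the IP cooldown is there to narrow. X-Forwarded-For is only honoured when the TCP peer is one of your own proxies, because from anyone else that header is just client-supplied input.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumptions for the demo (constructed values, not from the thread):
SECRET = b"constructed-demo-secret-load-from-config-in-production"
VOTE_WINDOW_SECONDS = 24 * 3600   # one vote per voter token per day
IP_COOLDOWN_SECONDS = 10 * 60     # ober's 5-10 minute flood control, per IP
TRUSTED_PROXIES = {"10.0.0.1"}    # hypothetical address of our own reverse proxy


def issue_voter_token() -> str:
    """Random voter id plus an HMAC tag, stored in the visitor's cookie."""
    vid = secrets.token_hex(16)
    tag = hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()
    return f"{vid}.{tag}"


def parse_voter_token(token: Optional[str]) -> Optional[str]:
    """Return the voter id if the cookie value carries a valid tag, else None."""
    if not token or "." not in token:
        return None
    vid, tag = token.split(".", 1)
    expected = hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()
    return vid if hmac.compare_digest(tag, expected) else None


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Use X-Forwarded-For only when the direct peer is a proxy we operate.

    From any other peer the header is attacker-controlled and is ignored.
    """
    if remote_addr in TRUSTED_PROXIES and x_forwarded_for:
        first = x_forwarded_for.split(",")[0].strip()   # original client per proxy chain
        if first:
            return first
    return remote_addr


@dataclass
class VoteStore:
    """In-memory stand-in for the database tables the thread talks about."""
    last_vote_by_token: Dict[str, float] = field(default_factory=dict)
    last_vote_by_ip: Dict[str, float] = field(default_factory=dict)


def try_vote(store: VoteStore, cookie: Optional[str], remote_addr: str,
             x_forwarded_for: Optional[str], now: float) -> Tuple[bool, str, str]:
    """Decide one vote attempt.

    Returns (accepted, reason, cookie_to_set). The caller sets the returned
    cookie on the response so a visitor without a valid one receives a fresh token.
    """
    vid = parse_voter_token(cookie)
    if vid is None:
        cookie = issue_voter_token()          # missing or tampered: issue a new one
        vid = parse_voter_token(cookie)
    ip = client_ip(remote_addr, x_forwarded_for)

    last_by_token = store.last_vote_by_token.get(vid)
    if last_by_token is not None and now - last_by_token < VOTE_WINDOW_SECONDS:
        return False, "already_voted", cookie

    last_by_ip = store.last_vote_by_ip.get(ip)
    if last_by_ip is not None and now - last_by_ip < IP_COOLDOWN_SECONDS:
        return False, "ip_cooldown", cookie

    store.last_vote_by_token[vid] = now
    store.last_vote_by_ip[ip] = now
    return True, "ok", cookie


def demo() -> list:
    """Walk through the situations raised in the thread; returns the reasons in order."""
    store = VoteStore()
    reasons = []
    accepted, why, tok = try_vote(store, None, "203.0.113.5", None, 0)
    reasons.append(why)                                                    # first vote: ok
    reasons.append(try_vote(store, tok, "203.0.113.5", None, 60)[1])       # same cookie: already_voted
    reasons.append(try_vote(store, None, "203.0.113.5", None, 60)[1])      # cookie deleted: ip_cooldown
    reasons.append(try_vote(store, None, "203.0.113.5", None, 120)[1])     # coworker behind same NAT: ip_cooldown (the trade-off)
    reasons.append(try_vote(store, None, "10.0.0.1", "192.0.2.10", 120)[1])    # via our proxy, XFF honoured: ok
    reasons.append(try_vote(store, None, "203.0.113.5", "192.0.2.99", 130)[1])  # XFF from untrusted peer ignored: ip_cooldown
    reasons.append(try_vote(store, tok + "x", "203.0.113.5", None, 700)[1])     # tampered cookie, cooldown elapsed: ok
    return reasons


if __name__ == "__main__":
    print(demo())
```

The last step of `demo()` is the honest limit of the scheme, as the thread already says: once the cooldown has passed, a visitor who discards the cookie can vote again, so the IP window is a deterrent rather than a guarantee. The order of checks matters a little: the token check runs first so that a returning voter gets "already voted" rather than a confusing cooldown message.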
Steve Jabs (Author) Posted April 7, 2009

> I think you need to aim for something less than bullet proof on this one. It's practically impossible to uniquely identify not just individual computers, but individual people on the internet - even with a login system. You could use HTTP_X_FORWARDED_FOR to get the LAN IPs through proxy servers to combat the problem of more than 1 machine accessing the site through the same internet connection - but that won't necessarily work as some proxies could block it, and even if it does work, more than 1 person might use the same machine in a day. What I think you need to do is analyse who are the end users of the system. Are they likely to be web savvy? Are they likely to be accessing the site from work? If not, simply setting a cookie or recording the IP is most likely going to be enough. If they are web savvy, it won't be enough. It's easy to change your IP or delete a cookie. If they are web savvy or access to the site from the same IP address is quite likely, maybe a login system would be more appropriate.

Sadly the login system is not allowed to be implemented. Trust me. I basically begged and pleaded for it. And no, they aren't necessarily going to be web savvy, but since prizes are being given away on a monthly basis for the top voted photo we are pretty much legally obligated to make it as secure as possible... just without a user login. I know, it's stupid, but thems be the breaks sadly. Thanks a ton, I'm going to give this a whirl.
Steve Jabs (Author) Posted April 7, 2009

> If you wanted to go one step further, you could put some flood control in place by IP and use the cookie method as well, so no one from the same IP could vote again in less than a 5 or 10 minute span. That would be annoying enough to deter people from deleting and voting again right away. You might catch a few people behind a firewall and piss them off, so it's up to you in terms of trade-off.

That is actually a fantastic idea. Definitely going to do this if the HTTP_X_FORWARDED_FOR method doesn't pan out.
Steve Jabs (Author) Posted April 8, 2009

> If you wanted to go one step further, you could put some flood control in place by IP and use the cookie method as well, so no one from the same IP could vote again in less than a 5 or 10 minute span. That would be annoying enough to deter people from deleting and voting again right away. You might catch a few people behind a firewall and piss them off, so it's up to you in terms of trade-off.

> That is actually a fantastic idea. Definitely going to do this if the HTTP_X_FORWARDED_FOR method doesn't pan out.

HTTP_X_FORWARDED_FOR didn't really work out. It was hit or miss in the tests I ran. So I got the client to budge a bit and we are just doing a cookie/captcha routine with a bit of timeout between votes. Thanks guys for your help!