Unique Visitor Tracking

[Lytheum]

Hello. Currently, I run a voting site where voters are tracked by their IP address and can only vote once every 12 hours.

 

The system works well, except it can be exploited very easily. Visitor's only need to renew their ip to be allowed to vote again.

 

I have captcha in place to prevent bots from doing this, but if someone were dedicated, they could get a lot of free votes.

 

Does anyone have a better way to track such things? Cookies will not work either. It's easier to get around than an IP. Perhaps I'll have to use a language other than PHP?

 

Thanks for your help.

[crabfinger]

Well, you could have them submit an email address that has to be verified before they can vote.

[Lytheum]

That is definitely an approach that I will keep in mind. It will not completely stop abuse, but it will definitely make it harder to do.

 

Thank you.

 

Anyone else with a solution?

[Eejut]

Yes that's the only way around it from what I've read.. and ideally an email address which is an ISP email addy.. as opposed to hotmail, yahoo mail etc.. that's how some of 'em are doing it out there.  From what I've found out so far there's no way of stopping anyone from using proxy IPs and deleting cookies etc.

[crabfinger]

Unless you could somehow find a way to get the mac address of the users box then you could make it a little bit harder but still everything can be changed.

[Lytheum]

Well one thing I noticed is PHP's built-in function "gethostbyaddr()".

 

This will return the host name of a given IP, which generally (from what I've noticed) doesn't change very much even when an IP changes. So what if I used this function in conjunction with "similar_text()", and if host that is trying to vote has greater than a 75% match with a host that has already voted in the past 12 hours, deny them?

 

Would just like to hear some thoughts.

 

Otherwise, will most likely take Crabfinger & Eujut's approach. (Which will restrict a few people from voting, which pains me)

 

 

P.S. I've googled around to find out how to obtain the mac address, and it seems possible. Although I am sure it is not sent in the browsers HTTP headers, I think there is a work-around. I'll look more into that.

[teamatomic]

Dont bother with MAC addresses. There is a activeX thingy but you need that and the browser must be IE. Anyways all you will get is the MAC of the last router they went through.

 

 

HTH

Teamatomic

[redarrow]

No one should be able to vote unless they register on your web site,even if registering is a name,dob,email address only.

 

This way, the user get's a unique id, and then use that, and not the unreliable, ip address.

[ignace]

@crabfinger, redarrow: That won't stop me from voting a few million times I can get a ten-minute mail. Open 10-20 tabs to the register page and fill them in and submit them. Your system will be just flooded with fake accounts.

 

Many voting systems now use a SMS based service to vote. If someone now wants to vote a few million times you'll be rich