
'Protecting' a polling mod which does not require logins


Merdok


Hi Guys,

I've built a polling mod for a website and it is very important that the site allows anyone to vote whether registered or not. I set the voting mod to put a cookie on the user's machine to register when that computer has placed their vote. However someone has already worked out that if they disable cookies they can dramatically skew the vote however they wish.

Is it possible for me to do a check to see if cookies exist and then only show the polling module to those who have it enabled? If it has to be done in JavaScript then that is fine, however in this instance it will need to display the form only if JavaScript AND cookies are enabled.


Well to make it very secure you could:

  • Log each visitor's IP when they vote, and check that it is in the database before you show the module (Do a last-voted date thing) - To bypass this they would have to keep swapping proxies.
  • Create a cookie - To bypass this they would delete their cookies.
  • Create a session (Which can't be deleted client side, but I'm not sure how long before they expire) - They cannot bypass this.

All of these in combination would make it very hard to beat.

> • Create a session (Which can't be deleted client side, but I'm not sure how long before they expire) - They cannot bypass this.

If memory serves, the ID for a user's PHP session is carried over from one request to another either by cookie or the session ID being sent as a parameter with the client's request (like in the URL.)  Because of this, a person would be able to "reset" their session data by either deleting the cookie value or just removing the session ID from their requests (editing the ID out of the URL, etc.)


>> • Create a session (Which can't be deleted client side, but I'm not sure how long before they expire) - They cannot bypass this.
>
> If memory serves, the ID for a user's PHP session is carried over from one request to another either by cookie or the session ID being sent as a parameter with the client's request (like in the URL.)  Because of this, a person would be able to "reset" their session data by either deleting the cookie value or just removing the session ID from their requests (editing the ID out of the URL, etc.)

I think you misunderstood what I meant. The thing that you are talking about is the sessionid which is sometimes appended to the end of a URL. I don't believe this has anything to do with a $_SESSION variable. Correct me if I am wrong, of course.


When you call session_start() with session.cookie_httponly off, then it creates a cookie; otherwise it searches for a session.name parameter that should hold the value for session_id() and loads the corresponding session if there is one.

What fr34k said was thus correct, you probably misunderstood.

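The checks discussed in this thread, sketched as an added example (not code posted by any participant): the cookie or session marker is treated as a hint the client may simply not send back, and the decision rests on a server-side record keyed by poll and IP with a last-voted window. The table layout, the 24-hour window, the function names and the request data are assumptions constructed for illustration; it uses PDO with an in-memory SQLite database and runs from the PHP command line.

```php
<?php
declare(strict_types=1);
// Added example; schema, names and the 24-hour window are assumptions.
const VOTE_WINDOW_SECONDS = 86400;

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE votes (poll_id INTEGER, ip TEXT, choice TEXT, voted_at INTEGER)');
    return $db;
}

// $clientState stands in for $_COOKIE / $_SESSION: only what the browser sent back.
function tryVote(PDO $db, int $pollId, string $ip, array $clientState, string $choice, int $now): array
{
    // Client-held marker: cheap early exit, but missing whenever cookies are
    // disabled or deleted, or the session ID is left off the request.
    if (!empty($clientState["voted_$pollId"])) {
        return ['accepted' => false, 'reason' => 'client marker present'];
    }
    // Server-held record: the "last-voted date" check, unaffected by cookie state.
    $q = $db->prepare('SELECT COUNT(*) FROM votes WHERE poll_id = ? AND ip = ? AND voted_at > ?');
    $q->execute([$pollId, $ip, $now - VOTE_WINDOW_SECONDS]);
    if ((int) $q->fetchColumn() > 0) {
        return ['accepted' => false, 'reason' => 'IP voted within window'];
    }
    $ins = $db->prepare('INSERT INTO votes (poll_id, ip, choice, voted_at) VALUES (?, ?, ?, ?)');
    $ins->execute([$pollId, $ip, $choice, $now]);
    return ['accepted' => true, 'reason' => 'recorded'];
}

// Constructed requests: [ip, client state sent, choice, unix time]
$db = openStore();
$t0 = 1700000000;
$requests = [
    ['203.0.113.7',  [],               'A', $t0],         // first vote
    ['203.0.113.7',  ['voted_1' => 1], 'A', $t0 + 10],    // marker sent back
    ['203.0.113.7',  [],               'A', $t0 + 20],    // marker not sent
    ['198.51.100.9', [],               'B', $t0 + 30],    // another address
    ['203.0.113.7',  [],               'A', $t0 + 90000], // window elapsed
];
foreach ($requests as [$ip, $state, $choice, $now]) {
    $r = tryVote($db, 1, $ip, $state, $choice, $now);
    printf("%-13s marker=%-3s %s (%s)\n", $ip, $state ? 'yes' : 'no',
        $r['accepted'] ? 'accepted' : 'rejected', $r['reason']);
}
```

Visitors who share one address behind NAT collide under this check, which is the trade-off of keying on IP for a poll that must stay open to unregistered users.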
