Stopping users voting multiple times on a website

16

29

I'm planning to add some vote up/vote down buttons to a website I run. This seems easy enough but I want to stop people voting multiple times. One solution would be to make them register before allowing them to vote but I'd prefer not to have to force them to register.

Is there a reasonably straightforward way of doing this? Checking the IP address doesn't seem like a good solution, since it's possible that multiple users may come from the same IP address.

Cookies might be the answer, but a savvy user could delete the cookie. Any better ideas?

Dipietro answered 21/2, 2009 at 10:6 Comment(0)
24

Sorry I don't have a useful answer, I just want to share my experience.

About 8 years ago I worked for a site that ran online polls. We once got hacked by some bots voting on some of our questions several hundred votes a minute.

I had to implement some emergency checks: IP address, cookies, and I really don't remember what else.

At the end of the day we decided to take the polls down. Those damn robots just didn't care. IP addresses were spoofed, cookies were being deleted, etc.

If you really, really need the polls to be unhackable, I don't see any other way than requiring registration and using captchas to avoid bots signing up for new accounts.

And the sad thing is that this was just an entertainment site with polls on what's your favorite color and things like that.

The only thing we didn't try was using captchas, because they didn't exist at the time. That might have reduced non-human cheating a good deal.

Don't take this as any kind of expert advice on the matter, because that was the only time I had anything to do with online polls, but I remembered my story and wanted to share.

Lungki answered 21/2, 2009 at 10:25 Comment(4)
You cannot spoof an IP address? – Arrest
Under special circumstances, yes you can. Also, there is proxying and other means of changing your IP, and botnets and router hacking and whatnot. IP addresses are still good for many uses, but Fort Knox they are not. – Cia
I'm not an expert in TCP/IP, but I suppose you should be able to easily spoof an IP address at the packet level if all you care about is making a request (like in a DoS attack) and you are not expecting to get the response back. But I know I could be wrong. – Lungki
@Sergio: it's not completely trivial for TCP/IP, since even a simple HTTP request requires a handshake with the server, which is rather hard to get right if you can't "hear" the server's answer. – Telescopic
8

I think it really comes down to the nature of your website, and how accurate your results need to be.

Using a cookie seems like the best option, but it depends on the target audience of your website. Would they be tech-savvy enough to try and beat the system to allow them to vote multiple times? If not, the risk should be fairly low and this would seem like the best approach.

Checking against an IP address, as you said, may be too restrictive. But if it's critical for all votes to be from unique individuals, this might be the better approach even if it means some legitimate voters won't get to vote.

I thought of another option, but I'm not sure if it's possible or feasible. If you could combine the IP address approach with a hardware based check (e.g. MAC address of NIC) this would eliminate the IP address approach being too restrictive due to NAT within a LAN. But it wouldn't help the situation where you have a computer in an Internet cafe used by different individuals.

You should also use captcha (for non registered accounts) to reduce the likelihood of voting bots. If someone wants to maliciously cast multiple votes, making it more difficult for them to automate the voting process through bots will help to hopefully reduce the occurrence of such behaviour.

Cobb answered 21/2, 2009 at 10:16 Comment(3)
MAC addresses are not exposed in HTTP headers. Hence a web site can't use them. – Journalistic
@HermanD - Yeah, that was a silly suggestion now that I think about it. Maybe another field in the TCP segment or IP header which is unique? The only problem is that the TCP connection will be reset each time, so this wouldn't be feasible either. – Cobb
@LeopardSkinPillBoxHat: also, without some deep-level hacking of the webserver, you won't get at TCP data from your HTTP app (and that's a good thing, most of the time). – Stepper
6

So, you want to have each unique person have only one vote on each item. When a person tries to vote who has already voted before, you want to detect this. This means that you have to identify the person. There are no tricks to get around that.

Now, since persons can log in from any computer, identifying the computer doesn't help. This rules out IP checks and cookies, as well as anything else based on the user's hardware.

How to identify a person? You can't. You can only force them to identify themselves, by providing unique credentials, like a social security number (I think this is often used in Korea), a passport number, or similar. This, of course, doesn't help if you don't check it, since anyone can make up a 10 digit number with little chance of collision.

Even having the user register doesn't really help per se -- they can just register another account.

Papist answered 21/2, 2009 at 10:28 Comment(1)
Yeah, but they most likely won't register tons of accounts just for faking a few votes :) – Stopover
5

I wonder if you could make it a multi-step process, to make it more difficult for BOTs.

Registering, or some similar task, gets you Cookie-A, and then when you vote you get Cookie-B, but if you have Cookie-B and don't have a suitable matching Cookie-A your vote doesn't count. If you try to re-register on the same machine that can be detected by you already having Cookie-A. Going through the steps too fast is treated as a BOT.

We had a psychometric test, with many questions, and users had to make thoughtful answers. An answer in sub-N seconds was someone just pressing buttons to get through it. We never told them that their answer was too quick, we just marked the data as "suspect".

So anyone trying to go straight to the Vote Button won't succeed. They would have to do Step-A, then Step-B, then Step-C in order.

To re-vote I would have to clear cookies, re-register, read the blurb-page (whatever) and finally re-vote, all in the right order, and not too fast.

Requiring JavaScript to be enabled may help, as may a Captcha system. Captcha could have some sort of delay - "Please watch as the two words appear" so that there are two words, shown one after another, but "real words" so that they can be easily memorised, and then typed in. Any response that is "too fast" is not valid.

At some point people will just become annoyed and not bother though.

Harpoon answered 21/2, 2009 at 13:32 Comment(0)
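The multi-step cookie flow described in this answer, written out as an added example (this is not code from the original post): Cookie-A is issued at registration, Cookie-B at vote time, and a vote only counts if both cookies carry a valid server-side HMAC, belong to the same session, were issued in order, and are not too close together in time. The secret, the cookie layout and the 5-second threshold are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-only-secret-rotate-me"
# Assumed minimum number of seconds a human plausibly needs between Step-A and Step-B.
MIN_STEP_SECONDS = 5


def _sign(step: str, session_id: str, issued_at: int) -> str:
    """HMAC over the cookie fields, so a client cannot forge or alter a cookie."""
    msg = f"{step}|{session_id}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(step: str, session_id: str, issued_at: int) -> str:
    """Build a signed cookie value of the form step:session:timestamp:signature."""
    return f"{step}:{session_id}:{issued_at}:{_sign(step, session_id, issued_at)}"


def parse_cookie(value, expected_step: str):
    """Return (session_id, issued_at) if the cookie is well-formed, is for the expected
    step and its signature verifies; otherwise return None."""
    try:
        step, session_id, ts, sig = value.split(":")
        issued_at = int(ts)
    except (ValueError, AttributeError):
        return None
    if step != expected_step:
        return None
    if not hmac.compare_digest(sig, _sign(step, session_id, issued_at)):
        return None
    return session_id, issued_at


def start_registration(now: int) -> str:
    """Step-A: hand out Cookie-A bound to a fresh random session id."""
    return issue_cookie("A", secrets.token_hex(8), now)


def record_vote(cookie_a, now: int):
    """Step-B: given a valid Cookie-A, hand out Cookie-B for the same session (None otherwise)."""
    parsed = parse_cookie(cookie_a, "A")
    if parsed is None:
        return None
    session_id, _ = parsed
    return issue_cookie("B", session_id, now)


def classify_vote(cookie_a, cookie_b) -> str:
    """Decide whether a submitted vote counts: 'ok', 'suspect:too-fast' (stored but flagged,
    as the answer describes) or a 'reject:...' reason."""
    a = parse_cookie(cookie_a, "A")
    b = parse_cookie(cookie_b, "B")
    if a is None:
        return "reject:no-valid-cookie-a"
    if b is None:
        return "reject:no-valid-cookie-b"
    if a[0] != b[0]:
        return "reject:cookie-mismatch"
    if b[1] < a[1]:
        return "reject:out-of-order"
    if b[1] - a[1] < MIN_STEP_SECONDS:
        return "suspect:too-fast"
    return "ok"


if __name__ == "__main__":
    cookie_a = start_registration(1000)
    print(classify_vote(cookie_a, record_vote(cookie_a, 1010)))  # a human-paced vote
    print(classify_vote(cookie_a, record_vote(cookie_a, 1001)))  # a bot racing through the steps
```

Signing the cookies is what makes the ordering check meaningful: without it a client could mint both cookies itself. As the answer itself notes, this does not stop someone who clears cookies and patiently repeats the whole sequence; it only raises the cost of automation.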
3

Obviously you need to identify the user so he can only vote once. But identifying the user doesn't mean you have to pop up a login screen. As said above, you can ask for the email address and use it as an identifier.

No one mentioned the way Stack Overflow works: if the user has something to win (here, reputation) when becoming a registered user, and if the login process is as simple as giving an email address, then that's a win-win situation in which the user is happy to log in and vote, and you're happy to have him registered and voting on things (and only once per question).

Jeff Atwood wrote an article about the "login barrier", which may give you clues.

Photography answered 14/3, 2009 at 0:46 Comment(0)
3

I once created a voting system for a contest. I was restricted from limiting votes by IP due to the fact that multiple people would be legitimately voting from the same IPs. As such, I went with the email confirmation method, requiring each voter to input an email address which a confirmation link was sent to, which, once clicked, would activate their vote and prevent additional votes using that address.

It did not work well. People created hundreds of false email addresses on various free sites.

What did work in the runoff vote, somewhat surprisingly, was adding the email address/vote pairs to a database but not immediately sending the confirmation emails out. Instead, I had a cron job send the batch of them every 15 minutes or so. This adds an additional complication for people registering many addresses, as they have to either leave them all open or remember the login info for each of them at some point in the future.

Of course, still easily bypassed for someone motivated enough, but it seemed to work well in this case.

Adamski answered 7/9, 2009 at 15:12 Comment(0)
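The delayed-batch confirmation scheme from this answer, as an added example (not the original contest code): votes are queued with a random token, the confirmation mails go out in batches on a fixed interval rather than immediately, and a vote is only tallied once its token comes back within a validity window. The 15-minute interval, the 24-hour token lifetime and the in-memory storage are assumptions for the example; a real system would persist the queue and hand the batch to a mailer.

```python
import hashlib
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

BATCH_INTERVAL = 15 * 60      # assumed: cron sends confirmation mails every 15 minutes
TOKEN_TTL = 24 * 60 * 60      # assumed: a confirmation link is valid for one day


@dataclass
class PendingVote:
    email: str
    choice: str
    submitted_at: int
    token_hash: str                 # only the hash is stored, so a DB leak cannot confirm votes
    sent_at: Optional[int] = None
    confirmed: bool = False


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ConfirmationQueue:
    """Vote queue with batched confirmation mail-out (constructed for this example)."""

    def __init__(self) -> None:
        self._by_email = {}          # normalised email -> PendingVote
        self._by_token_hash = {}     # sha256(token) -> PendingVote
        self._last_batch_at = 0
        self._tally = defaultdict(int)

    def submit(self, email: str, choice: str, now: int) -> str:
        """Record one vote per (normalised) address; the token is generated here but not mailed yet."""
        key = email.strip().lower()
        if key in self._by_email:
            return "already-submitted"
        token = secrets.token_urlsafe(16)
        entry = PendingVote(key, choice, now, _hash_token(token))
        self._by_email[key] = entry
        self._by_token_hash[entry.token_hash] = (entry, token)
        return "queued"

    def next_batch(self, now: int) -> List[Tuple[str, str]]:
        """Return (email, token) pairs to mail if the batch interval has elapsed, else nothing.
        The delay is the point: many fake addresses must all still be accessible later."""
        if now - self._last_batch_at < BATCH_INTERVAL:
            return []
        self._last_batch_at = now
        batch = []
        for entry, token in self._by_token_hash.values():
            if entry.sent_at is None:
                entry.sent_at = now
                batch.append((entry.email, token))
        return batch

    def confirm(self, token: str, now: int) -> str:
        """Handle a click on the confirmation link; tally the vote exactly once."""
        found = self._by_token_hash.get(_hash_token(token))
        if found is None:
            return "unknown"
        entry, _ = found
        if entry.sent_at is None:
            return "not-sent"
        if now - entry.sent_at > TOKEN_TTL:
            return "expired"
        if entry.confirmed:
            return "already-confirmed"
        entry.confirmed = True
        self._tally[entry.choice] += 1
        return "confirmed"

    def results(self) -> dict:
        return dict(self._tally)
```

Storing only the token hash means an attacker who reads the database still cannot confirm queued votes, and the per-address dedupe happens before any mail is sent, so resubmitting the same address does not generate extra mail.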
1

I've never used a system like this, but try to identify a user by their browser's fingerprint. This jQuery plugin combines screen size, color depth, user timezone, and installed plugins to create a unique ID of a user. Definitely not foolproof, but it's a different approach.

Sestertium answered 28/9, 2011 at 23:35 Comment(0)
0

There's no accurate way to avoid multiple votes from the same user, even if they don't delete cookies, they can use another browser, or another computer.

Cosper answered 21/2, 2009 at 10:15 Comment(0)
0

I think you should register the user before he up/down votes. You can get a little piece of information from the user to get registered, so he doesn't get bored or break off his registration. Afterwards he can update his account if he wants. IMHO this is the best solution.

Echevarria answered 21/2, 2009 at 10:18 Comment(0)
0

As has been said there is no 'perfect' solution.

As an attempt at an imperfect solution, how about storing a hash of the IP address and the user agent?

This would mean that different users from a given IP, which have different browser user agents, can still vote.

Journalistic answered 21/2, 2009 at 10:34 Comment(0)
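The hashed IP-plus-user-agent key from this answer, as an added example (not the original poster's code), also covering the "IP and cookie check" combination suggested further down in its IP half: the server stores a salted SHA-256 of the pair instead of the raw values, and a per-item ledger counts one vote per key while letting a voter reverse an earlier vote. The salt, the normalisation and the in-memory ledger are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed per-deployment salt: without it the stored hash can be reversed by
# enumerating the IPv4 space times a list of common user agents.
VOTER_SALT = b"example-salt-change-in-production"


def voter_key(ip: str, user_agent: str) -> str:
    """Salted SHA-256 of the IP address and User-Agent; this is what gets stored."""
    h = hashlib.sha256()
    h.update(VOTER_SALT)
    h.update(ip.strip().encode())
    h.update(b"\n")                       # separator so "a"+"bc" and "ab"+"c" differ
    h.update(user_agent.strip().encode())
    return h.hexdigest()


class VoteLedger:
    """In-memory store of votes keyed by item and hashed voter identity (constructed for the example)."""

    def __init__(self) -> None:
        self._votes = defaultdict(dict)   # item_id -> {voter_key: +1 or -1}

    def cast(self, item_id: str, ip: str, user_agent: str, direction: int) -> str:
        """Return 'counted', 'duplicate' (same vote again) or 'switched' (reversed an earlier vote)."""
        if direction not in (1, -1):
            raise ValueError("direction must be +1 or -1")
        key = voter_key(ip, user_agent)
        previous = self._votes[item_id].get(key)
        if previous is None:
            self._votes[item_id][key] = direction
            return "counted"
        if previous == direction:
            return "duplicate"
        self._votes[item_id][key] = direction
        return "switched"

    def score(self, item_id: str) -> int:
        """Net score of an item: upvotes minus downvotes."""
        return sum(self._votes[item_id].values())


if __name__ == "__main__":
    ledger = VoteLedger()
    # Constructed requests: two people behind one NAT address with different browsers.
    print(ledger.cast("q1", "203.0.113.7", "Mozilla/5.0 (X11; Linux)", 1))
    print(ledger.cast("q1", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0)", 1))
    print(ledger.cast("q1", "203.0.113.7", "Mozilla/5.0 (X11; Linux)", 1))   # duplicate
    print(ledger.score("q1"))
```

The trade-off the thread discusses is visible in the key: two colleagues with identical browsers on the same NAT collide and only one of them gets to vote, while a single person only has to change the User-Agent header to be counted again. Hashing with a salt at least avoids keeping raw IP addresses in the vote table.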
0

Use a cookie-based approach, it is accurate enough for most entertainment-grade polls on the web. Stay away from IP restrictions. This would mean that only one person from larger companies gets to vote and that only one person in a family gets to vote.

Polyzoic answered 21/2, 2009 at 11:24 Comment(1)
What about those who browse with cookies blocked by default? – Colobus
0

Also a possibility:

Let the user vote and fill out his email address. The user receives a confirmation email with a link he needs to click in order to confirm his vote.

But this way, the user also has quite some overhead.

Or do this in combination with registered users (who will not be forced to confirm).

Rail answered 24/2, 2009 at 12:22 Comment(0)
0

I know that this is an old thread. In any case, I suggest using evercookie (http://samy.pl/evercookie/) to track a user who has already voted!

Midterm answered 14/10, 2015 at 22:23 Comment(0)
0

It's a matter of how many identities a single person can control. The harder you make it for a single person to control multiple identities, the more secure your poll will be.

For entertainment-grade polls where the results don't matter, a single-cookie approach is enough. It is very easy to circumvent if the user opens incognito windows.

Better protection can be obtained if you put up a registration barrier; you can use OAuth-based logins for seamless authentication, and it would take some effort to switch accounts for more votes. But this doesn't stop the desperate ones from voting multiple times.

Even better if you send a confirmation code by SMS. Though people may own multiple phone numbers, it's not common to have a considerable number of phone numbers to execute a fraud. But this approach costs you money and can be abused by DoSing the server to exhaust all the SMSes.

If you want government-grade polls, where the votes can decide an election, then you should have the voters show up at the registration office to apply for the poll and let them choose one of the prepared PIN envelopes, which contains a long hash they can enter when casting the vote. So unless the organizers commit a fraud, voters can't. This also ensures anonymity.

Briarroot answered 6/1, 2016 at 16:56 Comment(0)
0

An old question, but to touch on new ways: these days there are many poll services out there who work tirelessly to implement numerous measures to avoid dupe votes, and constantly tweak their systems to counter new ways people introduce to circumvent them. Doing this yourself is a job in itself.

They even offer branding. And large corporations use them, so it's not like your company will look bad for outsourcing a poll.

If you need to do it yourself:

As has been said, registration is the only sure-fire way. If it's really important to avoid dupe votes (i.e. it's not just fave colour or something trivial/fun) then you can also limit voting to a link you send to the email they registered with.

While still not foolproof (nothing is), at least you force them to have a genuine email address which they have access to. This isn't too much trouble for users voting, but makes it fiddly to make many dupe votes: registering, waiting for email, using the link, etc.

Aphrodisiac answered 1/3, 2020 at 17:47 Comment(0)
-2

You already named all usable solutions. ;) It's your task to decide now.

I'd recommend combining an IP and cookie check.

Cristycriswell answered 21/2, 2009 at 10:9 Comment(1)
Cookies are under control of the client, and therefore easy to avert. Not recommendable IMO. – Badge