Voting twice (or more): Is there a way to prevent it?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

I'm writing a small script that will allow users (registered) to design and put online their surveys. Non-registered ones will be able to vote though.

Given such simple work, all is going well, but I'm actually afraid of some bad guy who can do this kind of thing:


pseudocode 

for i=1 to 10000000000000

     params = "vote=the_worst_candidate";
     go_to_surveysite(params)
     change_my_session;

endfor


I'm relying on $_SESSION to reject double voting, because I don't want to restrict the functionality only to the anonymous visitors...

Is there any way to deal with this kind of risk?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

No. You can make it difficult though, using captchas, cookies, IP address checking, etc (ordered in desirability). But none of these are foolproof.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

If they are registered, as you have said, then you can assign a value to a database against their username that says "you've already voted, no more voting allowed!"
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

Jenk wrote: If they are registered, as you have said, then you can assign a value to a database against their username that says "you've already voted, no more voting allowed!"

From my post:
"Non registered ones will be able to vote though." :wink:
reecec
Forum Contributor
Posts: 218
Joined: Sun Apr 02, 2006 7:12 am

Post by reecec »

As Ambush Commander said, captchas would work, as this would be too much effort for someone to keep typing the code every time to vote excessively, and IP checking would stop duplicate voting.


thanks reece
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

IPs are completely unreliable as an identification mechanism. Captchas are inconvenient, but they will not stop someone that has a few extra seconds to kill. The only way to prevent duplicate votes is to register the user in some fashion and tie that user's registration identification to the vote id so that they cannot collide.

Bear in mind that if you do not prevent duplicate registrations, then you are in the same place you started off in with this, except it is certainly more time-consuming to reregister and revalidate as a user in order to vote again than it would be for someone that has no hoops to jump through at all.
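As an added illustration of what RobertGonzalez and Jenk describe (example code, not posted by anyone in the thread): tie each vote to the registered user's id and let a database UNIQUE constraint reject the second insert, so replaying the request or changing the session does not help. The table layout, column names and the in-memory SQLite backend are assumptions made for this example.

```php
<?php
// Added example: one vote per registered user per survey, enforced by the
// database rather than by $_SESSION. Schema and names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The UNIQUE pair does the real work: the check happens inside the database
// in the same statement as the insert, so two concurrent requests cannot
// both succeed (a "SELECT then INSERT" in PHP would leave that window open).
$db->exec('CREATE TABLE votes (
    survey_id INTEGER NOT NULL,
    voter_id  INTEGER NOT NULL,   -- registered user id, never a session id
    option_id INTEGER NOT NULL,
    cast_at   TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP,
    UNIQUE (survey_id, voter_id)
)');

/**
 * Records a vote. Returns true if it was counted, false if this user has
 * already voted in this survey. Any other database error is rethrown.
 */
function cast_vote(PDO $db, int $surveyId, int $voterId, int $optionId): bool
{
    $stmt = $db->prepare(
        'INSERT INTO votes (survey_id, voter_id, option_id) VALUES (?, ?, ?)'
    );
    try {
        $stmt->execute([$surveyId, $voterId, $optionId]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate key).
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// Constructed demo: user 42 votes once in survey 1, then the same request is
// replayed three times; only the first insert passes the constraint.
var_dump(cast_vote($db, 1, 42, 7));
for ($i = 0; $i < 3; $i++) {
    var_dump(cast_vote($db, 1, 42, 7));
}
// A different registered user is unaffected.
var_dump(cast_vote($db, 1, 43, 7));
```

Anonymous voters have no stable id to put in voter_id, which is exactly why the thread concludes that only a registered identity, not a session, cookie or IP, gives a collision-free key.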