
Voting twice (or more): Is there a way to prevent it?

Posted: Mon Nov 27, 2006 6:59 pm
by julian_lp
I'm writing a small script that will allow users (registered) to design and put online their surveys. Non-registered ones will be able to vote though.

Given such a simple work, all is going well, but I'm afraid actually about some bad guy who can do this kind of thing:


Code:

pseudocode 

for i=1 to 10000000000000

     params = "vote=the_worst_candidate";
     go_to_surveysite(params)
     change_my_session;

endfor


I'm relying on $_SESSION to reject double voting, cause I don't want to restrict the functionality only to the anonymous visitors...

Is there any way to deal with this kind of risk?

Posted: Mon Nov 27, 2006 8:14 pm
by Ambush Commander
No. You can make it difficult though, using captchas, cookies, IP address checking, etc (ordered in desirability). But none of these are foolproof.

Posted: Tue Nov 28, 2006 5:12 am
by Jenk
If they are registered, as you have said, then you can assign a value to a database against their username that says "you've already voted, no more voting allowed!"

Posted: Tue Nov 28, 2006 7:58 am
by julian_lp
Jenk wrote: If they are registered, as you have said, then you can assign a value to a database against their username that says "you've already voted, no more voting allowed!"

From my post:
"Non registered ones will be able to vote though." :wink:

Posted: Tue Dec 12, 2006 9:02 am
by reecec
As Ambush Commander said, captchas would work, as this would be too much effort for someone to keep typing the code every time to vote excessively, and IP checking would stop duplicate voting.


thanks reece

Posted: Tue Dec 12, 2006 7:25 pm
by RobertGonzalez
IPs are completely unreliable as an identification mechanism. Captchas are inconvenient, but they will not stop someone that has a few extra seconds to kill. The only way to prevent duplicate votes is to register the user in some fashion and tie that user's registration identification to the vote id so that they cannot collide.

Bear in mind that if you do not prevent duplicate registrations, then you are in the same place you started off in with this, except it is certainly more time consuming to reregister and revalidate as a user in order to vote again than it would be for someone that has no hoops to jump through at all.
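
Added example, not part of the original thread: one way to tie a registered user's id to a survey so that two votes cannot coexist, enforced by a database key instead of $_SESSION. The table, column and function names are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: at most one row per (survey, registered user).
function open_vote_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec(
        'CREATE TABLE votes (
            survey_id INTEGER NOT NULL,
            user_id   INTEGER NOT NULL,
            choice    TEXT    NOT NULL,
            PRIMARY KEY (survey_id, user_id)
        )'
    );
    return $db;
}

// Returns true if the vote was stored, false if this user already voted.
// There is no separate "has voted?" read, so two parallel requests cannot
// both pass a check and then both insert: the key rejects the second one.
function cast_vote(PDO $db, int $surveyId, int $userId, string $choice): bool
{
    $stmt = $db->prepare(
        'INSERT INTO votes (survey_id, user_id, choice) VALUES (?, ?, ?)'
    );
    try {
        $stmt->execute([$surveyId, $userId, $choice]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 means an integrity constraint was violated.
        if (strpos((string) $e->getCode(), '23') === 0) {
            return false;
        }
        throw $e;
    }
}

// Constructed sample run: user 7 votes, then retries as if with a new session.
$db = open_vote_store();
var_dump(cast_vote($db, 1, 7, 'candidate_a')); // first vote on survey 1
var_dump(cast_vote($db, 1, 7, 'candidate_b')); // repeat on the same survey
var_dump(cast_vote($db, 2, 7, 'candidate_a')); // same user, different survey
var_dump(cast_vote($db, 1, 8, 'candidate_b')); // different user, survey 1
var_dump((int) $db->query('SELECT COUNT(*) FROM votes')->fetchColumn());
```

The key only counts distinct user ids, so it is as strong as the registration step behind it, which is the caveat raised in the post above.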