This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Unique IPs in a voting system
I am developing a small web app where it needs an online voting system using php for my college event. I was obtaining IP Address and storing it in database to prevent repeated voting from same user. But then I remembered that my college uses a proxy server so obtaining IP address is useless.
I tried accessing and storing Mac Address of the client using javascript.. I tried out a few examples that i found on the internet.. but none of them worked.
Can you guys suggest me an alternative to how can I get the results I want??
Any sort of help would be heartily appreciated.
Regards,
Aayush Shrestha
Nepal
Have them enter their email addresses and send a link to their email that allows them to vote. The link should include some hash of their email and you would have to check if they have already voted or not.
I realize that a student could enter multiple email addresses and vote multiple times, but how many emails does a student really have? And how much time would they spend doing something like that?
I'm guessing you don't have access to any sort of authentication system through your college, so this is probably the best way.
Edit:
Another idea is to use Facebook authentication (see: http://developers.facebook.com/docs/authentication/). The downside is that you have to assume that all voters have facebook accounts.
First get the user to register an email address so they can use the voting system subsequently associated with that address.
Once you have an email address (that is validated with a activation link sent to that email), then you can gather voting related input from the user.
There is really no effective, platform-independent way of preventing repeated voting unless you enforce user certificates, etc.
The only 100% airtight way to do this would be to make users create accounts that require some personally unique information to prevent a user from making multiple accounts.
The closest you can come without a login system is the Evercookie library, which stores a UUID in about a dozen different places in the user's browser. It's very difficult to clear them all out (even using a privacy mode in the browser), so if you give an Evercookie to a user when they vote, you can probably spot someone who has voted before.
Note that this stops repeat voting on the machine level, not the user level (a machine may haave multiple users, and a user may have multiple machines, which might enable repeat voters or block eligible voters).
Related
I have to make a Website where users can vote only once. I tried to register them in my db using their IP address with $_SERVER['REMOTE_ADDR'] but i did some research and found out that in some cases multiple users can have the same IP (using the same wifi or the IPS sharing IP's between them). Also, i don't want them to make an account to be able to vote, or log in with facebook, google, etc...
Is there any way to do this with PHP?
Just have a quick glance at https://github.com/samyk/evercookie. Your search will end there.
You can store to DB a fingerprint and then compare it like you did before with an IP address
https://github.com/Valve/fingerprintjs
or u can make your own fingerprint by storing user's device, it width,height,timezone,etc
But it'll fail if someone will vote with other device.
I think it must works like an Antifraud systems, but they're based on the same way I wrote.
I am writing a voting plugin for my Wordpress site. I would like for a client to be able to vote without logging in. What I have done is I have used $_SERVER['REMOTE_ADDR'] to only allow each client to vote once. Since the voting also uses AJAX, the voting is quick and easy.
However, I have run into a problem with mobile devices as they don't have unique IP addresses. What solution can I use to make sure that people cannot spam the vote button (or if someone double clicks on it, that two votes are not registered etc.) on a mobile device?
This does not need to be a fool-proof method. I realize that $_SERVER['REMOTE_ADDR'] is not foolproof either (although if anyone has any fool-proof ideas that can be implemented easily, I'd love to hear those as well).
I've build two seperate browsergames and I want them to share the same login system. So that if you have one account which you use for both games. I want this because of payment reasons (if they buy something I have to pay per website so I want all payments to come from one website) and user experience (why sign up multiple times?).
But when they first sign up and login I do not want to redirect them to the centralized system because I want the sign-up/login-proccess to be as simple as possible because I'm afraid they'll lose interest.
So I was thinking about letting them sign in to the website normally and then using cURL to send the requests to the centralized website by building an API.
I am however wondering if this is a good approach because none of the websites are on the same network. I guess I'll have to build the centralized login system in such a way that it only accepts requests from the domains the games are on. But are there any other things I have to worry about? How should I send for example passwords? Because sending them plain text seems like a horrible idea so I guess I'll have to hash them on the side of the game. I guess I'll have to make a small copy of the users table for for example the username and user_id.
I don't want to use for example OpenID or Facebook Connect or something because that does mean redirecting to an external system (which is bad for user experience) and the average age off players on the website is about fourteen, so they have no clue about OpenID and I don't want to force them to connect their Facebook accounts to my websites.
Also I'm sorry if I'm unclear or writing in bad English, I'm not a native and having a hard time expressing myself the right way.
Thanks in advance!
If I were you, i'd create a API for registration system.
Website A (game1) uses that API to create accounts and verify them, same does the website B.
API would validate data, respond with errors (username taken etc), or return success messages. It should be protected (LAN access only or some authentication)
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I can do this using IP checks but that would be stupid if if the user had dynamic ip adress, then another option is cookies but that would also be stupid for many reasons - one being that its client side.
So then, i think mac address will be the thing to use, but i have no idea how to grab the mac address using php or javascript.
I think if this is possible, then it will be via js because it is client side
So any suggestions?
Why is it 'stupid' to use client-side information for authentication, that's where you'll be getting the username and password from and you're likely trusting that already
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password you could encode some other browser specific fields (exact UA header?) into the cookie to add more data you can use to decide if the client is trusted
That's more a comment than an answer:
Im making a social network and im trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends like in facebook.
I'm not the author of that feature from facebook, so I don't have the specification of that feature at hand. If you would be so kind and add the specification of the feature you ask a question about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution
I can use this api http://ipinfodb.com/ip_location_api.php And grab the location of my users and if it changes ask them to verify device.
I am willing to implement website where will be top 10 best members' pictures or something like that. Before voting for pictures or uploading pictures people will have to register first. But how could I protect my website from multiple accounts? Store IPs to database? But will it help me while there thousands proxies out there? What should I do? Thank you.
edit: maybe I could make accounts paid, for examples 0.99$ for month via paypal and somehow do no let people register twice with the same paypal and IP? Is it possible?
Use a confirmation code that is sent to mobile no upon registration. and confirm it. like google.
You can't stop it, but you can make it difficult and do things to detect it like you said with the IP's.
You can get a lot of data from user, not only IP but also browser version, sended headers in request, even resolution etc. with javascript. Rosolve IP to region etc. But it's not simple to write a system that would search all of that data for similarities.
You can also set cookies or even do a little swf object with cashed some information on user local hdd.
You can send mail confirmation... and don't allow multiple users from the same mail!
This is fast and easy to implement :)