#1: that one isn't a good idea. too many pitfalls like proxies and non-static ip user.

#2: prevent voting whitout cookies. but even then i could simply delete my cookies and then vote again

#3: combine 1 and 2. store a cookie with an id. store that id and the user ip in a text file. when a user wants to vote, check for the cookie. if you found one, that's a repeat so prevent voting. if not, check for his ip in the text file. if you have a match, there's two options: 1 the user simply deleted his cookies from his machine and wants to vote some more, or 2 it's a different user using the same proxy for example. if no ip match, then it's a legit user voting for the first time or is it?? ok I'll stop here.

anybody found ways around this?

mavherick

Any simple scheme like cookies and IPs has some major flaws. As noted above, neither of those is 100% reliable. If it is very important to avoid any multiple votes, you might have to go to some kind of userid/login scheme.

If you are just trying to avoid major vote-spamming, an IP check (or combo cookie/IP check) would probably eliminate most unsophisticated spammers.

mavherick, i don't understand how #3 would get any different results than #1.

the cookie is the fastest thing to check for so if they have the cookie they can't vote again.

if they have no cookie then check for the IP, if you find it then you will have to decide what you want to do at that point. Every single person in my office uses the same IP to surf so where does that leave us. If one of us voted no one else would be able to if you have one vote per IP.

as rogerd mentioned this method has many flaws. The user id/ login is pretty much the most effective but still doesn't stop people from multiple username signups. It all depends on how important it is to ban repeat voting. You can go on and on with complex security measures but people will still get around it if they really feel they need to. As it gets more complex it will be more time consuming to develop and then maintain as well.

I've done this several times, although all "voting" was done by email invitation.

Starting with an email list, the script gave each user a unique "password" which consisted of a random number attached to the end of the query string.

If their "password" had been used, they were transfered to another page.
If the password had not been used and was valid, they were allowed to "vote".

I take it you are doing this from a link, not as easy to do.
I'd go with the ip.
Dial-up users are less likely to log off and then back on just to vote again than they are to delete their cookies. $0.02

mavherick, i don't understand how #3 would get any different results than #1.

It relies on the fact that most people won't bother/know how to delete the cookie, so you cathc most right off the bat. If there is no cookie, you use the IP to try to check those who are deleting cookies, but as Jatar_K says, lots of people share IPs, so they get one vote as a group, and others (like me) don't get a static IP when I dial in, so I could potentially vote more than once (though eventually I would start repeating IPs as I got further into the IP block.

Tom

By the way, how many votes do you expect to get and how many cheaters? If you think you are going to get thousands of votes, you could allow some small multiple number per IP to deal with Jatar_K's case (I don't know how common that is). Most people won't vote at all, some will vote once and only a few will vote hundreds of times. If a few people vote ten times, will it really matter?

In the United States, we don't seem to worry about this for presidential elections, so how important can it be in your case? And which side has James Baker working for them?

Tom

Why not do the cookie thing, and track the IP. Place a disclaimer saying votes are tenative a final calculation. Take the IP file with a script to count them such as which IPs voted more than once. Then you can take the ones that have alot of votes and see where they came from. If they came from a corp leave them. If they came from a normal ISP then delete all but one. I know this is alot more work but if the validity of the poll is that important its worth it.