March 20th, 2010, 11:48 AM
One vote per IP address on a poll?
Hello everyone ,
I have an online poll which allows people to vote. I have used a captcha to stop bots from making votes. However I want to make sure that only one person can vote ever. Now I know this is impossible if personal identification data about the user isnít stored (e.g. a fingerprint lol). So I guessed that the best way to do this would be to store their IP address and only allow one vote per address. I know this means that many people using a network or computer with the same address wonít be able to vote but I cant think of any other way.
My question is what would be the best way to obtain the IP address? Should I use $_SERVER['REMOTE_ADDR'] ? But then users will be able to go through a proxy. So I can use: $_SERVER['HTTP_CLIENT_IP'] or $_SERVER['HTTP_X_FORWARDED_FOR']. But canít they be faked? I donít know how difficult it is to fake HTTP headers and if someone would bother doing it along side with having to fill in the captcha if they want to rig the poll. So what is my best bet? To stick with $_SERVER['REMOTE_ADDR'] ?
My greater concern is non static addresses. In some places they may still be using dialup connection alongside with dynamic address every time they connect to the Internet. Thus they would get the chance to have multiple votes. Is this concern of mine valid or have I completely misunderstood the situation? Or am I missing something very fundamental?
March 20th, 2010, 12:03 PM
Don't get too fancy with it, as you've already surmised IP address isn't a good way of uniquely identifying a person or even a computer, but it is one of the few viable options.
Anonymous proxies don't forward the IP address of the original requester, and if someone is trying to get around you using a proxy they are going to use an anonymous proxy. There is no way to determine the IP address of the original requester unless the proxy chooses to tell you.
Most ISPs provide customers with dynamic IP addresses, this includes both dialup and broadband connections. Very few ISPs provide residential customers with static IPs. A dynamic IP address would give someone multiple opportunities to vote, and there is really nothing you can do about it.
When it comes to polls the best thing to do is require registration with E-Mail verification. Still no where near foolproof, but more so than IP addresses.
Comments on this post
March 20th, 2010, 12:41 PM
Hey, I agree with the above poster (didn't catch his/her name).
What I would do is make users 'sign up' using an email address that they would use to login -- assuming you want this rule. In your DB or whatever you're using to store poll results, allow just one vote per email. If users wanted to vote twice, they would have to create another email account. Combined with your server methods and your CAPTCHA it would be pretty difficult for users to vote multiple times.
March 20th, 2010, 09:21 PM
Thank you again E-Oreo Thank was the information I was looking for.
I just did implement an email method.
March 20th, 2010, 09:44 PM
I'm really interested in this. Limiting users to 1 and not multiple must be essential to many web applications, surley somebody must know a method?
Yes, using an email to limit your poll results would be an easier method then usin' an IP, but that dosen't make it a solution.
Originally Posted by romario
March 21st, 2010, 09:12 AM
It's not possible to know something that doesn't exist.