Best method to prevent gaming with anonymous voting

Question

I am about to write a voting method for my site. I want a method to stop people voting for the same thing twice. So far my thoughts have been:

• Drop a cookie once the vote is complete (susceptible to multi browser gaming)
• Log IP address per vote (this will fail in proxy / corporate environments)
• Force logins

My site is not account based as such, although it aggregates Twitter data, so there is scope for using Twitter OAuth as a means of identification.

What existing systems exist and how do they do this?

Answer 1

The best thing would be to disallow anonymous voting. If the user is forced to log in you can save the userid with each vote and make sure that he/she only votes once.

The cookie approach is very fragile since cookies can be deleted easily. The IP address approach has the shortcoming you yourself describe.

Answer 2

One step towards a user auth system but not all of the complications:

Get the user to enter their email address and confirm their vote, you would not eradicate gaming but you would make it harder for gamers to register another email address and then vote etc.

Might be worth the extra step.

Let us know what you end up going for.

Answer 3

If you want to go with cookies after all, use an evercookie.

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Multi-browser cheating won't be affected, of course.

Answer 4

What type of gaming do you want to protect yourself against? Someone creating a couple of bots and bombing you with thousands (millions) of requests? Or someone with no better things to do and try to make 10-20 votes?

Yes, I know: both - but which one is your main concern in here?

Using CAPTCHA together with email based voting (send a link to the email to validate the vote) might work well against bots. But a human can more or less easily exploit the email system (as I comment in one answer and post here again)

I own a custom domain and I can have any email I want within it.

Another example: if your email is myuser*@gmail.com*, you could use "[email protected]" [email protected], etc (the plus sign and the text after it are ignored and it is delivered to your account). You can also include dots in your username ([email protected]). (This only works on gmail addresses!)

To protect against humans, I don't know ever-cookie but it might be a good choice. Using OAuth integrated with twitter, FB and other networks might also work well.

Also, remember: requiring emails for someone to vote will scare many people off! You will get many less votes!

Another option is to limit the number of votes your system accepts from each ip per minute (or hour or anything else). To protect against distributed attacks, limit the total number of votes your system accepts within a timeframe.