How to remember an anonymous vote

Question

What is the best way to implement a "memory" or persistence for an anonymous vote? The other day I was browsing some site (unfortunately I forgot the URL), and I could quickly "thumbs up" or "thumbs down" an item. So I voted on several items. I then closed all my browser instances, deleted all the browser history and files. I went back to the site to vote on some of the same items but it "knew" that I had already voted. So I am wondering what's the best way to accomplish this

I have read about evercookies, but somehow they don't seem like a nice way to treat your users. I don’t want to go that way. Or are evercookies the only way to accomplish this?

If evercookies were not the mechanism behind this then the only way I can think of is to remember the client's IP + User Agent + something else. But what is "something else"?

Any thoughts?

Regards, Archil

Answer 1

Sites may use a combination of the following to try and identify flooding or abuse of a form such as an online poll. No method is completely infallible; in fact, most are trivial to fool.

Identifying the same person:

• Setting a cookie (such as a session cookie)
• Comparing the IP address
• A hueristic approach having a cookie, and comparing part of the IP address (a /24 subnet) and/or user-agent as a backup when there's no cookie.

Preventing other types of abuse:

• Flood control: don't allow more than a certain number of votes per minute from a certain IP subset, or from everyone.
• Spam detection: try to detect bots by signature (eg malformed user-agent or accepts header, etc)

Making the user jump through hoops:

• CAPTCHA/robot detection
• Making the user confirm their vote by email
• Making the user register, provide a unique email address, confirm the email address

For every measure there's an equal and opposite counter-measure. For example, an abuser might ignore cookies, vary his user-agent or use an anonymiser service that varies his IP address for every request. He might sign up using multiple accounts with throw-away email addresses, and there are even ways to try and defeat CAPTCHA (eg. replay the CAPTCHA for users on another site).

Note that to someone who is determined to disrupt, an evercookie doesn't do much more for you than a cookie. They wouldn't affect a bot, for example.

I personally do not like to use the barriers that make users jump through hoops. Hopefully I've demonstrated that even if you require registration you are not guarding against abusers all that much more than you would with a good flood control algorithm, since it's trivial to get multiple throwaway email addresses.