Programming strategies for allowing anonymous / unauthenticated voting on web sites

Question

I'd like some pseudo-code or white board suggestions for permitting unauthenticated voting on my site. I've looked through related threads on this topic, but I think my scenario is different enough to warrant its own thread.

There are 3 core scenarios I want to support.

1) Authenticated user "Joe Blow" logs on to my site and votes. Since he's authenticated he only gets to vote once. For each vote he makes, I store his UserId in the DB

2) Unauthenticated user "Sally" visits my site and votes. Since she's unauthenticated, I'll save her vote under a user account called "Anonymous-Users-From-My-Site".

3) Unauthenticated user "Zoltan" uses a widget that I built to hit my site from some other partner site that hosts my widget. He can also vote from that site. I'll save his vote under a partner user account called "Anonymous-Users-From-A-Partner-Site".

The twist here is that I need to support the ability of "Sally" and "Zoltan" to vote on an unlimited number of things. Maybe Sally wants to vote on 500 things in one day. Maybe Zoltan wants to vote on 200 things on the partner site. Maybe Sally doesn't revisit the site for a month, then comes back to vote on more stuff.

How can I achieve scenarios 2 & 3 with a cookie? Do I hash all of the item ID's for the votes together? What are my options?

FWIW: I plan to make a hard distinction when tallying up the votes. I'll make it clear that anonymous votes are just that -- anonymous. People will understand to use a measure of skepticism when viewing the results. But I still think there's value in allowing unauthenticated users to vote, even if they can game the system by using multiple browsers or deleting their cookies after each vote. If users voting on my site have to do at least this, then I'll be satisfied.

And lastly: I am not interested in using something like an EverCookie. For my needs, that's total overkill.

Answer 1

I personally wouldn't lump any unauthenticated entries against a SINGLE user... instead, I would have a table of unauthenticated responses. The first time a person votes - you insert into that table, and store the autokey (ID) in his cookie. If he deletes his cookies... who cares. But this should solve all of your needs.

This way you're not trying to "fake" logic by parsing out comma separated 'votes'... but rather you're just going to pretend that they are a regular user and hit your DB to pull their votes.