Restrict User Activity Based on IP or on Cookie?

Question

I am working on a PHP script that allows users to vote on certain items. Any user whether logged in or not can vote. Consider the following cases:

1. If the user is logged in, I can log user's id, and can restrict voting on the same item if he tries to vote again.
2. If the user is not logged in, I can log user's IP, and restrict voting on the same item, from the same IP.

If it's the first case, there's no need to log the IP. Now, the second case is driving me nuts, sort of. I was wondering that it may happen that the user may be changing IP, and then votes again on the same item. Now, even if I use Cookies or Session vars, it may also happen that the user is starting a new session (or has deleted the cookies) to vote on the same item again.

Am I missing something? If not, how to handle such situations? Any thoughts?

Answer 1

I would seriously consider use a Captcha, reCaptcha is a good choice.

You could restrict by IP address, but its possible for a number of people to share 1 ip address, such as a small school or business. Its also trivial to bypass because proxies are free and plentiful. Its also error prone because sometimes a load balancer will change the IP address during a session. If you really want to limit the number of vote per person your best bet is to require them to login to a user account and store the votes in your database.