Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure voting system with php without login

Tags:

php

cookies

ip

voting

vote

Is there a way to make a reasonably secure system to vote without having to login. I now use cookies to set if the person has voted yet and also insert the users ip in the database.

If that user removes his cookies, he will be able to vote again. That's why I do a check if the user's ip exists in the database and if that IP has voted in the last 30 seconds. That way he'll have to remove his cookies and change his IP address to vote again.

I know there's no 100% failproof solution to this, but is there a more secure way to do this?

like image 516
Steven Dobbelaere Avatar asked Jun 27 '12 13:06

Steven Dobbelaere

2 Answers

There are two ways that could improve your results, but read and judge for yourself, if you need them:

More persistent cookies

There is the Evercookie project, which stores cookie-like information in a lot of places. It is much harder to delete than just normal cookies.

I personally think that this project should be considered a proof of concept and actually using it would be unethical

Better user recognition

Instead of just looking at the IP address in order to identify a returning visitor, you could use Browser fingerprinting. The EFF has shown with their Panopticlick project, that the combination of Browser version, OS version, installed add-ons etc. is often unique. The Piwik web analytics tool also uses this kind of user heuristics to tell visitors apart. I don't know the implementation, but it's FOSS and in PHP, so you should be able to find that part.

like image 184
pixelistik Avatar answered Nov 12 '22 17:11

pixelistik

You can run with both of those solutions in unison - but it's still not very secure. You could go as far as blocking a subnet from voting (192.168.1.xxx) to prevent against dynamic IP changes, but then you're also blocking up to 254 people from voting - and it won't prevent against a proxy.

One method I've seen used quite a bit is making it look like you allow duplicate votes; i.e: show it on the end user's end that their duplicate vote has been counted, but don't actually count it in your own database.

But realistically, a login system is about the only relatively "secure" way of doing this - but if someone is determined enough, that can obviously be gamed too.

Hope this helps.

  • Eoghan
like image 25
Eoghan Avatar answered Nov 12 '22 18:11

Eoghan
Sign in to Comment

Related questions

PHP MySQL Error logging and handling - best practice
Symfony 2 websockets
Bypassing Captcha with curl in PHP
How to get browser sessionId using Selenium webdriver
Does PHP's fopen() protect against typical attacks when accessing https resources?
Using php + gearman + node.js
Returning by reference
PHP SPL ArrayIterator v simple foreach
Is there any way to generate "fake" rows in MySQL result set?
php curl - accessing url with http authentication (need help)
php datetime doesn't match with my windows system
Chrome - Save to PDF function use in a website
Magento Custom Payment Gateway not firing 'authorize' or 'capture' methods
Deregister style.css in WordPress
PHP Processing Fragment Identifier in URL
Doctrine 2.2 + Zend Framework pagination speed optimization
Make user input safe for XML
MySQL fixing autoincrement gaps in two tables
create attribute set in Magento setup script
Dynamic select array in PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!