
Stopping users voting multiple times on a website

I'm planning to add some vote up/vote down buttons to a website I run. This seems easy enough but I want to stop people voting multiple times. One solution would be to make them register before allowing them to vote but I'd prefer not to have to force them to register.

Is there a reasonably straightforward way of doing this? Checking the IP address doesn't seem like a good solution, since it's possible that multiple users may come from the same IP address.

Cookies might be the answer, but a savvy user could delete the cookie. Any better ideas?

Doogal asked Feb 21 '09 10:02


4 Answers

Sorry I don't have a useful answer, I just want to share my experience.

About 8 years ago I worked for a site that ran online polls. We once got hacked by some bots voting on some of our questions several hundred votes a minute.

I had to implement some emergency checks: IP address, cookies, and I really don't remember what else.

At the end of the day we decided to take the polls down. Those damn robots just didn't care. IP addresses were spoofed, cookies were being deleted, etc.

If you really really need the polls to be unhackable I don't see any other way than requiring registration and using captchas to avoid bots signing up for new accounts.

And the sad thing is that this was just an entertainment site with polls on what's your favorite color and things like that.

The only thing we didn't try was using captchas because they didn't exist at the time. That might have reduced non-human cheating a good deal.

Don't take this as any kind of expert advice on the matter, because that was the only time I had anything to do with online polls, but I remembered my story and wanted to share.

Sergio Acosta answered Oct 26 '22 05:10


I think it really comes down to the nature of your website, and how accurate your results need to be.

Using a cookie seems like the best option, but it depends on the target audience of your website. Would they be tech-savvy enough to try and beat the system to allow them to vote multiple times? If not, the risk should be fairly low and this would seem like the best approach.

Checking against an IP address, as you said, may be too restrictive. But if it's critical for all votes to be from unique individuals, this might be the better approach even if it means some legitimate voters won't get to vote.

I thought of another option, but I'm not sure if it's possible or feasible. If you could combine the IP address approach with a hardware based check (e.g. MAC address of NIC) this would eliminate the IP address approach being too restrictive due to NAT within a LAN. But it wouldn't help the situation where you have a computer in an Internet cafe used by different individuals.

You should also use captcha (for non-registered accounts) to reduce the likelihood of voting bots. If someone wants to maliciously cast multiple votes, making it more difficult for them to automate the voting process through bots will help to hopefully reduce the occurrence of such behaviour.

LeopardSkinPillBoxHat answered Oct 26 '22 05:10


So, you want to have each unique person have only one vote on each item. When a person tries to vote who has already voted before, you want to detect this. This means that you have to identify the person. There are no tricks to get around that.

Now, since persons can log in from any computer, identifying the computer doesn't help. This rules out IP checks and cookies, as well as anything else based on the user's hardware.

How to identify a person? You can't. You can only force them to identify themselves, by providing unique credentials, like a social security number (I think this is often used in Korea), a passport number, or similar. This, of course, doesn't help if you don't check it, since anyone can make up a 10-digit number with little chance of collision.

Even having the user register doesn't really help per se -- they can just register another account.

Svante answered Oct 26 '22 06:10


I wonder if you could make it a multi-step process, to make it more difficult for BOTs.

Registering, or some similar task, gets you Cookie-A, and then when you vote you get Cookie-B, but if you have Cookie-B and don't have a suitable matching Cookie-A your vote doesn't count. If you try to re-register on the same machine that can be detected by you already having Cookie-A. Going through the steps too fast is treated as a BOT.

We had a psychometric test, with many questions, and users had to make thoughtful answers. An answer in sub-N seconds was someone just pressing buttons to get through it. We never told them that their answer was too quick, we just marked the data as "suspect".

So anyone trying to go straight to the Vote Button won't work. They would have to do Step-A, then Step-B then Step-C in order.

To re-vote I would have to clear cookies, re-register, read the blurb-page (whatever) and finally re-vote, all in the right order, and not too fast.

Requiring JavaScript to be enabled may help, as may a Captcha system. Captcha could have some sort of delay - "Please watch as the two words appear" so that there are two words, shown one after another, but "real words" so that they can be easily memorised, and then typed in. Any response that is "too fast" is not valid.

At some point people will just become annoyed and not bother though.

Kristen answered Oct 26 '22 05:10
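A sketch of the multi-step idea from the last answer, added here as an example and not code from any of the answers: Step A issues an HMAC-signed Cookie-A carrying its issue time, and the vote step checks the signature, refuses a second vote from the same token, and silently marks too-fast votes as suspect. All names (`issue_cookie_a`, `VoteBox`, `MIN_SECONDS`) are hypothetical, and as a variation the "already voted" record is kept server-side instead of in a second cookie, so deleting Cookie-B alone does not re-enable voting.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # per-deployment signing secret (assumption)
MIN_SECONDS = 5                       # hypothetical "too fast to be human" threshold

def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie_a(now: float) -> str:
    """Step A: signed token holding a random id and the time it was issued."""
    payload = f"{secrets.token_hex(8)}.{int(now)}"
    return f"{payload}.{_sign(payload)}"

def parse_cookie_a(cookie):
    """Return (token_id, issued_at) if the signature verifies, else None."""
    try:
        token_id, issued, sig = cookie.split(".")
        issued_at = int(issued)
    except (ValueError, AttributeError):
        return None
    expected = _sign(f"{token_id}.{issued}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged token or edited timestamp
    return token_id, issued_at

class VoteBox:
    def __init__(self):
        self.seen = set()   # (token_id, item) pairs that have already voted
        self.votes = []     # (item, direction, suspect)

    def cast(self, cookie_a, item, direction, now):
        parsed = parse_cookie_a(cookie_a)
        if parsed is None:
            return "rejected"      # no valid Cookie-A: the vote does not count
        token_id, issued_at = parsed
        if (token_id, item) in self.seen:
            return "duplicate"
        self.seen.add((token_id, item))
        suspect = (now - issued_at) < MIN_SECONDS
        self.votes.append((item, direction, suspect))
        return "accepted"          # the client is never told it was flagged

    def tally(self, item):
        """Score for an item, counting only votes not marked suspect."""
        return sum(d for i, d, s in self.votes if i == item and not s)
```

This raises the cost of repeat voting but does not identify a person: clearing Cookie-A and repeating the steps at a human pace still yields a fresh vote, as the answers above note.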