secure ****-clone voting

[grafenberg]

Hi all, I'm writing a script to allow users to vote on news articles, and I'm unsure how to go about securing the vote button from double voting, or other's voting in other's names.

the script is simple at the moment, it simply passes the article id and user id's to in an ajax call, and then the article is promoted. But, This certainly can't be secure as it would seem to me that someone could find a way of changing the user id, so the vote would count in another's name. I've noticed that **** and pligg both are passing md5 hash's around in the ajax calls, but as to how this is being used to secure the voting process is beyond me.

I'll continue to ponder this, but any info or advice would be well appreciated.

thanks,

[grafenberg]

erm... **** is sitepoint slang for d i g g.

curious why it should be parsed out though... over-modding is a baaaaad thing IMO

[Dan Grossman]

Keep the user's ID in a session rather than the URL; the user can't modify it.

As for ****... they have this policy where if your forum is used for "**** me and I'll **** you" type activity, they'll ban your entire domain. SitePoint doesn't want its domain banned. Moderators can't catch everything instantly.

[grafenberg]

thanks Dan..

unfortunately I'm using ajax to do the "promoting". so it means that user sessions aren't available to the php document in question, and must be submitted via javascript call, and hence must be dumped into html the document.. I do not know if it is possible to change page content inside the browser (maybe with grease monkey?), so I'm not even sure if this is something to be concerned with... but currently I've assigned security keys to each user which get passed along with the id on each story promotion request, which would prevent a hacker from simply having to change the user id from 6 to 7, and getting to vote twice.. he would need to know the users id and corresponding security key to exploit it..

i suppose it'll work, unless anyone can see a flaw with this...

thanks. I'll show it off when it's done innit.

[Dan Grossman]

Your JavaScript call which saves the vote sends an HTTP request to a PHP script. That PHP script has access to the session, which contains the user ID from when the user initially logged in. Therefore you do have access to the user ID and the entire process is secure. The user ID, nor any other identifying key, need not appear anywhere in the HTML of the page to be tracked.

If necessary I could write some example code, but it's pretty straightforward. Your XMLHttpRequest is simply something like http://www.example.com/savevote.php?...&vote=thumbsup. The savevote.php file reads the user ID from $_SESSION where it was placed when the user logged in at an earlier time. That allows you to prevent duplicate voting by checking if a vote already exists by that user ID for that article (by either a SELECT query or putting a UNIQUE constraint on the column forcing another vote's INSERT query to fail).