Voting system - enforcing unique votes

**nicky77** · May 19, 2009 02:30

Hi guys, just setting up a simple voting system for a client and I'm wondering how best to ensure that no-one submits multiple votes. The problem is that it's a large company and a company wide email will be sent to all staff to invite them to vote on the web page i'm setting up, so it's not really practical to generate individual logins for each staff member - plus it would possibly be overkill to ask staff to login to cast a vote on something which is basically just a bit of fun. Logging the IP address of each voter wouldn't really work either as staff in the same office would be likely (i think) to be using the same remote IP.

So i'm pondering storing cookie data for each user and logging this in the database alongside each vote, allowing me to check for unique votes. Does this seem a reasonable approach? To be honest, this doesn't need to be absolutely watertight and obviously people could clear their cookies and vote again if they really wanted to.

**r937** · May 19, 2009 02:45

if staff in a remote office all use the same IP, what are you gonna put in the cookie? how will you know it's not somebody different each time? what data are you going to assign to a user to check if it's been duplicated?

**guido2004** · May 19, 2009 02:48

You could generate a random key for each staff member, save them in your database, and add them to the link to your page in your mail (i.e. 'http://www.companywebsite.com/yourpage/index.php?key=uwyrgrthvjf84y7834y7ytuiert'). They can vote clicking on the link (without having to log in), and you can keep track of which codes have already cast a vote.

**AnthonySterling** · May 19, 2009 02:57

Originally Posted by guido2004

You could generate a random key for each staff member, save them in your database, and add them to the link to your page in your mail (i.e. 'http://www.companywebsite.com/yourpage/index.php?key=uwyrgrthvjf84y7834y7ytuiert'). They can vote clicking on the link (without having to log in), and you can keep track of which codes have already cast a vote.

Although a little bit more work upfront on the email side of things, this gets my vote.

**nicky77** · May 19, 2009 03:01

@r937 - yep, good point - didn't really think that one through properly. Now I think about it, can't really see how to use cookies here without it being a really flimsy approach.

@guido - i thought of doing something like that, but it looks like the client will be using an email template and sending it out (with the link) to all their staff (more than 500) and i don't think it's going to be feasible to create a different link for each staff member, esp as this would also mean individual emails being sent by the client, instead of a blanket internal mail. Maybe the only way for me to do this would be to get access to the staff list, then i could set something up to run through the email list sending the email with a dynamically generated random key appended to the link and logged in the db (as you suggest)

**Cups** · May 19, 2009 03:11

If you are on an IIS/NT based system you could try this:

PHP Code:


echo $_SERVER["PHP_AUTH_USER"];

Might give you your current logged in (win) user name.

Way back in the mists of time I recall doing something similar for an intranet KM system, I think that was how I did it - just an idea.

**nicky77** · May 19, 2009 03:38

Hi Cups - thanks for the suggestion, but i'm on Apache so i don't think this is an option.

Cheers to all for the replies, i'll need to go back to the client and explain the situation and take it from there

**AnthonySterling** · May 19, 2009 04:04

Originally Posted by r937

if staff in a remote office all use the same IP, what are you gonna put in the cookie? how will you know it's not somebody different each time? what data are you going to assign to a user to check if it's been duplicated?

Actually, why does the cookie have to contain anything identifying? Surely the presence of the cookie is the only thing we need here.

Pseudo:

PHP Code:


<?php
if(isset($_COOKIE['voted']) === false)
{
    doVote();
    $_COOKIE['voted'] = true;
}
header('Location: http://www.yourserver.com/thanks.php');
exit;
?>

**nicky77** · May 19, 2009 06:35

@silver - you're right! i don't need to extract any information from the cookie, i only need to know if it exists. many thanks

**crmalibu** · May 19, 2009 08:02

Well, if more than one user may vote from the same computer, then it does matter. Although, I think the browser should keep the cookies seperate so long as a different user logs on to the computer.

You could also ask for thier name, or employee number or something when they vote.

**sk89q** · May 19, 2009 09:12

If everyone is using IE, and you are using Windows for the network, then you might want to look into Microsoft's proprietary HTTP NTLM authentication. I haven't deeply looked into it though, so I can't help you further than that. However, I believe that you will have to enable in on client systems and the site with the voting form needs to be in the Intranet zone, but if you can push group policies onto systems, then I suppose that that's not an issue.

Of course, that might be complete overkill for your needs.

**felgall** · May 19, 2009 12:35

If you use a cookie to trAck it then all anyone has to do to vote again is delete the cookie.

User Tag List

Thread: Voting system - enforcing unique votes

Thread Tools

Display

Voting system - enforcing unique votes

Bookmarks

Bookmarks

Posting Permissions