I’m working on creating a poll system for a website i’m working on. What is the best way to enforce allowing users to only vote 1 time, even if they are not a registered user?
I’m not entirely sure where to start with this. What ideas should I google and what research should I read?
This is my first asp.net project. If I were programming this in php I would probably use a combination of IP logging and session/cookie variables. How is this approached in asp.net?
Yes, you would also use a cookie. You will need to create a custom cookie once the user has voted. And check if that cookie is present or not. You can google “Working with cookies in asp.net”
But it is quite simple:
Request.Cookies[“cookieName”] to get the cookie
and
Response.Cookies[“cookieName”] to add cookies
Altho it is usually better to work with classes:
Cookie c = new Cookie(“name”);
Response.Cookies.Add(c);
Just make sure you set expiry dates, etc. But I am sure you know that from you PHP. And I am also sure you know, cookies are not rock solid. As I can just clear my cookies and vote again.
If you want to avoid cookies (my anti-virus program deletes my cookies), and avoid cheating, I would store/check if the IP has been used before, by storing them into a database. Session, no. Just go to a different website, and come back, you could vote again. If you do go the IP/Database route, do the databse logic in the application config file, application_start. Or, you could just add it in the actual webpage/control. BTW, does anyone reccomend the app.config solution, or do you think it is to taxing?
That would limit voting to one vote per household as they will share an IP. You can also cycle IPs, if your IP isn’t permanent, by rebooting your modem or router.
Perhaps a registry system is another solution. Offer one vote per email address or something like that. It’s still defeatable though.
Ah yes, I forgot about dynamic IP’s. You could use e-mail address, but then you can make up e-mail addresses on-the-fly. Unless you made the voter validate the poll through an e-mail that has a link to validate the vote, but that would be like killing a fly with a bazooka.
Your right however, nothing is full-proof, it is the internet.
You could try a combination of everything. Cookies and a combination of IP address and hostname. But like said above. There is no full proof way bar making the user register and log in to vote
Ya I had considered the IP route. My only concern was eliminating many people using the same IP. A good portion of the target audience will be college aged students. By using an IP method I could potentially block out many on campus students who are connected to the same local router/network. I hadn’t considered the email idea, but thats even easier to fake than an ip and if I force users to confirm email addresses that is the same as becoming a registered user. At that point the current problem wouldn’t exist because there wouldn’t be such thing as an anonymous user.
I think the best route for now is to use cookies. However, i’ll continue to think on it because this is not terribly ideal either. Any other tricks up your sleeves?
Try what I suggested maybe. Using their IP address and hostname to validate them. And hopefully 2 PCs will not have the same name on the same IP. But if they are really going to go through all the trouble of changing their computer name, just to vote again, then I dnt no. lol