Im creating a website which allows people to vote for various things. The website has various “polls” on it and you don’t have to register to vote.
Now, I cant figure out how to stop the same person voting twice on one poll and not stop them from voting on all the polls on the site. Should I use a cookie or something?
Any ideas? I hope what I am asking is clear…
Thanks…
Cookies is most probably the best way. Though there’s no 100% sure way to prevent multiple voting.
Hey,
Thanks. I dont really mind if some people vote twice etc… In fact I dont even mind if they can vote again next time they log onto the website…
Can anyone give me a little sample of code to show me how its done with a cookie?
Thanks again!
as php_daemon the usual method is to issue a cookie, if the cookie exists dont let the vote happen.
The only other method to allow anonymous people voting more than once that I can think of is for example to log their IP or something similar that is fairly unique in a database and check this unique data before logging the vote. The problem however with this method is for example using the IP, AOL users a lot of the time will have a different IP every time they visit a page and will be able to vote continuously or if someone is behind a large network that network might only have 1 IP it shows to the outside world then only 1 person on that network can vote (this would for example be a problem if your site attracted people from schools, universities etc)
somewhat similar thread
if ($voted == "yes"){
$_SESSION[voted] = "yes"
#redirect to error message or "you already voted page"
}
else{
if($_SESSION[voted] != "yes")
#continue as normal
}
This will lock out users who have voted for the duration of a session set in PHP.ini. Its not elaborate (what happens in the case of session ids in the URL etc), but its an immediate way to solve your problem.
Exactly, using sessions will depend on the duration and although you can set that, I doubt it’s desirable to lock voting to the session. I think [fphp]setcookie[/fphp] is really a better way.
Cookies are the easiest and most used way of tracking votes and keeping someone from voting twice. The main problem with cookies is that they of course can be easily cleared so voter fraud can definitely still happen. The most secure way of setting up a voting system that I have found is storing the users IP in a database after they vote.
IP’s can be changed easily as well 
It’s been discussed a lot here and there, but… The problem about limiting IP is that the IP is still subject to change and you may limit one vote for local networks. So cookies are better in this prospect.
Of course, but they are a more unique identifier and “joe user” most likely won’t change his IP or go through a proxy to vote twice on a poll. Nothing is fail safe, but storing the IP is more secure than relying on cookies or sessions.
Hm, I don’t agree. Joe can have a dial-up connection, the IP changes every time he connects. Furthermore, local networks are under one IP, you limit one vote per network. So I don’t think it is worth to prevent some users from voting at all because of perhaps a harder way to make a multiple vote.
My original statement was very clear. Cookies are the easiest and most used method. I thought it would be good to propose an alternative method as well which really there are very few, cookies, sessions or some sort of unique identifyer tracking.
Your example of a dial-up user is correct, but with that you get into target user demographics and determining which approach is best for this situation. If his main user base is US or UK traffic with a primarily younger/tech savey group, then it is reasonable to assume about 80% of his traffic is on a high-speed connection. Do you code for the majority or minority? Those are questions that would have to be answered by the project leader.
Really, this is only my 3rd post on these forums and I have no desire to prove myself to you. I proposed a solution based on my experiences and what had already been posted.
kind regards,
Chris
There’s no reason you can’t employ a combination of cookie and IP checks.
Frankly if you allow anonymous voting, accuracy shouldn’t be relied upon. Aside from a simple block for Average Joe to mainly prevent mistakes on his part.
Thanks all for your help. I have decided to go with the simple php session option. If they come back and vote again I dont mind. I just dont want someone voting 1000 times at once.
Thanks again
I’m sorry if my posts appeared offensive, that was not my intent. Limiting IP is of course one of the ways to solve this problem, however there are flaws that I wanted to point out.
The changing IP is the least problem. What I was trying to emphasize is the risk of limiting votes for local networks, which in turn of course has ways to be solved.
My intent was actually to add to your post by pointing out the possible troubles that you may encounter using the method. It didn’t work out quite well, eh?
Sorry for so not very warm welcome, but enjoy your time in the forums. 
Maybe you can allow a IP to vote more then once… but have a cookie check it also, or something of this sort.
I wouldn’t use IPs if I were you. Imagine this: a company of 10,000 employees behind one proxy server. The result: one person votes and you lock out 9,999 others.
Cookies will stop a casual user, but if you know what you are doing (like if you know anything about web programming/design or are just computer smart) it will be really easy to get around. There’s not much you can do th stop people from voting twice. You could use email validation but it would be so annying most people wouldn’t vote. And even that would be vulnerable to people using disposable emails, temporary address services, spam@mydomain.com accounts or free accounts. I don’t think there’s a way to compleetly prevent anyone from voting twice, but there’s always cookies, which would be a good solution to stop a casual user.
–superuser2
If a hacker can vote twice, they could just as easily create a program to vote as quickly as their connection allows them. If you use simple session cookies and no IP checking, someone with only basic skills in internet programming would be able to create such a program in under two hours. Of course, you may be thinking that your audience doesn’t include these types of people. However, if you allow something like this to be possible, it only takes one person to throw off your entire results.
I don’t mean to scare you with this; just something else to think about with your system. Regardless, be aware that any anonymous voting system can never be trusted.