Cookie Protection Vs IP Protection

ollmorris

In my poll script I have already built in IP Protection but is it worth building in cookie protection. I am in two minds as to whether it is worth doing since a clever user could delete the cookie or use a proxy server to vote multiple times.

Is there any other protection method I have missed?

Thanks
Oli

solodesignz

What about multiple users behind a router/switch w/ the same IP? Only one user would beable to vote. There coule be houndreds of lost votes, if 100 people voted behind a switch

I dont know the "correct" way to do it, but a quick solution.. I would collect some information about the computer that is visiting the site, as much as PHP would allow, then store that information... and check it when another person trys to vote, if it is different, allow it.

ollmorris

Thats a good point solodesignz! But with something like collecting information about the user, what happens if they upgrade their OS or change their browser.

drew010

cookie protection doesnt matter too much, if a person were to write a script to do it they wouldnt even make it handle cookies. ip protection is good but these days it does always have the drawback of people sharing an ip. you could maybe limit ip's to only voting every x hours or something. as far as checking a proxy, there are certain headers many proxy servers send, which you could try to detect and deny a vote if one of the headers are sent.

some may include:
$SERVER['HTTP_X_FORWARDED_FOR'];
$SERVER['HTTP_VIA'];
$SERVER['HTTP_PROXY_CONNECTION'];
$SERVER['HTTP_FORWARDED'];

another small trick you could use is to ensure that a user agent is sent. this way if people write scripts and dont think to send a user agent, you can deny the vote but not say thats why and IF they figure it out they will spend a while on it.

solodesignz

Well depends on how strict you want your poll to be...
I really doubt anyone will be that crazy, or put in the time to change their OS or browsers to vote a million times

It might let in a couple extra votes... But that might be ok... depends on what your poll is for...

ollmorris

Good thinking both of you! I have come to the conclusion that I will use a combination of IP protection, cookie protection and headers and such like. I won't rely on any singularly since that would reduce my chance of blocking the user.

Thanks for all your help. I have some planning to do :-)

solodesignz

Personally I wouldnt use the cookies, thats probably the easiest thing for them to erase.. So if that was erased it would look like another unique user.

I would use information that was a bit harder to change