Protecting Duplicate Votes

cauchyResidue

Hello gang,

I searched this forum on this subject and found a thread submitted by examiz on 19Apr2004 about how to protect a site from having a particular user answer the same poll question more than once. Cookies and IP tracking were both mentioned as solutions with their associated shortcomings. One poster suggested having voters register and then sign-in to vote, but that was unacceptable in the interests of site user friendliness and convenience.

That thread was written over a year ago and I would like to know if there exist any new techniques that can help prevent a user from, say, voting multiple times on a particular object (be it a poll question, rating a picture, etc).

Please advise. Thank you.

-cR

Kudose

Nope. If you don't want users to log in, then you're only option is a cookie. But ... the cookie can be deleted and then the user can vote again.

cauchyResidue

That's all I needed to hear. Thanks a whole bunch Kudose.

Regards,
-cR

hyd_guy

hi kudose, well, cookies n IP tracking is the only way. but as u said, cookie can be deleted and post opinion once again. when its IP tracking, in this also, there is a chance for the ones who are using dynamic IPs..! so what next???? both are not significant. But what if by tracking MAC address (said to be almost unique) and allowing user to post opinion?? well, am not sure how to track MAC address in PHP. But, if there is a way to track it, almost we can avoid voting a user twice. but last but not least......hehe, even if u track IP or MAC or COOKIE, what if a system is used by more than one and all of them willing to vote???!!!!???? lol

Kudose, do u have anyway to track MAC address?

thx n bye

Kudose

I am sure you can, but you might need a more lower level language to do so, like C++. You would have to strip off all of the unneeded headers and trailers until you get to the data link frames (Destination and Source MAC addresses) and I don't think PHP is capable of this.

I could be wrong on PHP capabilities though.

MAC addresses are not always unique either, and can sometimes be changed in the OS. They only have to be unique when operating within the same network. Once you choose a transport layer protocol, then MAC addresses no longer matter due to encapsulation of the frame into the packet.

cauchyResidue

Thanks for the great ideas. But the very open nature of the Internet coupled with the anonymity of the Web makes it theoretically impossible to find a reasonable solution to this problem. Cookies can be deleted, IP and MAC addresses can both be spoofed by even an amateur hacker. But even if they were secure, it would prevent multiple honest users who use the same system to vote legitimately.

I might have to resort to having voters register with the site in order to take the poll. This way their login information is stored in the database so their votes can be kept track of. This is by no means a perfect solution considering the likes of hotmail, yahoo, gmail, and other free email providers, but at least it makes it a pain in the neck for dishonest users to duplicate votes - at the very least it makes it less convenient than deleting cookies or spoofing IP addresses. Perhaps a combination of registration with cookies and IP addresses will do the trick.

Regards,
-cR

hyd_guy

Well, thx guys....kudose, i am sure there is a way in php to tack MAC address. And this is the only way to avoid duplicate votes or to give access to particular system. And if i am not wrong, MAC address are 99.99999999999999% are unique. kudose, why dont we do some R&D to find thru PHP or Javascript? let us try....

thx n bye all

SargeZT

It's nearly impossible to get a MAC address from a client. MAC addresses are Layer 2, which map to Layer 3 IP's. Javascript is not tangible to get a MAC address, as it has restricted access. Java and ActiveX would be realistically the only two options to get a MAC from a computer.

Kudose

You can write a program to break down the packets into frames and extract the MAC addresses with C++. It is possible. I just don't know how to write the program.

hyd_guy

SargeZT ....... u r mistaken boss, dont say impossible....there is a solution...bets...client MAC can be traced....bye

SargeZT

hyd_guy, MAC addresses are not transmitted in a normal TCP/IP transaction, that's simply the way it is. Unless you can some how intercept some packets that are sent to the router/switch/modem/ISP, there is no MAC address present in any packets that you receive. At least in TCP/IP. I'm sure there is some screwed up protocol that uses MAC addresses as a personal identifier in Layer 3 communications, but none that I know of.

Kudose, that program is actually fairly easy to make. But, it only works across LANs, not WANs. I could, of course, be horribly mistaken, but I'm fairly sure that there is no server side ability to detect MAC addresses.

To prove this, here is a captured packet from Yahoo. (I've eliminated some unimportant data simply to not make it egregiously long.) This is from Ethereal:

Frame 3 (62 Bytes on wire, 62 bytes captures)
Frame Number: 3
Packet Length: 62 bytes

Ethernet II, Src Foxconn_a0:3f:63 (00:01:6c:a0:3f:63), Dst: Cisco-Li_ac:b7:39 (00:0f:66:ac:b7:39)
Source: Foxconn_a0:3f:63 (00:01:6c:a0:3f:63)

Internet Protocol, Src: 10.0.0.107 (10.0.0.107)
Version: 4

I'll skip the rest, but it's abunduntly obvious that the MAC address is not sent over TCP/IP. Sorry.

And, one last thing, even if you could restrict by MAC address, you'd block all users behind one given router/switch, as the MAC address represented would be that of the router/switch, not of the unique computer.

By the way, don't presume to know I'm incorrect. You're working off of assumptions, I'm working off of knowledge.

hyd_guy

Well, lemee try and give you the solution to you guyz.....bye

Roger_Ramjet

MAC addresses only work within the same sub-net. As soon as you hit a switch or a router the MAC will change.

Do modems have MAC addies?? Not sure I've ever come across one. There is/was no AT command to access it and I'm sure there would have been if it were there.

Cookies are OK for 95% of internet users - they have no idea what they are and are only likely to delete them by accident. We know about them cos we web program and tend to forget that most users know nothing about the technology.

Weedpacket

And if all else fails, I can just wander into my local Internet Cafe and vote again from there. 🙂