With things like AOL and other proxies... how useful is IP Address in figuring out duplicate votes/comments/etc... ?
I'm playing around with my voting control and I was thinking of (in addition to a cookie based check) querying to see how recently this IP address had tried voting and if it was within 'x' seconds, rejecting the vote...
Something more extreme, like rejecting any second vote from the same IP seems wrong, since multiple people could be coming in through the same IP.. in fact, you have to assume that is likely over time...
What do you folks think? Is a time-limit per IP address reasonable, or will that produce 'odd' behaviour for corporate and large ISP users?
Comments
- Anonymous
July 27, 2004
Why not tie it to IP and User Session, that way you are more likely to exclude the same person.
- Anonymous
July 27, 2004
The comment has been removed
- Anonymous
July 27, 2004
Duncan,
ip is a bad choice for stuff like that. not only are different people using the same ip over time (which happens when they connect through any dial-up service or any suchlike service). there are even different people using the same ip at the same time. (this happens where people connect through a common gateway using nat. this is a common setup.)
i don't think there is a practical way to ensure 'reliable' results in votes like that besides trusting the voters.
WM_MY0.02$
thomas woelfer
- Anonymous
July 27, 2004
Another problem - instead of real people behind router and proxy - it's possible to send forged HTTP requests with Via: and X-Forwarded-For: fields set.
You can send as many requests as you wish with X-Forwarded-For: 10.x.x.x range.
16581375 requests with different IPs in X-Forwarded-For: can solve Florida recount problems... ;o)
- Anonymous
July 27, 2004
It's not a solution due to the uncertainty of the results. Instead of results they become educated guesses or estimates if valid votes may be dismissed due to rule confines.
I believe the thinking should become more creative.
Can a second piece of information be taken with the IP address, something unique like the hardware address?
- Anonymous
July 27, 2004
As I wrote on my blog (http://blogs.dreamfirst.com/youngj/archive/0001/01/01/175.aspx), the only way to ensure a unique vote with 100% confidence is to ask users to explicitly provide identification information. If it's crucial to ensure that only one vote is cast by each person (not a PC), then you will need to put some more security in place. Perhaps an email campaign with uniqueID could be sent to users and expire each ID once a vote has been cast? Or require users to log in?
If you are trying to build a solution generic enough to be used by many different systems, then you will never get a 100% guarantee.
- Anonymous
July 27, 2004
I think for this style of voting, just saving a cookie is probably fine - yes they can get rid of a cookie, but that's about as reasonable as it gets if you ask me.
Unless you required everyone to have client certificates for authentication - if people want to "mess" with the vote, they can.. it's the nature of the beast - you're dealing with a planet full of un-authenticated users.
- Anonymous
August 19, 2004
Session is no help, cookies don't do much either. Using IP only is a poor option, especially with proxies and forged packets... However, I still think it's better than nothing. Most web sites I visit (if not all) let you vote based on your user account with the site (although one can set up multiple accounts from multiple free email accounts, but it's starting to take up lots of time for a few votes). Keeping track of votes like that only keeps honest people honest at best...
- Anonymous
August 19, 2004
The comment has been removed
- Anonymous
March 30, 2006
Duncan Mackenzie from Microsoft posted a question about the usefulness of client IP addresses for identifying...
- Anonymous
March 31, 2006
Duncan Mackenzie from Microsoft posted a question about the usefulness of client IP addresses for identifying...
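
The per-IP time limit from the post, combined with the cookie check and with the X-Forwarded-For caveat raised in the comments, as an added example that is not part of the original post or any commenter's code. The class name, the `trusted_proxies` setting and all sample addresses are assumptions made for illustration.

```python
import ipaddress

class VoteThrottle:
    """Per-IP time-window check for a poll, used alongside a cookie check."""

    def __init__(self, window_seconds, trusted_proxies=()):
        self.window = window_seconds
        # Assumed config: networks of the reverse proxies the site itself runs.
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
        self.last_vote = {}  # (poll_id, client_ip) -> time of last accepted vote

    def _is_trusted(self, ip):
        return any(ip in net for net in self.trusted)

    def client_ip(self, peer_addr, x_forwarded_for=None):
        """Return the address to throttle on.

        X-Forwarded-For is client-controlled text unless the TCP peer is one
        of our own proxies, so it is ignored for every other peer.
        """
        peer = ipaddress.ip_address(peer_addr)
        if not x_forwarded_for or not self._is_trusted(peer):
            return peer
        # Walk right to left: the right-most entries were appended by our proxies.
        for hop in reversed(x_forwarded_for.split(",")):
            try:
                ip = ipaddress.ip_address(hop.strip())
            except ValueError:
                break  # malformed entry: stop trusting the header
            if not self._is_trusted(ip):
                return ip
        return peer

    def allow_vote(self, poll_id, peer_addr, x_forwarded_for, has_vote_cookie, now):
        """Return (accepted, reason); `now` is a timestamp in seconds."""
        if has_vote_cookie:
            return False, "cookie"
        key = (poll_id, self.client_ip(peer_addr, x_forwarded_for))
        last = self.last_vote.get(key)
        if last is not None and now - last < self.window:
            return False, "ip-window"
        self.last_vote[key] = now
        return True, "ok"
```

Because the window only delays a second vote from the same address, people sharing a NAT gateway or ISP proxy are slowed down rather than locked out.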