Prevent Visitors from Voting again

Question

Orginal Question

I want to implement a voting system on my page that is open to visitors and users i.e. non-authenticated users can vote.

Is there a rails/rack (or other) solution to identify visitors for this purpose?

Summary/Result:

If you want to implement a system where a visitor can take a certain action only once, i.e. a voting system. You have to divide your visitors into two groups:

Visitors that don't want to/don't have the tools to trick voting

Visitors that don't manipulate the result can be tracked using techniques such as: evercookie, Webbrowser Fingerprinting (panopticklick) and IP-Blocking.

Gems:

JS:

https://github.com/carlo/jquery-browser-fingerprint

Paid-Services:

http://threatmetrix.com

Visitors that want and can trick voting

Visitors that want to manipulate the result will and can do this. Here's a example. You can set the barrier high for those visitors, but its usually easier for them to bypass those than for you to implement them. The reasons for this are perfectly outlined by the answers to this question.

curiousguy · Accepted Answer

Client software identification

Web browser fingerprinting

panopticklick only identify browser configuration, not human beings. Just using a different browser (IE/FF/Opera/Chrome) on the same computer, using the same browser on a different user account on the same computer (different set of installed plug-ins, so different browser fingerprint) or using a different computer will "fool" panopticklick.

This is not a weakness of panopticklick, as panopticklick does not try to identify human beings, only Web browsers.

"Private browsing mode" should make the browser fingerprint less unique.

Cookies

evercookie, just like any sort of cookie, is specific to a user account (or a computer) : just using a different account or a different computer would give you a different identity. (Different users cannot access each other cookies because of file permissions.)

"Private browsing mode", if implemented properly, will clear all cookies, including "super cookies".

IP address

Changing IP address

Some subscribers have :

a fixed IP address;
an IP address which changes rarely;
an IP address which changes if they unplug their modem for hour, days, or weeks;
an IP address which changes almost every time they reboot their modem;
an IP address which changes every 24 h, even if they do not want that (as the IP address change will break TCP connexions).

This is not made-up. I know ISP with all these different IP allocation policies. I have no statistics about the number of users in these different categories, however.

Some ISP will make you pay just to have a fixed IP address. So I believe a changing IP address is pretty much the norm in practice for most Internet users.

Proxies

Using an anonymous proxy (including Tor) will give a different IP address, just as a VPN.

But all the proxy users (or all users of a Tor exit node) will probably have the same IP address.

Shared IP address

In almost all cases, family members will share an IP address.

Most small/medium businesses have only one outside address. This has been a problem in practice with per-IP anti-spam limit for webmails.

Almost all mobile IP users share the same IP address with a few or a lot of other users. This has been a problem in practice with per-IP anti-DOS limit! The server administrator had to list outgoing IP addresses and white-list them! Whenever the mobile ISP uses a new outgoing IP address, its clients are blocked again until the server administrator adds the new IP address.

You probably do not want to play this "game".