Identifying the same user across multiple browsers/ISP connections

Question

I run a film festival website which accepts ratings on films and I'm concerned with stopping people cheating the system (i.e. submitting multiple ratings to fix the top ten list).

I've used techniques like IP address and browser stamp checking but I'm aware some people are trying to cheat the system by changing ISP connection or browser.

What techniques, if any, do people use to identify the same user across multiple browsers and potentially different IP addresses (i.e. different ISP connections)?

I'm not expecting this to be foolproof, just trying to get the checking as good as I can get it to dissuade casual offenders.

Answer 1

You should use Flash/flex for this.

1. It's storage is a bit hard to clean (have to delete some files in crazy places on the system.
2. If done correctly it may be hard to be discovered by the end user that actually the flash is casting the vote.
3. It is the same plugin and the same data all over user's system

Of course if there is no flash support you could always degrade to registration/cookies system with ugly captcha.

Answer 2

The best way is to force people to login before they can rate something, and then you can limit votes by user. Use cookies in addition to this to deter people from creating multiple accounts just to vote more than once and that should stop most offenders.

If you find that people ARE creating multiple accounts to vote more than once, I would then implement a timer that only lets a new account be created from the same IP every x minutes. They could still game the system, but they could skew the results much less that way.