abhisek

Reputation: 952

Restrict User Activity Based on IP or on Cookie?

I am working on a PHP script that allows users to vote on certain items. Any user, whether logged in or not, can vote. Consider the following cases:

  1. If the user is logged in, I can log the user's ID, and can restrict voting on the same item if he tries to vote again.
  2. If the user is not logged in, I can log the user's IP, and restrict voting on the same item from the same IP.

If it's the first case, there's no need to log the IP. Now, the second case is driving me nuts, sort of. I was wondering: it may happen that the user changes IP and then votes again on the same item. Now, even if I use cookies or session vars, it may also happen that the user starts a new session (or has deleted the cookies) to vote on the same item again.

Am I missing something? If not, how to handle such situations? Any thoughts?

Upvotes: 4

Views: 2312

Answers (3)

German Rumm

Reputation: 5832

You can try using evercookie; it's kinda difficult to clear.

Upvotes: 1

Wilhelm Murdoch

Reputation: 1816

First off, there are a few ways to grab a client's IP address using PHP. Here are 3 methods that I know of:

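$ipAddress = null; // stays null if none of the three values is present

// X-Forwarded-For and Client-IP are request headers, so the client can set them to any value.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $ipAddress = $_SERVER['HTTP_CLIENT_IP'];
} else if (isset($_SERVER['REMOTE_ADDR'])) {
    // Address of the TCP peer as seen by the web server.
    $ipAddress = $_SERVER['REMOTE_ADDR'];
}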

Second, if you're worried about volatile storage, such as cookies or sessions, it may be best to have a database table which stores these values. It could be a simple table with 3 columns: client_ip, item_id and date_created. This would allow you to track whether a specific IP address was used to vote for a certain item.

Now, the only problem I see with this is if the client is at work and sitting behind a proxy. So, I guess you have a few options, each with their own pros and cons.

Upvotes: 2

rook

Reputation: 67029

I would seriously consider using a CAPTCHA; reCAPTCHA is a good choice.

You could restrict by IP address, but it's possible for a number of people to share 1 IP address, such as a small school or business. It's also trivial to bypass because proxies are free and plentiful. It's also error-prone because sometimes a load balancer will change the IP address during a session. If you really want to limit the number of votes per person, your best bet is to require them to log in to a user account and store the votes in your database.

Upvotes: 6
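
Added example, not part of any answer above: the vote table from the second answer combined with the account-based key from the third, with one row per (item, voter) and forwarding headers ignored unless the request arrives through a proxy you run. The `votes` schema, `TRUSTED_PROXIES`, `clientIp()` and `castVote()` are assumptions for illustration, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example; table, function and constant names are assumptions.
const TRUSTED_PROXIES = ['10.0.0.5']; // assumed: reverse proxies you operate

// X-Forwarded-For is honoured only when the direct peer is one of our own
// proxies; from any other peer the header is client-controlled and ignored.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Assumes the proxy appends the peer it saw as the right-most entry.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

// One vote per (item, voter). The UNIQUE constraint decides atomically, so
// two simultaneous requests from the same voter cannot both be counted.
function castVote(PDO $db, int $itemId, ?int $userId, string $ip): bool
{
    $voterKey = $userId !== null ? "user:$userId" : "ip:$ip";
    $stmt = $db->prepare('INSERT INTO votes (item_id, voter_key, date_created) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$itemId, $voterKey, gmdate('Y-m-d H:i:s')]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // integrity constraint violation
            return false;                          // this voter already voted
        }
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (item_id INTEGER NOT NULL, voter_key TEXT NOT NULL,
    date_created TEXT NOT NULL, UNIQUE (item_id, voter_key))');

// Constructed requests: a direct client that changes a forged header between votes.
$req = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
var_dump(castVote($db, 42, null, clientIp($req)));
$req['HTTP_X_FORWARDED_FOR'] = '198.51.100.2';
var_dump(castVote($db, 42, null, clientIp($req)));
var_dump(castVote($db, 42, 7, clientIp($req))); // logged-in user, keyed by account id
```

The second anonymous vote is rejected because the key is built from the peer address rather than the header the client changed, while the logged-in vote from the same address is still accepted. This narrows the header problem only; shared addresses and clients that switch networks remain as the answers describe.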
