I've been reading up on stackoverflow about creating voting systems in PHP that minimize abuse/multiple voting from the same user, but I haven't come across the answer to my question.
I've got an application where users don't need to register to vote or "like" an entry. Obviously, I want to minimize abuse and I don't want to limit votes per IP address because some organisations (mine included) use shared IP addresses.
I've never used sessions in a non-authenticated system before, but since this application is centered around entry votes (used for purely entertainment value, but I'd still like to minimize abuse) I was wondering if this approach would work and whether there were any disadvantages such as performance implications, and whether it's even possible to use sessions in this way:
- start a session when the website is loaded
- allow one vote per item per session
If this is a bad idea, my alternative options would be to allow a reasonable number of votes per IP address (say 25), or put a time limit between votes from the same IP address.
What do you guys recommend/what do you think would be most annoying for a user? Restarting a browser, waiting 5 minutes between votes or clearing cookies?
There is really no way to make a "serious" voting system without user authentication, all other options have flaws:
- sessions end when you close the browser, so just reopen it and you're fresh
- cookies are your best shot, but they can be cleared or even refused
- ip addresses are unreliable and/or not applicable
Session alone is a bad idea, because if you close the browser and come back you will be able to vote again. You can use the session as a "helper". The best option is to use IP limiting. You can also use cookies, but again only as a "helper", because you can clear cookies from the browser. I suggest you use IP limiting like you said, one IP can vote 25 times, and use cookies to limit a computer to voting only once. So if a user wants to vote more than once, he can delete a cookie, but he won't be able to vote more than 25 times.
I agree with kemp that cookies are the best choice. Furthermore, sessions also use cookies - the difference is that a session cookie is deleted when the browser is closed, while a "simple" cookie is deleted when it expires, which is "better" in this case.
As for IP addresses, users can use proxies to bypass "IP filtering".
When voting finishes, someone might go through the results to see if there's anything suspicious (like 100 votes from a single IP in 5 minutes) - that would help get more truthful results.
You could use both cookies and a server cache mechanism like apc/memcached. Store vote results in the cookie and in the apc cache using the same key / cookie name, and check for the existence of both. If the cookie is deleted but the apc key still exists then you know someone is attempting to re-vote, and you could just reset the cookie and increase the lifetime of the apc cache value.
It's not bulletproof, but in the absence of a database I think it's a good solution. Keep in mind that if the server runs out of RAM it will flush the APC cache.
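The cookie-plus-cache check described above, as an added example (not code from the answer's author): the cache key is scoped by a per-visitor value, which this example assumes is derived from IP and User-Agent, since a shared cache otherwise cannot tell whose cookie went missing; the array-backed cache and the `$setCookie` callback are stand-ins so it runs from the command line.

```php
<?php
// Added example, not code from the answer above. One vote per item per visitor,
// recorded both in a long-lived cookie and in a server-side cache and checked in
// both places. The array cache is a stand-in so this runs on the CLI; in production
// replace it with apcu_fetch()/apcu_store() (APCu) or Memcached.
declare(strict_types=1);

const VOTE_TTL = 30 * 24 * 3600; // 30 days, for both the cookie and the cache entry

final class ArrayCache
{
    private array $data = [];
    public function get(string $key): ?string { return $this->data[$key] ?? null; }
    public function set(string $key, string $value, int $ttl): void { $this->data[$key] = $value; }
}

// $visitorKey is this example's assumption: a per-visitor value the server can derive
// without a login (e.g. sha256 of IP + User-Agent; coarse behind a shared IP).
// $setCookie receives (name, value, ttl) so the logic runs without an HTTP response;
// in a real handler pass a setcookie() wrapper. Returns ['accepted' => bool, 'reason' => string].
function castVote(string $itemId, string $visitorKey, array $cookies, ArrayCache $cache, callable $setCookie): array
{
    $cookieName = 'voted_' . $itemId;
    $cacheKey   = $cookieName . ':' . $visitorKey; // same name, scoped to the visitor
    $hasCookie  = isset($cookies[$cookieName]);
    $hasCache   = $cache->get($cacheKey) !== null;
    if ($hasCookie && $hasCache) {
        return ['accepted' => false, 'reason' => 'already voted'];
    }
    if ($hasCache) {
        // Cookie gone but the server still remembers: a re-vote after clearing cookies.
        // Re-set the cookie and extend the cache entry's lifetime, as the answer suggests.
        $setCookie($cookieName, '1', VOTE_TTL);
        $cache->set($cacheKey, '1', 2 * VOTE_TTL);
        return ['accepted' => false, 'reason' => 'cookie cleared, re-vote blocked'];
    }
    if ($hasCookie) {
        // Cache entry lost (e.g. APC flushed under memory pressure): trust the cookie, restore the cache.
        $cache->set($cacheKey, '1', VOTE_TTL);
        return ['accepted' => false, 'reason' => 'cache lost, cookie still present'];
    }
    $setCookie($cookieName, '1', VOTE_TTL);
    $cache->set($cacheKey, '1', VOTE_TTL);
    return ['accepted' => true, 'reason' => 'vote recorded'];
}

// Constructed walk-through: a first vote, then a retry after the user clears cookies.
$cache = new ArrayCache(); $jar = [];
$setCookie = function (string $n, string $v, int $ttl) use (&$jar): void { $jar[$n] = $v; };
$visitor = hash('sha256', '203.0.113.7|Mozilla/5.0'); // constructed IP + User-Agent
echo castVote('entry42', $visitor, $jar, $cache, $setCookie)['reason'], "\n";
$jar = []; // cookies cleared
echo castVote('entry42', $visitor, $jar, $cache, $setCookie)['reason'], "\n";
```

Any visitor who clears cookies and changes their IP or User-Agent still gets past this, which is the flaw the answers above already point out; it only raises the effort, it does not authenticate anyone.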