With things like AOL and other proxies… how useful is IP Address in figuring out duplicate votes/comments/etc… ?

I'm playing around with my voting control and I was thinking of (in addition to a cookie based check) querying to see how recently this IP address had tried voting and if it was within 'x' seconds, rejecting the vote...

Something more extreme, like rejecting any second vote from the same IP seems wrong, since multiple people could be coming in through the same IP.. in fact, you have to assume that is likely over time...

What do you folks think? Is a time-limit per IP address reasonable, or will that produce 'odd' behaviour for corporate and large ISP users?

Comments (13)

  1. Dylan Lewis says:

    Why not tie it to IP and User Session, that way you are more likely to exclude the same person.

  2. Sushant Bhatia says:

    Ahh but what if you close IE…what happens to the user session.

    Duncan, I was thinking about IP and was gonna suggest it in my first email to you…however, I dont think IP is a good way to exclude because first you have to keep track of it, second, you have the problem of many ppl from 1 IP (say behind a router).

    It would be better to use tokens. For instance, say there could be up to 20 ppl at max behind a router. Then set a token for each time they vote. Now if they go more than 20, well block them from voting for 1 hr or until the cookie expires.

    Its like the token voting system. You are handed a token and you vote with that token. If you use up all your tokens, then you cant vote anymore. That way you say that all IP’s have 20 votes and you can vote 20 times. This takes care of those ppl behind routers and the ones who are not.

    On Second thought, I dont like this idea.

  3. Duncan,

    ip is a bad choice for stuff like that. not only are different people using the same ip over time (which happens when they connect through any dial-up service or any suchlike serice). there are even different people using the same ip at the same time. (this happens where people connect though a common gateway using nat. this is a common setup.)

    i don’t think there is a practical way to ensure ‘reliable’ results in votes like that besides trusting the voters.


    thomas woelfer

  4. AT says:

    Another problem – instead of real people behind router and proxy – it’s possible to send forged HTTP requests with Via: and X-Forwarded-For: fields set.

    You can send as many as you wish requests with X-Forwarded-For: 10.x.x.x range.

    16581375 requests with different IPs in X-Forwarded-For: can solve Florida recount problems… ;o)

  5. Michael Byrne says:

    Its not a solution due to the uncertainty of the results. Instead of results they become educated guesses or estimates if valid votes may be dismissed due to rule confines.

    I believe th thinking should become more creative.

    Can a second piece of information be taken with the ip address, something unique like the hardware address.

  6. Young Joo says:

    As I wrote on <a href="http://blogs.dreamfirst.com/youngj/archive/0001/01/01/175.aspx">my blog</a>, the only way to ensure a unique vote with 100% confidence is to ask users to explicitly provide identification information. If it’s crucial to ensure that only one vote is casted by each person (not a PC), then you will need to build in some more security in place. Perhaps an email campaign with uniqueID could be sent to users and expire each ID once a vote has been casted? Or require users to login?

    If you are trying to build a solution generic enough to be used by many different systems, then you will never get 100% guarantee.

  7. drebin says:

    I think for this style of voting, just saving a cookie is probably fine – yes they can get rid of a cookie, but that’s about as reasonable as it gets if you ask me.

    Unless you required everyone to have client certificates for authentication – if people want to "mess" with the vote, they can.. it’s the nature of the beast – you’re dealing with a planet full of un-authenticated users.

  8. Carl B says:

    Session is no help, cookies doesn’t do much either. Using IP only is a poor option, especially with proxies and forged packets… However, I still think it’s better thank nothing. Most web sites I visit (if not all) let you vote based on your user account with the site (although one can setup multiple accounts from multiple free email accouts, but it’s starting to take up lots of time for a few votes). Keeping track of votes like that only keeps honest people honest at best…

  9. Carl B says:

    Actually, I forgot to add, about multiple computers sharing the same IPs, I just learned lately that one of the major DSL providers here in Canada has lots and lots of people behind the same IPs (that’s how they do it here at least, thousands of comptuters behind NAT sharing the one IP), and at work I’m on a huge country wide corporate network of more than 25k workstations coming off the same internet feed…

  10. Duncan Mackenzie from Microsoft posted a question about the usefulness of client IP addresses for identifying…

  11. Duncan Mackenzie from Microsoft posted a question about the usefulness of client IP addresses for identifying…

Skip to main content