View Full Version : Web polls
bmoyles
08-13-2002, 06:02 PM
What's a good method for stopping cheating in web polls?
Can't do IP only, since AOL, MSN, and others use web proxies, thus potentially blocking millions...
Cookies can be deleted...
What's a good solution?
Well, you could require a login (with email verification) and let each account only vote once.. Of course, this would in no way prevent cheating, but it would make it more difficult.. a user would have to go through the registration process multiple times. Furthermore, to prevent automation of registering, you can supply a picture with a word in it, and ask the user to type that word in.. I think yahoo and some other places do that.
In short, I don't believe there are guaranteed methods of preventing cheating.
Strike
08-13-2002, 07:44 PM
You could use cookies, but then I'd have to kill you. And besides, that doesn't ensure that they only vote once anyway.
sans-hubris
08-13-2002, 10:12 PM
You can never completely prevent cheating in web polls. For that matter, you can never completely prevent cheating in any poll. You can only make it very difficult to cheat in a poll, and thus, hopefully, deter anyone from cheating in a poll.
jemfinch
08-14-2002, 12:10 AM
Hmm. I think I disagree with sans-hubris, but for a really cheat-proof poll you're going to have to put up some restrictions; specifically, you'll have to limit poll votes to be, say, within 60 seconds of the time you've sent the page to the client.
When someone downloads a page containing a poll, give them a cookie with some random "seed" in it -- something like 32 bytes of randomness (hex-encoded, so it'll be a 64 byte string). Prepend the "seconds since epoch" integer to that string.
Then, on the <input> tag (iirc my HTML, that's what's used when someone picks a poll option), make the link to a CGI with a parameter of some other string determined in a cryptographically secure way from the string you put in the cookie; basically, take the seed from the cookie, prepend something secret to it (just some password known only to the CGI that handles the poll votes). So if your password is "pa55w0rd", you'll prepend that to the string in the cookie and make the parameter to the CGI that handles poll results be the MD5 hash of that string.
When the CGI gets a request on the vote, it gets the seed from the cookie and checks the first 10 digits (that's the length of a "seconds since epoch" string these days) to see that the time encoded is within the past expiration period (that is, "seconds since epoch" now is not more than, say, 60 seconds later than "seconds since epoch" on the cookie). If the cookie was given within the expiration period, then the CGI prepends its secret to the seed from the cookie, hashes the resulting string, and checks to make sure that the parameter it was passed matches this hash. If so, then the vote is a valid vote and its result can be added to the tally. If the hash doesn't match, then it was altered and you know someone's trying to cheat. You can send the FBI whenever you want.
Now, to stop repeat voting, you
----
The previous stuff is included simply for the archive, and since I spent a lot of time writing it.
It's not right, though, and I now think I might agree with sans-hubris. But here's what I thought of until I agreed.
Jeremy
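The timestamped, signed page token described in the post above, as an added example that is not part of the original thread. It swaps the post's MD5(secret + cookie) for HMAC-SHA256, and the secret value and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-secret"  # placeholder; known only to the vote handler
MAX_AGE = 60                         # seconds a served poll page stays valid

def _mac(cookie):
    # The post hashes secret+cookie with MD5; HMAC-SHA256 is used here instead.
    return hmac.new(SECRET, cookie.encode(), hashlib.sha256).hexdigest()

def issue(now=None):
    """Return (cookie, form_param) for one freshly served poll page."""
    now = int(time.time()) if now is None else int(now)
    # 10-digit epoch seconds, then 32 random bytes hex-encoded (64 characters).
    cookie = f"{now:010d}{secrets.token_hex(32)}"
    return cookie, _mac(cookie)

def verify(cookie, param, now=None):
    """True if the cookie is unaltered and was issued within MAX_AGE seconds."""
    now = int(time.time()) if now is None else int(now)
    if len(cookie) != 74 or not cookie[:10].isdigit():
        return False
    # Authenticate first, so the timestamp is only trusted once it is proven ours.
    if not hmac.compare_digest(_mac(cookie).encode(), param.encode()):
        return False
    age = now - int(cookie[:10])
    return 0 <= age <= MAX_AGE
```

Because `verify` keeps no state, the same cookie and parameter pass every time they are presented inside the 60-second window, so the token limits how long a served page is usable, not how many votes it yields.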
sans-hubris
08-14-2002, 12:34 AM
The only thing that I could think of to help reduce cheaters would be to require some sort of identification, such as a SSN, driver's license number, credit card number, or any other such identification, and check the name against it in the respective database. Of course, then you need to deal with privacy issues, and something like this should be used sparingly.
Of course, even that doesn't prevent cheating since identity theft is so rampant these days.
Bradmont
08-14-2002, 02:14 AM
Originally posted by jemfinch
Hmm. I think I disagree with sans-hubris, but for a really cheat-proof poll you're going to have to put up some restrictions; specifically, you'll have to limit poll votes to be, say, within 60 seconds of the time you've sent the page to the client.
When someone downloads a page containing a poll, give them a cookie with some random "seed" in it -- something like 32 bytes of randomness (hex-encoded, so it'll be a 64 byte string). Prepend the "seconds since epoch" integer to that string.
Then, on the <input> tag (iirc my HTML, that's what's used when someone picks a poll option), make the link to a CGI with a parameter of some other string determined in a cryptographically secure way from the string you put in the cookie; basically, take the seed from the cookie, prepend something secret to it (just some password known only to the CGI that handles the poll votes). So if your password is "pa55w0rd", you'll prepend that to the string in the cookie and make the parameter to the CGI that handles poll results be the MD5 hash of that string.
When the CGI gets a request on the vote, it gets the seed from the cookie and checks the first 10 digits (that's the length of a "seconds since epoch" string these days) to see that the time encoded is within the past expiration period (that is, "seconds since epoch" now is not more than, say, 60 seconds later than "seconds since epoch" on the cookie). If the cookie was given within the expiration period, then the CGI prepends its secret to the seed from the cookie, hashes the resulting string, and checks to make sure that the parameter it was passed matches this hash. If so, then the vote is a valid vote and its result can be added to the tally. If the hash doesn't match, then it was altered and you know someone's trying to cheat. You can send the FBI whenever you want.
Now, to stop repeat voting, you
----
The previous stuff is included simply for the archive, and since I spent a lot of time writing it.
It's not right, though, and I now think I might agree with sans-hubris. But here's what I thought of until I agreed.
Jeremy
You're crazy.
(and that still doesn't fix the delete-cookie-and-vote-again method)
Strike
08-14-2002, 08:26 AM
Even if you couldn't delete cookies, you could go to another public computer and vote.
jemfinch
08-14-2002, 05:38 PM
Originally posted by Bradmont
You're crazy.
(and that still doesn't fix the delete-cookie-and-vote-again method)
Why am I crazy? :)
Keep in mind, I'm the same person who's developed a secure authentication method for an IRC bot so a person can authenticate and not send their password over the network in plaintext :)
It doesn't fix the "vote again" problem, no matter what you do with the cookie. I couldn't think of a good way to fix that, but instead of just trashing my post, I figured I'd post it as an example of my thought process (as if anyone was ever interested in that!) for posterity's sake.
I'm still chugging on it, though, I'm pretty sure I'll think up a method somehow :)
Jeremy
phubuh
08-30-2002, 10:44 AM
I'm pretty sure you won't, jemfinch. What he's asking for is pretty much impossible.
Jemfinch's method is very complex and somewhat ineffective. It basically prevents the user from continuing to submit the same poll page after $x seconds elapse, but will let them submit it as many times as they want beforehand.
A better implementation of his functionality would be to generate sequential (or random, but unique (or just random, it's not like 1 collision every 4 billion generations matters)) IDs and store them in a database along with a timestamp. When a vote is submitted, check the ID: if it's in the database, delete it from the database and record the vote. Otherwise, discard the vote. Then just add a cron script to clean up IDs more than an hour old every hour. This will allow the page to be submitted exactly once.
However, this doesn't solve anything, and basically you can't prevent users from voting multiple times. All you can do is make voting take enough time that stuffing the ballot box isn't worth the effort. The simplest effective way to do this would be via one of those images with letters/numbers in them that the user must type into a box. This prevents automation and forces users to take several seconds per submission.
Of course, this is really silly on your run of the mill "whut flavur of ice creme do u like best??" poll, and will dissuade users from voting. A more transparent method of roughly equivalent effectiveness would be to write a tool that looks at logs and picks out streaks of the same IP voting for an option over and over again in a limited period of time and then reduces the vote count appropriately. However, this is a much more complex undertaking, and involves various heuristics which would be a pain in the ass to calibrate.
Essentially, you can not prevent people from voting twice. You can prevent IPs from voting twice, you can prevent users from holding the 'return' key on your poll page to submit over and over again, you can prevent users from writing a script to automate submissions, you can prevent people from voting over and over again in a short period of time, you can eliminate flagrant abuses from the record, or you can implement any combination of these blocks. It's just a matter of how much time you care to spend making sure no one votes for "chocolate" too many times.
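The single-use page ID store described in the post above, as an added example that is not part of the original thread. The table layout, function names and the in-memory SQLite database are assumptions made for the illustration.

```python
import secrets
import sqlite3
import time

MAX_AGE = 3600  # the post's cleanup window: IDs older than an hour are dropped

def open_store():
    db = sqlite3.connect(":memory:")  # in-memory database for the demo
    db.execute("CREATE TABLE poll_ids (id TEXT PRIMARY KEY, issued INTEGER)")
    db.execute("CREATE TABLE tally (choice TEXT PRIMARY KEY, votes INTEGER)")
    return db

def issue_id(db, now=None):
    """Create the ID embedded in one served copy of the poll page."""
    now = int(time.time()) if now is None else int(now)
    poll_id = secrets.token_hex(16)
    with db:
        db.execute("INSERT INTO poll_ids VALUES (?, ?)", (poll_id, now))
    return poll_id

def cast_vote(db, poll_id, choice, now=None):
    """Count the vote only if poll_id is known, unexpired and not yet used."""
    now = int(time.time()) if now is None else int(now)
    with db:  # one transaction: consuming the ID and counting happen together
        cur = db.execute(
            "DELETE FROM poll_ids WHERE id = ? AND issued >= ?",
            (poll_id, now - MAX_AGE))
        if cur.rowcount != 1:
            return False  # unknown, expired or already spent
        db.execute("INSERT OR IGNORE INTO tally VALUES (?, 0)", (choice,))
        db.execute("UPDATE tally SET votes = votes + 1 WHERE choice = ?",
                   (choice,))
    return True

def purge_expired(db, now=None):
    """What the hourly cron job would run; returns the number of IDs removed."""
    now = int(time.time()) if now is None else int(now)
    with db:
        cur = db.execute("DELETE FROM poll_ids WHERE issued < ?",
                         (now - MAX_AGE,))
    return cur.rowcount

def votes_for(db, choice):
    row = db.execute("SELECT votes FROM tally WHERE choice = ?",
                     (choice,)).fetchone()
    return row[0] if row else 0
```

Each served page can be submitted once, but reloading the page yields a fresh ID, which is why this stops resubmission of one page and not repeat voting.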
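The log-review tool mentioned in the post above, sketched as an added example that is not part of the original thread. The log format and sample lines are constructed, and the window and per-IP allowance are assumed values that would need calibrating per site.

```python
from collections import defaultdict

WINDOW = 600    # seconds; assumed value
MAX_PER_IP = 3  # votes per IP and option counted inside one window; assumed

# Constructed sample log: "<epoch-seconds> <client-ip> <option>"
SAMPLE_LOG = """\
1029283800 192.0.2.10 chocolate
1029283805 192.0.2.10 chocolate
1029283811 198.51.100.7 vanilla
1029283816 192.0.2.10 chocolate
1029283822 192.0.2.10 chocolate
1029283829 203.0.113.5 vanilla
1029283833 192.0.2.10 chocolate
1029283840 192.0.2.10 chocolate
1029283900 203.0.113.5 vanilla
1029284700 192.0.2.10 chocolate
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]

def adjusted_tally(log, window=WINDOW, max_per_ip=MAX_PER_IP):
    """Return (raw, adjusted, flagged); flagged maps (ip, option) to the
    number of votes discounted as part of a streak."""
    raw, adjusted, flagged = defaultdict(int), defaultdict(int), defaultdict(int)
    kept = defaultdict(list)  # (ip, option) -> timestamps of counted votes
    for ts, ip, option in sorted(parse(log)):
        raw[option] += 1
        # Only counted votes still inside the sliding window matter.
        recent = [t for t in kept[(ip, option)] if ts - t < window]
        if len(recent) >= max_per_ip:
            flagged[(ip, option)] += 1  # streak: keep in the log, drop from count
        else:
            recent.append(ts)
            adjusted[option] += 1
        kept[(ip, option)] = recent
    return dict(raw), dict(adjusted), dict(flagged)
```

Lowering `max_per_ip` to 1 also discounts the second vote from 203.0.113.5, which is the shared-proxy problem raised in the first post of the thread.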
phubuh
09-08-2002, 06:37 PM
Make them insert their e-mail address, home address, credit card number, social security number, and a bunch of other crap!
Originally posted by phubuh
Make them insert their e-mail address, home address, credit card number, social security number, and a bunch of other crap!
This is no good unless you can verify the information. You can't verify home address, CCN's and SSN's are a bit of a stretch, and there are few other personal identifiers.
Email is okay, except that you have to set up an email verification system which will reduce the number of people willing to vote in your poll, and it's easy to obtain an arbitrarily large number of email addresses: if you control a server, you can set any invalid address to forward to "invalid@your-server.com" or whatever. You could even automate the process by having a bot submit a large number of polls with various @your-server.com addresses, check the 'invalid' account, and "click" the links.