Chromana wrote: Hi all.
I want to make a website where anyone can vote on a certain topic (I won't go into what it actually is). I don't want users to have to create accounts as that is always so annoying.
What precautions could/should I take to ensure the least amount of hacking/cheating on the results?
What sort of cheating are you worried about? Casual double-voting (the guy who votes, then clicks "back" and votes again), or organized ballot-stuffing efforts (people who use computer programs, open proxies, and other tools to automate the ballot-stuffing process)? What tradeoff between preventing attacks and discouraging honest voters are you willing to make?
Set up cookies and HTML5 web storage on the user's computer
This will greatly reduce casual attacks (you need a separate browser/computer to vote again), but will do nothing to stop dedicated attacks. It will have no effect on honest voters.
Store IPs in MySQL
This will slow dedicated attacks and almost totally stop casual attacks, but will also prevent honest voters behind proxies/NAT from voting.
This will slow dedicated attacks, while having less of an impact on casual attacks (answering a CAPTCHA twice is no big deal, answering it a thousand times is). It will also annoy honest voters and prevent some of them from voting.
Require email addresses and then they need to click a link which is emailed to them
This will do nothing to stop dedicated attacks, but will greatly discourage casual attacks. It will also greatly discourage honest voters.
Randomising the position of elements on the page and randomising the IDs and classes of elements
This will slow dedicated attacks until they figure out where you're storing the ID mappings. It will do nothing to stop casual attacks. It may cause problems for honest voters using screen-readers or other assistive devices if implemented poorly.
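The cookie and stored-IP checks weighed in the reply above, replayed against constructed traffic. This is an added example, not part of the thread: the `Poll` class, the signed-cookie format and the in-memory set standing in for the MySQL table are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)  # assumption: server-side key, never sent to clients

def sign(nonce):
    return hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()

def issue_cookie():  # signed "already voted" marker set in the browser after a vote
    nonce = secrets.token_hex(8)
    return nonce + "." + sign(nonce)

def cookie_valid(cookie):  # a forged or missing cookie counts as no cookie
    nonce, _, sig = (cookie or "").partition(".")
    return hmac.compare_digest(sig, sign(nonce))

class Poll:
    def __init__(self, check_ip):
        self.check_ip = check_ip
        self.seen_ips = set()  # stands in for the MySQL table of voter IPs
        self.tally = {}

    def vote(self, ip, cookie, choice):
        """Return (reason, cookie_to_set); reason is 'ok', 'cookie' or 'ip'."""
        if cookie_valid(cookie):
            return "cookie", cookie  # this browser has already voted
        if self.check_ip and ip in self.seen_ips:
            return "ip", None  # this address has already voted
        self.seen_ips.add(ip)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return "ok", issue_cookie()

def replay(poll, requests):
    """requests: (client, ip, sends_cookie) tuples; returns one reason each."""
    jars, reasons = {}, []
    for client, ip, sends_cookie in requests:
        cookie = jars.get(client) if sends_cookie else None
        reason, new_cookie = poll.vote(ip, cookie, "yes")
        if new_cookie:
            jars[client] = new_cookie
        reasons.append(reason)
    return reasons

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    ("alice", "203.0.113.5", True),   # first vote
    ("alice", "203.0.113.5", True),   # clicks "back" and votes again
    ("alice", "203.0.113.5", False),  # separate browser, same address
    ("bob", "198.51.100.7", True),    # honest voter behind a shared NAT
    ("carol", "198.51.100.7", True),  # another honest voter, same NAT
]
```

With `Poll(check_ip=False)` only the "back" click is rejected; with `Poll(check_ip=True)` the second-browser vote is rejected too, and so is carol, the honest voter sharing bob's address.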