Track unique IP Address

[glenh]

I have a web app that is running a photo competition. Basically any
user should be able to vote on a photo with a rating between 1 and 5.
At the end of the competition the photo with the highest average
rating wins the competition.

To make things fair we would like to restrict a user from only voting
on any one photo only once. However to encourage voting we dont want
to have to force users to register/signup. So we thought perhaps that
we could track IP Addresses as well as user ids against photos.

So I would just like to know what sort of implications may arise with
tracking IP Addresses. The obvious one that comes to mind is IP
spoofing. But Im not quite sure what happens with dynamic IP
addresses? Does this mean anyone without a shared IP address will
come on with a different IP Address? What about proxy servers?

There will obviously be other measures in place to ensure that rigging
of votes will be kept to a minimum.

I thank anyone that can help shed any light on this and if they think
this is actually viable?

 

[Juan T. Llibre]

As Mark pointed out, IP addresses are pretty much useless
for keeping track of who visited your site and who did not.

You can either force people to register and login, as Mark suggested,
or issue a cookie after the user has voted, flagging that the user has voted,
so that later checks are made possible, or do both.

Forcing people to register has the disadvantage of probably reducing participation.
I generally vote at sites that don't require registration, but will walk away if registration is needed.

Issuing cookies is a simple way to keep track of who voted and who did not.

Of course, you will always have a very low percentage of people who will try to cheat by erasing
the cookie and voting again, but I suspect that their impact would be negligible on the results.




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================

 

[Hans Kesting]

glenh brought next idea :

So I would just like to know what sort of implications may arise with
tracking IP Addresses. The obvious one that comes to mind is IP
spoofing. But Im not quite sure what happens with dynamic IP
addresses? Does this mean anyone without a shared IP address will
come on with a different IP Address? What about proxy servers?

We had a customer once that wanted to track IP addresses of their
customers. Unfortunately the hosting center used a proxyserver, so the
only IP address recorded was that of that proxy server ...

Hans Kesting

 

[Juan T. Llibre]

re:
!> I think you might be surprised...

Could be...

re:
!> IMO, pretty much everyone knows about (tracking) cookies these days...

....and use it to determine the winner of a photo competition ?

Also, there's other ways to suspect of foul play.

If the cookie's time is stored in a database, and later the database is analyzed,
and 500 votes for a particular photo were sent within 15 minutes, while 30 votes
were sent for all the other competitors, I'd suspect foul play. <g>

That's an extreme case but, you're right, just cookies won't cut it.
Other protective measures should be btaken, like the example given.

Any other ideas that would help protect against multiple votes without using IPs ?




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================

 

[Larry Bud]

To make things fair we would like to restrict a user from only voting

on any one photo only once.  However to encourage voting we dont want
to have to force users to register/signup.  So we thought perhaps that
we could track IP Addresses as well as user ids against photos.

So I would just like to know what sort of implications may arise with
tracking IP Addresses.  The obvious one that comes to mind is IP
spoofing.  But Im not quite sure what happens with dynamic IP
addresses?  Does this mean anyone without a shared IP address will
come on with a different IP Address?  What about proxy servers?

How about a compromise. Have the user enter their email, then vote.
Then a link is sent to their email box and only when they click on the
link will that vote count.

Granted, you could still vote more than once by entering more than 1
email, but at least it would have to be a valid e-mail account.

 

[glenh]

Hi All,

Firstly thanks everyone who has left a comment on this post. It is
much appreciated.

Mark, to answer your question on what other measures will be put in
place to minimize rigging. We will track any photo that has a high
number of votes on it any particulary day. By nature of the site
theoritically you can only vote on one photo at a time and then the
next photo is displayed (randomly) so any photo that receives a high
number of votes in any particular day shouldnt occur (Julian has made
this same suggestion). We will also be tracking users voting of other
photos, to ensure that a particular user is not voting low 1's on
everyone else's photo. Although this I guess is allowable it is in
the t&c's that every user should vote fairly and any person trying to
influence any particular photo can have their votes pulled.

The big point to make here is that the site is offering quite a large
prize of $100,000 (potentially based on participants). So of course
we are wanting to ensure the safest and fairest process of voting.

So from what I determine so far by your comments is that IP Addresses
are not fool proof as are cookies. Im not that fond of cookies that
much as I know how easy it is to clear the cookies (you dont even have
to close down the browser) and Firefox 2 offers a shortcut key to make
it even easier.

I suspect IP addresses are slightly harder for the user to change.
Mark you say that a user may close their computer down and come back
with a new one. I dont think will be too much an issue for us as you
point out I think a user will soon get sick of this very quickly.
However Im not sure if a user can somehow change their IP address with
some program and do this quickly?

Juan I am in agreeance with you about reduced participation in voting
if users have to register and ideally is something I and my clients
would like to avoid. I think that forcing registration could possibly
discourage voting by over 50% if not more. Of course there will be an
incentive to register by offering a prize but like a lot of people a
prize draw is not an incentive. Also by not having mandatory
registration will mean more votes and ultimately the more votes photos
registered will mean foul voting will have less effect and any user
attempting to rig votes should then be more obvious pick up.

Larry we did think of that idea about activation of email accounts and
will have to be implemented when a user registers (whether
registration is mandatory or not).

At the moment I am toying with the idea of tracking IP addresses along
side with closely monitoring voting unless someone can tell me that it
is really easy to change your IP address. We have thought about
people behind proxy servers and anyone with a duplicate IP address
will be told that they have either voted or are behind a proxy server
and registration will be needed.

I have a little while to keep thinking about this so will appreciate
any other comments made.

Thanks
Glen

 

[parez]

The point here is that $100,000 is a huge sum of money, easily enough to
tempt a hacker.

For that sort of money, I (and many other people like me, many more than you
might imagine) could develop a piece of code which maintained the number of
votes for any particular photo just marginally ahead of the next most
popular photo, all coming from different IP addresses at random times
throughout the day. You'd never know...

This would take me, maybe, half an hour...

If this competition is already live, I'd be amazed if someone hasn't done
this already.

you could use the captcha test for automated programs..

http://www.codeproject.com/KB/custom-controls/CaptchaControl.aspx

if this contest is not a one time thing, you could keep the
registration process short 3-5 fields
(email,password,password,firstname,last)
and also allow users only with valid emails to vote(as suggested
before by someone)

 

[parez]

you could use the captcha test for automated programs..

http://www.codeproject.com/KB/custom-controls/CaptchaControl.aspx

if this contest is not a  one time  thing, you could keep the
registration process short 3-5 fields
(email,password,password,firstname,last)
and also allow users only with valid emails to vote(as suggested
before by someone)

you could also try flash cookies.they will be defnitely be better than
regular cookies..