Limit user activity based on IP or cookie?

I am working on a PHP script that allows users to vote on specific items. Any user, whether logged in or not, can vote. Consider the following cases:

  • If a user is logged in, I can register a user ID and I can limit the voting on the same item if he tries to vote again.
  • If the user is not logged in, I can register the IP address of the user and restrict voting on the same item from the same IP address.

If this is the first time, there is no need to record the IP address. Now the second case drives me nuts, sort of. I was wondering what happens if a user changes the IP address and then votes on the same item again. Now, even if I use cookies or session vars, it can also happen that the user starts a new session (or deletes cookies) in order to vote for the same item again.

Am I missing something? If not, how do I deal with such situations? Any thoughts?

+4
3 answers

I would seriously consider using a CAPTCHA; reCAPTCHA is a good choice.

You can restrict by IP address, but it is possible for several people to share 1 IP address, for example, a small school or business. It is also trivial to bypass it, since proxies are free and plentiful. It is also error prone because sometimes load balancing changes the IP address during a session. If you really want to limit the number of votes per person, the best choice is to require them to log in to your user account and save the votes in your database.

+6

Firstly, there are several ways to capture the IP address of a client using PHP. Here are 3 methods that I know of:

    // Header added by proxies and load balancers
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
    // Header set by some proxies
    } else if (isset($_SERVER['HTTP_CLIENT_IP'])) {
        $ipAddress = $_SERVER['HTTP_CLIENT_IP'];
    // Address of the TCP peer as seen by the web server
    } else if (isset($_SERVER['REMOTE_ADDR'])) {
        $ipAddress = $_SERVER['REMOTE_ADDR'];
    }

Secondly, if you are concerned about volatile storage, such as cookies or sessions, it is best to have a database table that stores these values. It can be a simple table with three columns: client_ip, item_id and date_created. This will allow you to track whether a specific IP address has been used to vote on a specific item.

Now the only problem that I see is when the client is sitting behind a proxy server. So, I think you have several options, each of which has its pros and cons.

+2
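An added example, not part of any answer above: the three-column table from the second answer with a unique constraint, so a repeat vote from the same address on the same item is rejected by the database itself. It also takes `X-Forwarded-For` only when the request arrives from a proxy you operate, since a client can set that header to any value. `TRUSTED_PROXIES`, `clientIp()`, `recordVote()`, the in-memory SQLite database and all addresses are assumptions made for the sketch.

```php
<?php
declare(strict_types=1);

// Assumption: addresses of reverse proxies you operate (constructed value).
const TRUSTED_PROXIES = ['10.0.0.5'];

// Use X-Forwarded-For only when the TCP peer is one of our own proxies;
// from any other peer the header is client-supplied, so REMOTE_ADDR is used.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk right to left: the rightmost entries were appended by our proxies.
        foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'])) as $hop) {
            $hop = trim($hop);
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed chain: fall back to the peer address
            }
            if (!in_array($hop, TRUSTED_PROXIES, true)) {
                return $hop;
            }
        }
    }
    return $peer;
}

// Returns true if the vote was stored, false if this IP already voted on the item.
function recordVote(PDO $db, string $ip, int $itemId): bool
{
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO votes (client_ip, item_id, date_created) VALUES (?, ?, ?)'
    );
    $stmt->execute([$ip, $itemId, date('c')]);
    return $stmt->rowCount() === 1; // 0 rows changed means the UNIQUE constraint hit
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (client_ip TEXT NOT NULL, item_id INTEGER NOT NULL,
           date_created TEXT NOT NULL, UNIQUE (client_ip, item_id))');

// Constructed requests: a direct client sending its own header, then the same client via our proxy.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];

var_dump(recordVote($db, clientIp($direct), 42));  // direct request, header ignored
var_dump(recordVote($db, clientIp($proxied), 42)); // same client and item, via the proxy
```

The constraint only enforces one vote per address per item; shared addresses and address changes behave as the answers above describe.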

You can try using evercookie; it's pretty hard to clear.

+1

Source: https://habr.com/ru/post/1336875/