All geek questions in one place

How to create independent browser cookies?

  • I am trying to create a voting system in which the user can vote without registering on the site.
  • Cookies are browser dependent, so people can vote more than once if they use different browsers (I want them to not do this) (I don't want any bias)
  • I read evercookie - this is what I can use. The problem I saw with this is that the call seems asynchronous. eg

I do the following

var ec = new evercookie ec.get("id", function(value) { alert("Cookie value is " + value); if (value != null) { alert('cookie already set, returning'); return; } ec.set("id", "12345"); alert('cookie saved'); });

When I use this code, it first sets a cookie, refreshes the page and then returns a value, so I see in the following order

 cookie saved cookie already set, returning

Can anyone help me set up browser cookies?

thanks

+4
source share
3 answers

You really should not use this library. It puts a lot of garbage in the visitors browser, it is very unstable (the page is broken for me). I think it exists to declare its case and not be used in a production environment.

In addition, this can be easily worked out, simply not using a browser, but instead of a script (wget, etc.). An attacker can vote for times in such a short time.

You must store votes by IP address in the database and allow only 1 vote per day or so. This is the most common trade-off between security and usability.

+2
source

You cannot do this with cookies only.

Cookies are stored for each browser (and sometimes for each mode or session) and, in any case, can be cleared by the user at his discretion.

Now evercookie is trying to get around this by storing data in different ways, in the hope that not all of them are cleared [at the same time]. These methods, used, however, are still generally limited to this browser / profile and depend on what additional mechanisms can be used. (EC can also be bypassed by simply disabling JavaScript, adjusting [cookie or in-flight] values ​​using the debugging tool or using a non-browser to initiate requests.)

Anyway, when using the EC approach (it may have limited success, depending on the demographics, but it is far from being β€œhacked”), just set the [large] "random value" if the value is not set, and always send this value to server. (Actually, it makes no sense to require nonce from the user, since the server does not have the ability to verify that the original request was not a "duplicate", which is a kind of catch-22.)

Happy coding.

+8
source

Based on your description of what you are trying to accomplish, cookies will be a very, very bad choice. Even evercookie will not be browser independent. And, as soon as the user clears their cookies, evercookie is useless.

Storing the server ip server is the closest thing available to get what you are looking for. But even this is fraught with problems. Many corporate IT departments will set everything up so that all requests coming from their network have the same external IP address. In this case, even if there are thousands of employees, each of whom has his own computer, if one person in this network sends a vote, any other user in the same network will be blocked from this. The same applies to any home with a provider.

The bottom line is that what you are looking for is simply contrary to the very basic architecture of the Internet.

0
source

Source: https://habr.com/ru/post/1388886/

More articles:


All Articles