Tags: authentication, cookies, ip-address, voting-system

Limiting an action to once per guest user (without log in)


To aid engagement, it would be preferable to allow users who are not logged in to a website to vote on a topic. Obviously this should be limited to one vote per user per topic. I am well aware that the ideal solution would in fact be to force users to log in or create an account, but (partly as a challenge) I would like to avoid this.

My research so far has pointed to some combination of the following:

  • Logging IP addresses, and rate limiting based on this info. This would cause problems for users in an environment with a common address.
  • Set a normal cookie. This could be easily spoofed / deleted.
  • Use a method of fingerprinting such as fingerprintjs2. This would be harder to spoof for the average user, but would not prevent bots. I would also imagine users in the same workplace would probably share the same fingerprint - am I correct?
  • Set some kind of supercookie that is hard to delete and hard to spoof.

What have I missed? I'm aware that this isn't ideal, but is there any kind of protocol for this?


Solution

  • Without authentication, there is no way to do that in a way that would rule out bots.

    But I believe there is a middle ground that could work.

    Since they will be anonymous votes, try to come up with the two numbers below:

    • the rate of anonymous votes per minute from a single IP that you would be comfortable just letting happen, regardless of whether it is a person or a bot.

    AND

    • the rate of anonymous votes per minute a specific topic/poll can get. This can be a higher number, but it will help control bots that use multiple IPs to vote.

    If either of those rates is reached, just inform the user that the limit of anonymous votes per minute has been reached and they have to wait a bit or register.

    That way you still get engagement from those users without worrying too much about bots.
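The two-tier scheme the answer sketches (a per-IP cap and a higher per-topic cap, both over a one-minute window) as a worked example. This is added code written for this page, not code from the question or the answer; the limit values, the sliding-window implementation, and the choice to bucket IPv6 clients by /64 (so one subscriber with a whole /64 cannot dodge the per-IP cap by rotating addresses) are assumptions, and the traffic in `demo()` is constructed.

```python
"""Two-tier rate limiter for anonymous votes: one cap per source address
per minute, one (higher) cap per topic per minute.  Written as an
illustration for this page; limits and IPv6 /64 bucketing are assumptions."""
import ipaddress
import time
from collections import deque
from typing import Optional

WINDOW_SECONDS = 60


def source_key(ip: str) -> str:
    """Normalise the client address into a bucket key.

    IPv4 addresses are used as-is.  IPv6 clients usually hold a whole /64,
    so we bucket by that prefix (assumption: one /64 == one subscriber),
    otherwise a single client could rotate through 2**64 addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class AnonVoteLimiter:
    def __init__(self, per_ip_per_minute: int, per_topic_per_minute: int,
                 window: float = WINDOW_SECONDS):
        self.per_ip = per_ip_per_minute
        self.per_topic = per_topic_per_minute
        self.window = window
        # key -> deque of accept timestamps inside the current window
        self._ip_hits = {}
        self._topic_hits = {}

    @staticmethod
    def _prune(hits: deque, now: float, window: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while hits and now - hits[0] >= window:
            hits.popleft()

    def try_vote(self, ip: str, topic: str, now: Optional[float] = None) -> str:
        """Return 'accepted', 'ip_limit' or 'topic_limit'.

        Only accepted votes are recorded, so a throttled client does not
        extend its own penalty by retrying; the per-IP check runs first so
        one noisy address is reported as such rather than blamed on the topic."""
        now = time.monotonic() if now is None else now
        ip_hits = self._ip_hits.setdefault(source_key(ip), deque())
        topic_hits = self._topic_hits.setdefault(topic, deque())
        self._prune(ip_hits, now, self.window)
        self._prune(topic_hits, now, self.window)
        if len(ip_hits) >= self.per_ip:
            return "ip_limit"
        if len(topic_hits) >= self.per_topic:
            return "topic_limit"
        ip_hits.append(now)
        topic_hits.append(now)
        return "accepted"


def demo() -> list:
    """Constructed traffic: one address hammering a topic, then a spread of
    addresses filling the topic cap, then the window rolling over."""
    lim = AnonVoteLimiter(per_ip_per_minute=3, per_topic_per_minute=5)
    out = []
    # one address votes four times in four seconds: 3 accepted, 4th refused
    for t in range(4):
        out.append(lim.try_vote("203.0.113.7", "42", now=t))
    # fresh addresses (a multi-IP bot) push the topic to its cap of 5
    out.append(lim.try_vote("198.51.100.1", "42", now=5))
    out.append(lim.try_vote("198.51.100.2", "42", now=6))
    out.append(lim.try_vote("198.51.100.3", "42", now=7))   # topic_limit
    # 70 s later every earlier vote has left the window: accepted again
    out.append(lim.try_vote("203.0.113.7", "42", now=70))
    return out


if __name__ == "__main__":
    print(demo())
```

Two deployment caveats that the answer's sketch leaves implicit: the IP fed to `try_vote` must come from the TCP connection, or from a proxy header (`X-Forwarded-For`, `Forwarded`) only when the immediate upstream is a proxy you control, since a client can otherwise set that header to anything and get a fresh bucket per request; and the state here lives in one process, so a site running several instances would keep the same counters in a shared store (Redis or similar) with the same prune-then-check logic.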