
PHP Voting - Track User


I am implementing a voting system using PHP and JavaScript. Everything works well, but I am having trouble preventing people from voting multiple times. Right now, I'm using cookies to check if the user voted already:

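// Assumes $today was set earlier, in the same format the cookie stores.
$voted = 0;
if (isset($_COOKIE['lastdate'])) {
    // The cookie is client-controlled: it can be deleted or edited at will.
    $val = $_COOKIE['lastdate'];
    if ($val == $today) {
        $voted = 1;
    }
}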

It works, but it is vulnerable to people going incognito or switching browsers/clearing cookies.

Why don't I use IP address? Because we use this site at work and all computers connect to a router, so all IPs are the same.

The question is, how can I prevent multi-voting, identifying the client, but without the regular IP and without using any kind of authentication/login?


Solution

  • Unfortunately, without using some form of authentication the user will always be able to bypass your attempt to block them.

    An incognito window removes all cookies and creates a new session, meaning you've now got nothing to identify that user with. Adding both cookie and session checks will lessen the cheating, but there really is no other way around this.

    I'd recommend one-click login from social networks; that usually is a good mix for users: they don't have to register, but they still log in. This means they could only possibly cheat using multiple social media accounts, which is far more work.
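
The answer's recommendation, as an added example that is not part of the original answer: once a social login has supplied a stable account id, the one-vote-per-day rule is enforced server-side by a unique database constraint rather than by a cookie. The table layout, the function names and the `provider:subject` account id format are assumptions, and in-memory SQLite through PDO stands in for the site's real database.

```php
<?php
declare(strict_types=1);

// Hypothetical vote store. The UNIQUE constraint is the actual control:
// the database refuses a second row for the same poll, account and day.
function openVoteStore(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS votes (
        poll_id    INTEGER NOT NULL,
        account_id TEXT    NOT NULL,
        vote_date  TEXT    NOT NULL,
        choice     TEXT    NOT NULL,
        UNIQUE (poll_id, account_id, vote_date)
    )');
    return $db;
}

// Returns true if the vote was stored, false if this account already voted
// on $today. $accountId must come from the server-side login session
// (assumed to be set by the OAuth callback), never from a cookie or form field.
function castVote(PDO $db, int $pollId, string $accountId, string $choice, string $today): bool
{
    $stmt = $db->prepare(
        'INSERT INTO votes (poll_id, account_id, vote_date, choice) VALUES (?, ?, ?, ?)'
    );
    try {
        $stmt->execute([$pollId, $accountId, $today, $choice]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, i.e. a duplicate vote.
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e; // any other database error is a real failure
    }
}

// Constructed demo data: two accounts voting on poll 1.
$db    = openVoteStore();
$today = date('Y-m-d');
var_dump(castVote($db, 1, 'google:1001', 'A', $today)); // first vote for this account
var_dump(castVote($db, 1, 'google:1001', 'B', $today)); // repeat, regardless of browser or cookies
var_dump(castVote($db, 1, 'github:77', 'A', $today));   // a different account
```

Because the check is a single INSERT against the constraint, two simultaneous requests from the same account cannot both succeed, which a separate "SELECT then INSERT" check would allow.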