What is the best way to implement a "memory" or persistence for an anonymous vote? The other day I was browsing some site (unfortunately I forgot the URL), and I could quickly "thumbs up" or "thumbs down" an item. So I voted on several items. I then closed all my browser instances, deleted all the browser history and files. I went back to the site to vote on some of the same items but it "knew" that I had already voted. So I am wondering what's the best way to accomplish this
I have read about evercookies, but somehow they don't seem like a nice way to treat your users. I don’t want to go that way. Or are evercookies the only way to accomplish this?
If evercookies were not the mechanism behind this then the only way I can think of is to remember the client's IP + User Agent + something else. But what is "something else"?
Any thoughts?
Regards, Archil
Sites may use a combination of the following to try and identify flooding or abuse of a form such as an online poll. No method is completely infallible; in fact, most are trivial to fool.
Identifying the same person:
Preventing other types of abuse:
Making the user jump through hoops:
For every measure there's an equal and opposite counter-measure. For example, an abuser might ignore cookies, vary his user-agent or use an anonymiser service that varies his IP address for every request. He might sign up using multiple accounts with throw-away email addresses, and there are even ways to try and defeat CAPTCHA (eg. replay the CAPTCHA for users on another site).
Note that to someone who is determined to disrupt, an evercookie doesn't do much more for you than a cookie. They wouldn't affect a bot, for example.
I personally do not like to use the barriers that make users jump through hoops. Hopefully I've demonstrated that even if you require registration you are not guarding against abusers all that much more than you would with a good flood control algorithm, since it's trivial to get multiple throwaway email addresses.