  1. #1
    Join Date
    Dec 2011
    Posts
    16

    how can an administrator prevent multiple user accounts

    If you have a website with interactive features where users can provide scores and feedback, they can distort the results by using multiple accounts. What are some good ways to deal with this?

    If you require one account per IP, that could create problems for users who legitimately share the same IP, such as in an organizational setting.

  2. #2
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    This topic would probably be better addressed at our sister site, Web Hosting Talk - The largest, most influential web hosting community on the Internet which deals with all kinds of web hosting issues.

    One thing that you might consider would be to accept multiple votes from a single IP, but throttle the votes from a single IP. For example, if you get a vote from an IP and there was another vote from that IP in the last 120 seconds, then make the site wait until the 120 second mark before recording the next vote. If there was no vote from that IP in the last 120 seconds, process the new vote as quickly as possible. I've found this practice very effective for dealing with this kind of problem because the normal user never notices it and the cheating user gets bored pretty fast.

    Another option that you might consider would be to have the web page send a confirmation email to the user that contains a URL that will actually cast the vote. That means that the user needs to visit your web page to make their choice, then collect their email to actually cast their vote. This has an additional side benefit of at least confirming the email address of the user casting the vote, at the expense of an additional step needed to retrieve the email message in order to make the vote count.

    -PatP
    In theory, theory and practice are identical. In practice, theory and practice are unrelated.
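
The confirmation-email option from the post above, as an added example that is not part of the original thread: the link carries an HMAC-signed token, and the vote counts only when that token verifies, has not expired, and the address has not already voted in that poll. The names `make_token`, `confirm_vote`, `SECRET` and the `ballots` store are hypothetical, and the addresses are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # placeholder; a real key comes from a secret store


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def make_token(email, poll_id, choice, now=None, ttl=3600):
    """Build the token that goes into the emailed confirmation URL."""
    now = time.time() if now is None else now
    body = json.dumps([email.lower(), poll_id, choice, int(now + ttl)]).encode()
    mac = hmac.new(SECRET, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(mac)


def confirm_vote(token, ballots, now=None):
    """Record the vote carried by token in ballots; return a status string."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return "malformed"
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return "bad-signature"
    email, poll_id, choice, expires = json.loads(body)
    if now > expires:
        return "expired"
    if (email, poll_id) in ballots:  # one counted vote per address per poll
        return "already-voted"
    ballots[(email, poll_id)] = choice
    return "recorded"


if __name__ == "__main__":
    ballots = {}
    link_token = make_token("A@example.org", "poll1", "yes", now=1000)
    print(confirm_vote(link_token, ballots, now=1500))  # first click on the link
    print(confirm_vote(link_token, ballots, now=1600))  # link clicked again
```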

  3. #3
    Join Date
    Dec 2011
    Posts
    16
    Originally posted by Pat Phelan:
    This topic would probably be better addressed at our sister site, Web Hosting Talk - The largest, most influential web hosting community on the Internet which deals with all kinds of web hosting issues.

    One thing that you might consider would be to accept multiple votes from a single IP, but throttle the votes from a single IP. For example, if you get a vote from an IP and there was another vote from that IP in the last 120 seconds, then make the site wait until the 120 second mark before recording the next vote. If there was no vote from that IP in the last 120 seconds, process the new vote as quickly as possible. I've found this practice very effective for dealing with this kind of problem because the normal user never notices it and the cheating user gets bored pretty fast.

    Another option that you might consider would be to have the web page send a confirmation email to the user that contains a URL that will actually cast the vote. That means that the user needs to visit your web page to make their choice, then collect their email to actually cast their vote. This has an additional side benefit of at least confirming the email address of the user casting the vote, at the expense of an additional step needed to retrieve the email message in order to make the vote count.

    -PatP
    If you just throttle it, that sounds like after 120 seconds the site will still record his votes. But if he quickly votes a thousand times, wouldn't all of them be counted after a couple days? I guess if you give an error message and ask them to wait 120 seconds, that could work.

    I'm less concerned about the speed of votes, and more about having any kind of multiple identities, because each vote needs to represent each user's true opinion.

    I'm thinking of requiring manual approval for multiple accounts under the same IP.

  4. #4
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    No, you're close but missing a key point...

    When the first vote is cast by an IP, it registers immediately (sub-second, we hope). If another vote comes in within 120 seconds, when the click registers the web server itself waits until that 120 second threshold is met before it allows the vote tied to that click (or anything else from that IP address) to register.

    This effectively throttles a given IP to one vote every 120 seconds whether that delay is caused by one user finishing what they were doing then another user starting up and casting their vote or by a script attempting to hammer the vote link/button ten thousand times per second. For the users, they should see nothing at all or maybe a short delay when a user casts a vote too soon. For a script trying to stuff the ballot box, the delay becomes a brick wall that only allows one vote to pass every 120 seconds.

    So in your example where a script sends a thousand click events to a web page at a time, here's what I'm proposing... The first event registers as it normally would and processes without delay. The second event processes, and the event processing code waits until 120 seconds after the first event processed before it attempts to process this second event. The other 998 events that the script has queued either bounce into the digital oblivion if they are asynchronous or they wait on the second event which is waiting on your web page if the events are synchronous... Either way, that IP address casts at most one vote every 120 seconds. If it launches the events asynch, then the other 998 events are just lost. If it launches the events synchronously, then it takes 33 hours and 20 minutes to cast all 1000 votes.

    -PatP
    Last edited by Pat Phelan; 01-05-12 at 00:53.
    In theory, theory and practice are identical. In practice, theory and practice are unrelated.
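
The per-IP throttle described in posts #2 and #4, as an added example that is not part of the original thread. It assumes the server computes the time at which a delayed vote registers instead of holding the request open, and that at most `max_pending` delayed votes are kept per IP with further clicks discarded; `VoteThrottle`, `replay` and the sample traffic (documentation-range IPs) are constructed for illustration.

```python
import time

WINDOW = 120  # seconds between counted votes from one IP, as in the posts above


class VoteThrottle:
    """Hypothetical helper: decides when a vote from an IP may be recorded."""

    def __init__(self, window=WINDOW, max_pending=1):
        self.window = window
        self.max_pending = max_pending  # assumption: delayed votes held per IP
        self.next_free = {}             # ip -> earliest time the next vote may register
        self.pending = {}               # ip -> release times of votes still waiting

    def submit(self, ip, now=None):
        """Return the time this vote registers, or None if it is dropped."""
        now = time.monotonic() if now is None else now
        waiting = [t for t in self.pending.get(ip, []) if t > now]
        self.pending[ip] = waiting
        slot = self.next_free.get(ip, now)
        if slot <= now:
            # No vote from this IP inside the window: record immediately.
            self.next_free[ip] = now + self.window
            return now
        if len(waiting) >= self.max_pending:
            # Queue is full: the extra click is discarded, not stored for later.
            return None
        waiting.append(slot)
        self.next_free[ip] = slot + self.window
        return slot


# Constructed sample traffic: (arrival time in seconds, client IP).
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
    (2, "198.51.100.4"), (130, "203.0.113.7"), (500, "203.0.113.7"),
]


def replay(events, throttle=None):
    """Feed events through the throttle; return (ip, registered_at) pairs."""
    throttle = throttle or VoteThrottle()
    return [(ip, throttle.submit(ip, now=t)) for t, ip in events]


if __name__ == "__main__":
    for ip, when in replay(SAMPLE_EVENTS):
        print(ip, "dropped" if when is None else f"registers at t={when}s")
```

The two dictionaries grow with the number of distinct IPs seen, so a deployment would evict entries whose slot has passed. Every client behind one shared address draws from the same slot, which is the shared-IP case raised in the first post.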

  5. #5
    Join Date
    Dec 2011
    Posts
    16
    Originally posted by Pat Phelan:
    The first event registers as it normally would and processes without delay. The second event processes, and the event processing code waits until 120 seconds after the first event processed before it attempts to process this second event. The other 998 events that the script has queued either bounce into the digital oblivion if they are asynchronous or they wait on the second event which is waiting on your web page if the events are synchronous... Either way, that IP address casts at most one vote every 120 seconds. If it launches the events asynch, then the other 998 events are just lost. If it launches the events synchronously, then it takes 33 hours and 20 minutes to cast all 1000 votes.
    If a user made one vote and then made another vote immediately afterwards, practically speaking, he'd wait two minutes for the server to respond after he clicked the vote button? I think this assumes that the average user doesn't vote more than once every x (eg 2) minutes, which may be related to the design of the website.

  6. #6
    Join Date
    Jan 2012
    Posts
    3
    I think the easiest is to block votes only from newly registered accounts within the same IP range. You can also check the IP using a DNSBL; scammers will often use proxies which have been blacklisted.

    What software are you talking about, is this a CMS or a forum? Many will have their own built-in solutions.

    Hope this helps.
