Wouldn’t the better solution be to keep a log of previous client IPs, on the server side? Sure, VPN will circumvent it, but it’s much easier for me to clear a cookie 100 times then to connect to 100 different VPNs.
50 votes in a browser would take an hour, but 5,000,000 votes in a browser’s dev tools would take an hour and fifteen minutes; it’s the kind of thing people can write a bit of code to do for them. (I’m a web dev, this doesn’t sound like a challenge to me if there’s no security)
You need to track the user for a poll. Sessions don’t work since private browsing enables duplicate votes. Tracking the IP can block users from the same network/wifi. Cookies get auto-sent and browser storage is only clientside. Really not many more options aside from making an account on a site and logging in. I find it a pretty reasonable solution actually.
Cookies fall short just the same as sessions. you’re asking the user to pinkie promise they won’t clear their cookies / modify them.
An account seems the most logical. You need to avoid duplicates ; it’s not really about privacy here. You’ll only make a tradeoff between accomplishing no duplicates and letting users do what they want.
There’s no way to prevent a malicious user from voting multiple times in an online poll, unless you can somehow tie it to a real world identity (and even then it’s not going to be easy).
This is just something to stop the workarounds that a 50 year old CEO was aware of.
I mean, of all sites, polls make the most sense to require cookies to avoid duplicate votes.
Wouldn’t the better solution be to keep a log of previous client IPs, on the server side? Sure, VPN will circumvent it, but it’s much easier for me to clear a cookie 100 times then to connect to 100 different VPNs.
The EU has made logging IP addresses generally illegal.
Except that it is really easy to clear cookies
Not if you don’t know what cookies even are. Stops the regular Joe just fine
All it takes to swing a poll by 8,000 votes is one person that knows how to clear cookies. It’s not even about stopping regular joes.
*one person who knows how to clear cookies…and has WAY too much time on his hands.
50 votes in a browser would take an hour, but 5,000,000 votes in a browser’s dev tools would take an hour and fifteen minutes; it’s the kind of thing people can write a bit of code to do for them. (I’m a web dev, this doesn’t sound like a challenge to me if there’s no security)
Cookies are really inappropriate for this use…
You need to track the user for a poll. Sessions don’t work since private browsing enables duplicate votes. Tracking the IP can block users from the same network/wifi. Cookies get auto-sent and browser storage is only clientside. Really not many more options aside from making an account on a site and logging in. I find it a pretty reasonable solution actually.
Cookies fall short just the same as sessions. you’re asking the user to pinkie promise they won’t clear their cookies / modify them.
An account seems the most logical. You need to avoid duplicates ; it’s not really about privacy here. You’ll only make a tradeoff between accomplishing no duplicates and letting users do what they want.
It could be useful to prevent accidental duplicate votes. But definitely not sufficient for malicious actors.
There’s no way to prevent a malicious user from voting multiple times in an online poll, unless you can somehow tie it to a real world identity (and even then it’s not going to be easy).
This is just something to stop the workarounds that a 50 year old CEO was aware of.