A simple voting system: how to prevent duplicate votes [duplicate]

Answer 1

This is what you should probably do:

1) As soon as user votes, you should make an ajax call to the server and update the flag in the database and disable the voting using javascript.

2) If the user refreshes the page and tries to vote up again, the server would be knowing that the vote has already been made(as it is saved in database) so the voting system will appear disabled on the page.

3) If the user tries to enable the voting using chrome tools or firebug by modifying the source of page, you can create a check at database end by setting the composite key on userID and "vote" flag which would prevent the duplicate votes.

Hope it helps..

Answer 2

It is certainly possible to do this securely client-side. However, as noted by others, it does require users to login. If you're already using Firebase, this is actually pretty easy to implement using the FirebaseAuthClient.

You can then couple this with Firebase security rules to enforce that any logged in user can only upvote once. Check out the screencast on the security page for an example!

Your security rules might look like:

{
  "rules": {
    "users:" {
      "$userid": {
        "voted_on": {
          "$articleid": {
            ".write": "!data.exists()"
          }
        }
      }
    }
  }
}

This ensures that you can write any given value to /users/anant/voted_on/article1 exactly once. You can add a .validate rule to ensure that the value is a boolean (or something else).

Answer 3

Taking advantage of OAuth authentication, it's highly unlikely that users cannott find a way to login via either FB/Twitter/Google/OpenID.

It is still cheap and fast to vote, and in case the user does not want to login via third party services, you can provide an email fallback.

As everybody pointed out already, you have to rely on you own server.

Answer 4

There is no way to prevent duplicate votes but forcing users to sign up (maybe with email confirmation) and authenticate (thus, storing votes somewhere in your DB and checking). Other techniques are flawed:

1. cookies/session storage can be disabled or cleared whenever the user wants.
2. IP address tracking prevents usage behind NATs, proxies and gateways, since all clients will share the same public address (or a small number of).

Still, a user could register multiple accounts and there is no way to prevent this.

A thing you can do is detecting rapid sequences of vote actions, which could be generated by scripts.