The use case
Currently, I am trying to build a page where users can vote on content (up/downvote, similar to the function on the StackExchange network). But the users shouldn't need to register themselves to vote on content. So it would be a kind of "anonymous" voting page. It is built with Laravel5 and uses a MySQL database to store the votes. The user sessions are stored in flat-files, but can be also stored in a database table (L5 is quite flexible here).
The problem
How to make it secure?.
I am storing restrictions and already voted contents in the user sessions, e.g. when the user has voted on content XYZ (so the user cannot vote again on the specific content for now). Those restrictions are time-based, mostly 24 to 48h. This works well, as long as the user does not throw away/delete his cookies, which would cause to create a new session and remove the time restrictions, which could lead to easy vote fraud.
So, how to avoid that the user "loses" his session? The focus is on how to let the restrictions and limitations of each "anonymous" user persist! Shared PCs or voting on different locations cannot be avoided when voting anonymous, but "botting" or a vote fraud in large numbers needs to be avoided with a given solution.
Solution attempts
Setting the sessionId of each users session to a combination of IP and User-Agent
I've asked a question about this attempt (linked below), but it'd open up more problems then it'd solve (e.g. easy session spoofing). Also, I couldn't achieve to set the sessionID manually by using Laravel5.
Solutions that doesn't fit
- Let every user register themself (it's simply too much effort for each user in my use case)
Related
as users are not stored and maintained its very difficult and can't be made 100% sure.
how i try to achieve this most closely is using request ip address and csrf token.
you can get ip address from request and csrf_token() from anywhere inside your laravel application.
here is an example of how i am going to implement
create a table named votes having following fields
- votable_type
- votable_id
- ip_address
- csrf_token
i would check whether a client does not have an existing record for same votable type and id. client is a the csrf_token. ip is for guaranteeing whether the requests are legit.
votable type and id is the polymorphic relationship between either may be comments, posts etc.
note
without persisting user identification in anyway some users might not be either vote or some might vote twice. it can't be done perfectly.
- some users might vote from different user agents multiple times.
- some users might spoof ip. clear cookies
- different users might be using same system to login.
- some users might be using different connections or system logins.
so either we take any information it wouldn't be 100% accurate.
My solution was combination of implementing evercookie to assign a "Identification Cookie" per user, detecting privacy browsing and restrict access when having Incognito mode or private browsing enabled, and finally restrict several actions (voting in my case) when not having the evercookie.
来源:https://stackoverflow.com/questions/41219675/how-to-avoid-that-a-user-removes-his-session