I am using a 'transparent cache service' which is a
proxy forced on me by my ISP (so they can save
bandwidth). So if you check my IP by the normal
method you will get the cache server (thus multiple
users appear to come from the same IP). However if
you check the HTTP_X_FORWARDED_FOR var in the header
you will see my true IP and thus can limit things
such as polls to one IP.
and thus can limit things
such as polls to one IP.
Wouldn't it be about a squillion times easier just to log the username that has voted in a poll rather than their IP?
Okay, so people could register until multiple names but is that any less likely than them disconnecting and then re-connecting to get a new IP number if they're so desperate to vote again?
At the moment they are not doing either. Just setting something in the cookie, thus making it a client side thing.
Checking the IP is easy...but what about all those connections using dynamic assigned IP's?
IMHO its a waste of time.
'All those connections'? You mean you? ... My IP is dynamic, but hasn't changed in over a year and I could be IDed registering another account if I tried.
I am not suggesting it as a full proof defence but it will stop the casual abuser and spammers (trolls) who might register multiple accounts to, for example, post religious propaganda.
Smilies gone bad...
My IP is dynamic, and seems to change every time I boot into Linux.
I should note that there are many ways to spoof mere headers in HTTP (X-Forwarded-For). Spoofing the connection IP is considerably more difficult.
On the other hand if you have multiple users behind the same proxy (or proxy bank) then restricting connection IP isn't fair.
On the whole, one-vote-per-username seems to be the fairest method of restricting polling... though it does require registration to vote...
There is no guarantee that the x-forwarded-for request header data will be present just like there is no guarantee that client-ip data will actually represent the originating client as opposed to the proxy making the request on the client's behalf. As
I've said, we do track IPs and IP data is not guaranteed to ensure that we know who you are. This is a hard problem that pretty much no web-based (client web browser-web server technology) has nailed.
Yes, the poll is super easy to eploit. The question is, why exploit it? This is a social problem as much as it is a technological problem. "Gee. Other forums do this. And other forums do that...".
This is Channel 9. We like to think that a community can be responsible for and by itself. If you must exploit simple web features to make yourself happy, well, go do it somewhere else.
LOL... Are you kidding ?
Never trust your headers. Some evil people can fake it.
As well - in HTTP_X_FORWARDED_FOR can be more that one IP or in some rare cases - total garbage.
Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.