如何防止用户在 1 小时内多次投票?
[英]How can I prevent users from voting more than once in 1 hour?
问题描述
At the moment I have a script with CAPTCHA, which on submit logs the users IP address to prevent a user from voting more than once per hour.
目前我有一个带有 CAPTCHA 的脚本,它在提交时记录用户 IP 地址,以防止用户每小时投票超过一次。
However, many people are using proxies to get around this vote restriction and I would like to employ additional protection.然而,许多人正在使用代理来绕过这个投票限制,我想采用额外的保护。
I realize there are other questions about this topic, but they always involve people wanting users to only be able to vote once, rather than a timed restriction.我意识到关于这个话题还有其他问题,但它们总是涉及希望用户只能投票一次的人,而不是时间限制。
Thank you for any help感谢您的任何帮助
EDIT: I do not want to force users to login编辑:我不想强迫用户登录
5 个解决方案
解决方案1
6 已采纳 2011-06-07 15:51:00
There is no 100% secure way of avoiding people to vote more than once an hour, but here are few methods to make it harder for the users to circumvent it:没有 100% 安全的方法可以避免人们每小时投票一次以上,但这里有一些方法可以让用户更难规避它:
- Place cookies on the users computer将 cookies 放在用户计算机上
- Log their IP记录他们的 IP
- Store content into their localStorage (only for users with HTML5 browsers)将内容存储到其 localStorage(仅适用于使用 HTML5 浏览器的用户)
- If you really want to start digging deeper, you can start putting restrictions based on the users session length, how many pages they navigated prior to voting, ie starting to profile the users that try to circumvent the system, and start putting restrictions on those profiled users.如果你真的想开始深入挖掘,你可以开始根据用户 session 的长度,他们在投票前浏览了多少页,即开始分析试图绕过系统的用户,并开始对那些分析的用户设置限制用户。
解决方案2
2 2011-06-07 15:47:37
You could use cookies, but people can delete them.您可以使用 cookies,但人们可以删除它们。 Simplest answer without forcing them to login (for which they can create more than one account if they have multiple Emails etc) it would be hard to limit them without them being able to sneak round it somehow.不强迫他们登录的最简单的答案(如果他们有多个电子邮件等,他们可以创建多个帐户),如果他们无法以某种方式偷偷摸摸,就很难限制他们。
解决方案3
1 2011-06-07 20:01:26
MEMORY tables on server with ip addresses
具有 ip 地址的服务器上的 MEMORY 表evercookie
永远饼干browser fingerprinting
浏览器指纹required registration
需要注册cron job to clear tables once a hour
cron 作业每小时清除一次表http://code.google.com/p/mailvalidator/
http://code.google.com/p/mailvalidator/make list of banned domains
制作禁止域列表
visit 10minutemail and copy e-mail domain and add to the list访问 10minutemail 并复制电子邮件域并添加到列表中
解决方案4
0 2011-06-07 15:50:25
Are you against having users register on your site in order to vote?您反对让用户在您的网站上注册以便投票吗? I would say make it based on account, not IP.我会说是基于帐户,而不是 IP。 Many users can be behind a NAT which would assign them all the same external IP (think work or school).许多用户可以在 NAT 后面,这将为他们分配所有相同的外部 IP(想想工作或学校)。 In this case I'd say a table with four columns would suffice: user id, poll id, vote time, choice.在这种情况下,我会说一个有四列的表就足够了:用户 ID、投票 ID、投票时间、选择。 If the same user id/poll id combination exists and time is greater than now minus one hour don't allow them to vote如果存在相同的用户 ID/投票 ID 组合并且时间大于现在减去一小时,则不允许他们投票
解决方案5
0 2011-06-07 15:53:29
If the "bad" people are clever enough to use proxies to vote against your will, or the rules, chances are that they will be able to circumvent other protections, too...如果“坏”人足够聪明,可以使用代理人投票反对您的意愿或规则,那么他们很可能也能够规避其他保护措施......
But here are the things you can do:但这里是你可以做的事情:
1) Set up a cookie on the machine after the vote, but users could remove the cookie manually 1) 投票后在机器上设置cookie,但用户可以手动删除cookie
2) Enforce user accounts to vote, validated by an email address, but users could create alternate user accounts 2) 强制用户帐户投票,通过 email 地址验证,但用户可以创建备用用户帐户
2bis) A user account could get the right to vote only after 24h, might not be suitable for your app 2bis) 用户帐户只能在 24 小时后才能获得投票权,可能不适合您的应用
3) Like stack overflow, implements a reputation mechanism on user accounts so they will be able to vote only after having proved they're not just bots or alternate identities 3) 像堆栈溢出一样,在用户帐户上实施声誉机制,因此他们只有在证明他们不仅仅是机器人或替代身份后才能投票
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.