Cookies

[Saber]

I want to prevent users from voting more than 1 time in a simple poll.
I tried:

Session.Timeout = 40

Dim objCookie As HttpCookie
objCookie = New HttpCookie("before", "voted")

If Session("before") = "" And Request.Cookies("before") Is Nothing Then
Session("before") = "voted: true"
Response.Cookies.Add(objCookie)
....

But the If block runs again when I close and open page, then re-submit the
form, I mean Request.Cookies("before") Is Nothing always is Nothing!
why? what I've to do?

 

[Jos]

I want to prevent users from voting more than 1 time in a simple poll.
I tried:

Session.Timeout = 40

Dim objCookie As HttpCookie
objCookie = New HttpCookie("before", "voted")

If Session("before") = "" And Request.Cookies("before") Is Nothing
Then Session("before") = "voted: true"
Response.Cookies.Add(objCookie)
...

But the If block runs again when I close and open page, then
re-submit the form, I mean Request.Cookies("before") Is Nothing
always is Nothing!
why? what I've to do?

You need to set an expiration time to the cookie to make it
a persistent cookie.
If you don't, the cookie will be a session cookie, and it
will expire with the session.

objCookie.Expires = Date.Now().AddDays(30)

 

[John Saunders]

The coockie procedure is so common known to everyone , that fraudulent users
will just clear there temporary internet files and will vote and vote and
vote again

A better way in my eyes would be to retrieve the ip number of the client
store this in a database ( or XML file ) and write your voting logic around
that

This won't work if the client is behind a firewall or proxy, as you'll only
be able to get the IP address of the firewall or proxy.

 

[Shan Plourde]

I don't think any solution is perfect. If you need more security then
another option is to create user accounts and only allow logged in
people to vote. This is about the only way to prevent people from voting
1,000,000 times each simply because people won't be as inclined to spend
the energy to create multiple accounts unless, and you make it more
difficult for them to create multiple user accounts depending on the
questions that you ask as part of the user account creation process. Of
course one option would be to have enter their credit card information
and then validate it, but then who would create a user account right?

Otherwise if your votes are not security crucial things such as "what is
your favourite colour?" then I'm sure that your cookie solution or the
IP address solution will work at least somewhat. Personally I wouldn't
recommend creating user accounts just for the purpose of a simple vote,
so then what are you left with? Well, something imperfect I guess, but
those are your only options and the chances of people voting over and
over are really dependent on many factors, your user demographics being
one of them.

Which leads me back to your first cookie solution - you're probably ok
to keep it simple and recognize that people might vote more than once.
No big deal. For every voter who votes for favourite colour = green 10
times there's likely someone else who votes for favourite colour =
orange 10 times.

Shan Plourde

 

[Saber]

It is not a very important poll and many of the users of this page don't
know what is cookie and how to delete.
in another hand, using IP address isn't a good idea, because dial-up users
have not a static IP and it changes every time they connect to internet.

 

[Saber]

thanks,
i forgot to set an expire date..duh!

You need to set an expiration time to the cookie to make it
a persistent cookie.
If you don't, the cookie will be a session cookie, and it
will expire with the session.

objCookie.Expires = Date.Now().AddDays(30)

 

[M. Posseth]

The coockie procedure is so common known to everyone , that fraudulent users
will just clear there temporary internet files and will vote and vote and
vote again

A better way in my eyes would be to retrieve the ip number of the client
store this in a database ( or XML file ) and write your voting logic around
that

this way you have everything server side and fraudulent use will be much
harder to acomplish


happy coding

M. Posseth MCP

 

[wl]

On Microsoft MSDN pages you can vote for the usefulness of documents.
They also check whether you vote just once: I did some testing and it seems
they use a combination of IP and useragent name.

With the same IP and a different useragent you can still vote.... And also
with the same useragent and a different IP.

Wim