防止匿名投票博弈的最佳方法

发布于 2024-09-28 02:48:46 字数 324 浏览 4 评论 0原文

我即将为我的网站编写一个投票方法。我想要一种方法来阻止人们两次为同一件事投票。到目前为止,我的想法是:

  • 投票完成后删除 cookie(容易受到多浏览器游戏的影响)
  • 记录每次投票的 IP 地址(这在代理/企业环境中会失败)
  • 强制登录

我的网站本身不是基于帐户的,尽管它聚合 Twitter 数据,因此可以使用 Twitter OAuth 作为识别手段。

现有哪些系统以及它们是如何做到这一点的?

I am about to write a voting method for my site. I want a method to stop people voting for the same thing twice. So far my thoughts have been:

  • Drop a cookie once the vote is complete (susceptible to multi browser gaming)
  • Log IP address per vote (this will fail in proxy / corporate environments)
  • Force logins

My site is not account based as such, although it aggregates Twitter data, so there is scope for using Twitter OAuth as a means of identification.

What existing systems exist and how do they do this?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

绿萝 2024-10-05 02:48:47

最好的办法是禁止匿名投票。如果用户被迫登录,您可以保存每次投票的用户 ID,并确保他/她只投票一次。

cookie 方法非常脆弱,因为 cookie 很容易被删除。 IP 地址方法有您自己描述的缺点。

The best thing would be to disallow anonymous voting. If the user is forced to log in you can save the userid with each vote and make sure that he/she only votes once.

The cookie approach is very fragile since cookies can be deleted easily. The IP address approach has the shortcoming you yourself describe.

往事随风而去 2024-10-05 02:48:47

迈向用户身份验证系统的一步,但不是所有的复杂性:

让用户输入他们的电子邮件地址并确认他们的投票,你不会消除游戏,但你会让游戏玩家更难注册另一个电子邮件地址然后投票等。

可能值得采取额外的步骤。

让我们知道您最终想要做什么。

One step towards a user auth system but not all of the complications:

Get the user to enter their email address and confirm their vote, you would not eradicate gaming but you would make it harder for gamers to register another email address and then vote etc.

Might be worth the extra step.

Let us know what you end up going for.

橘虞初梦 2024-10-05 02:48:47

如果您最终想使用 cookie,请使用 evercookie

evercookie 是一个可用的 javascript API,可以生成
浏览器中极其持久的 cookie
。它的目标
是在客户删除标准后仍能识别他们
cookie、Flash cookie(本地共享对象或 LSO)以及
其他。

evercookie 通过将 cookie 数据存储在
可用的几种类型的存储机制
本地浏览器。此外,如果evercookie 已找到
用户已删除任何有问题的 cookie 类型,
使用每种可用的机制重新创建它们。

当然,多浏览器作弊不会受到影响。

If you want to go with cookies after all, use an evercookie.

evercookie is a javascript API available that produces
extremely persistent cookies in a browser
. Its goal
is to identify a client even after they've removed standard
cookies, Flash cookies (Local Shared Objects or LSOs), and
others.

evercookie accomplishes this by storing the cookie data in
several types of storage mechanisms that are available on
the local browser. Additionally, if evercookie has found the
user has removed any of the types of cookies in question, it
recreates them using each mechanism available.

Multi-browser cheating won't be affected, of course.

梦醒灬来后我 2024-10-05 02:48:47

您想保护自己免受哪种类型的游戏的侵害?有人创建了几个机器人并用数千(数百万)个请求轰炸您?或者是没有更好的事情可做的人尝试投 10 到 20 票?

是的,我知道:两者都是 - 但您在这里主要关心哪一个?

将验证码与基于电子邮件的投票结合使用(发送电子邮件链接以验证投票)可能会很好地对抗机器人。但人类或多或少可以轻松地利用电子邮件系统(正如我在一个答案中评论并再次在此发布的那样)

我拥有一个自定义域,我可以在其中包含我想要的任何电子邮件。

另一个例子:如果您的电子邮件是
myuser*@gmail.com*,您可以使用
"[电子邮件受保护]"
[email protected] 等(加号和后面的文本
它被忽略并被传递
到您的帐户)。您还可以包括
您的用户名中的点([电子邮件受保护])。 (仅此
适用于 Gmail 地址!)

为了防止人类攻击,我不知道ever-cookie,但这可能是一个不错的选择。使用与 twitter、FB 和其他网络集成的 OAuth 也可能效果很好。

另外,请记住:要求某人投票的电子邮件会吓跑很多人!你得到的选票会少很多!

另一种选择是限制系统每分钟(或每小时或其他任何时间)从每个 IP 接受的投票数。为了防止分布式攻击,请限制系统在某个时间范围内接受的投票总数。

What type of gaming do you want to protect yourself against? Someone creating a couple of bots and bombing you with thousands (millions) of requests? Or someone with no better things to do and try to make 10-20 votes?

Yes, I know: both - but which one is your main concern in here?

Using CAPTCHA together with email based voting (send a link to the email to validate the vote) might work well against bots. But a human can more or less easily exploit the email system (as I comment in one answer and post here again)

I own a custom domain and I can have any email I want within it.

Another example: if your email is
myuser*@gmail.com*, you could use
"[email protected]"
[email protected], etc (the plus sign and the text after
it are ignored and it is delivered
to your account). You can also include
dots in your username ([email protected]). (This only
works on gmail addresses!)

To protect against humans, I don't know ever-cookie but it might be a good choice. Using OAuth integrated with twitter, FB and other networks might also work well.

Also, remember: requiring emails for someone to vote will scare many people off! You will get many less votes!

Another option is to limit the number of votes your system accepts from each ip per minute (or hour or anything else). To protect against distributed attacks, limit the total number of votes your system accepts within a timeframe.

淡莣 2024-10-05 02:48:47

不同的方法,只是提供一种替代方案:

假设大多数人都知道如何行事,或者只是不愿意行为不端,只需追溯性地清理选票即可。这也将使投票对选民来说不那么引人注目。

因此,设置 cookie,记录每次投票,然后(或按时间间隔?)查看结果并根据 cookie 值、IP/UserAgent 组合等删除重复项。

我假设不会主动阻止同一个人的多个投票将高科技规避方法的使用保持在最低限度,并且结果易于清理。

不利的一面是,您可能无法在用户界面上实时显示实际的选票计数,或者当一堆选票恰好丢失时,人们会感到惊讶。

Different approach, just to provide an alternative:

Assuming most people know how to behave or just can't be bothered to misbehave, just retroactively clean the votes. This would also keep voting unobtrusive for the voters.

So, set cookies, log every vote and afterwards (or on a time interval?) go through the results and remove duplicates based on the cookie values, IP/UserAgent combinations etc.

I'd assume that not actively blocking multiple votes from same person keeps the usage of highly technical circumvention methods to a minimum and the results are easy to clean.

As a down side, you can't probably show the actual vote counts live on the user interface, or eyebrows will be raised when bunch of votes just happen to go missing.

伴随着你 2024-10-05 02:48:47

虽然我自己可能不会这样做,但看看这些 cookie,它们很难摆脱:

http:// /samy.pl/evercookie/

我必须解决这个问题并打击投票欺诈的另一种方法是需要一个电子邮件地址,然后一个人仍然可以投票,但在他们点击之前投票不会计算在内在电子邮件中的链接上。这比完全登记更容易,但在消除大部分欺诈选票方面仍然非常有效。

Although I probably wouldn't do this myself, but look at these cookies, they are pretty hard to get rid of:

http://samy.pl/evercookie/

A different way that I had to approach this problem and fight voting fraud, was to require an email address, then a person could still vote, but the votes wouldn't count until they clicked on a link in the email. This was easier than full on registration, but was still very effective in eliminating most of the fraudulent votes.

〆一缕阳光ご 2024-10-05 02:48:47

如果您不想强制用户登录,请考虑使用evercookie,但强制java脚本启用日志记录!

这个evercookie 很容易被阻止,因为它是基于java 脚本的。攻击者不太可能使用浏览器,通过curl,他可以生成大量请求。然而,此类工具通常对 JavaScript 的支持很差。

邮件更容易被欺骗。当您运行自己的服务器时,您可以接受所有电子邮件地址,因此您几乎可以使用无限的地址池。

If you don't want force users to log, consider this evercookie, but force java script to enable logging!

This evercookie is trivial to block because it is java script based. The attacker would not likely use browser, with curl he could generate tousends of requests. Hovewer such tools have usually poor javascript support.

Mail is even easier to cheat. When you run your own server, you can accept all email addresses, so you will have practically unlimited pool of addresses to use.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文