Question
I am working on a PHP script that allows users to vote on certain items. Any user whether logged in or not can vote. Consider the following cases:
- If the user is logged in, I can log the user's id, and can restrict voting on the same item if he tries to vote again.
- If the user is not logged in, I can log the user's IP, and restrict voting on the same item, from the same IP.
If it's the first case, there's no need to log the IP. Now, the second case is driving me nuts, sort of. I was wondering that it may happen that the user may be changing IP, and then votes again on the same item. Now, even if I use Cookies or Session vars, it may also happen that the user is starting a new session (or has deleted the cookies) to vote on the same item again.
Am I missing something? If not, how to handle such situations? Any thoughts?
Answer 1:
I would seriously consider using a CAPTCHA; reCAPTCHA is a good choice.
You could restrict by IP address, but it's possible for a number of people to share 1 IP address, such as a small school or business. It's also trivial to bypass because proxies are free and plentiful. It's also error-prone because sometimes a load balancer will change the IP address during a session. If you really want to limit the number of votes per person, your best bet is to require them to log in to a user account and store the votes in your database.
Answer 2:
First off, there are a few ways to grab a client's IP address using PHP. Here are 3 methods that I know of:
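// X-Forwarded-For and Client-IP are request headers: a proxy may set them,
// but the client can also send any value it likes.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $ipAddress = $_SERVER['HTTP_CLIENT_IP'];
} else if (isset($_SERVER['REMOTE_ADDR'])) {
    // REMOTE_ADDR is the address of the peer that opened the connection.
    $ipAddress = $_SERVER['REMOTE_ADDR'];
}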
Second, if you're worried about volatile storage, such as cookies or sessions, it may be best to have a database table which stores these values. It could be a simple table with 3 columns: client_ip, item_id and date_created. This would allow you to track whether a specific IP address was used to vote for a certain item.
Now, the only problem I see with this is if the client is at work and sitting behind a proxy. So, I guess you have a few options, each with their own pros and cons.
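The vote table described in Answer 2, combined with the two cases from the question, as an added example that is not part of any answer on this page. It assumes SQLite through PDO and a single reverse proxy you operate; `TRUSTED_PROXIES`, `clientIp`, `castVote` and the `voter_key` column (used in place of `client_ip` so account ids and addresses share one table) are hypothetical names.

```php
<?php
// Added example; all names and addresses here are constructed for illustration.
const TRUSTED_PROXIES = ['10.0.0.5']; // constructed address of our own load balancer

// Resolve the address to record. Forwarding headers are honoured only when the
// TCP peer (REMOTE_ADDR) is a proxy we operate; otherwise they are ignored.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The right-most entry is the one our proxy appended.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

// One row per (voter, item); the UNIQUE constraint makes the duplicate check
// atomic, so two concurrent requests cannot both pass a SELECT-then-INSERT gap.
function castVote(PDO $db, string $voterKey, int $itemId): bool
{
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO votes (voter_key, item_id, date_created)
         VALUES (?, ?, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([$voterKey, $itemId]);
    return $stmt->rowCount() === 1; // no inserted row means a vote already exists
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (
    voter_key TEXT NOT NULL, item_id INTEGER NOT NULL, date_created TEXT NOT NULL,
    UNIQUE (voter_key, item_id))');

// Constructed requests: a direct client sending its own forwarding header,
// voting twice on the same item, followed by a logged-in user.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$anonKey = 'ip:' . clientIp($direct);     // keyed on the peer address, not the header
var_dump(castVote($db, $anonKey, 42));    // first anonymous vote
var_dump(castVote($db, $anonKey, 42));    // repeat from the same address
var_dump(castVote($db, 'user:17', 42));   // logged-in voter keyed by account id
```

The shared-address and changing-address limits raised in the answers still apply to the `ip:` keys; only the `user:` keys identify a person.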
Answer 3:
You can try using evercookie; it's kinda difficult to clear.
Source: https://stackoverflow.com/questions/4787960/restrict-user-activity-based-on-ip-or-on-cookie