Option to restrict anonymous voting by cookies rather than IP

I didn't really understand this initially, but after http://drupal.org/node/105587 it makes sense.

The implication is that restricting anonymous voting by IP should be optional - so if this feature isn't desired advpoll should set a cookie on the user's computer to record that they've voted. This is a good feature to implement eventually as it's standard among polling/survey systems.

I'm also interested in giving separate voices to multiple anonymous users who share an IP.

I think there are a number of options that could be possible for the admin setting up a poll:

- as now, limit to 1 vote per IP
- as requested here, limit 1 vote per cookie
- as requested at http://drupal.org/node/105587, limit to 1 vote per IP/cookie per time period
- allow admin to set a poll to unlimited anonymous votes from the same IP / cookie / time period

As an alternative to time periods, hook_cron could come in and wipe the IPs/hostnames recorded over an hour / day / week ago. I think I'm going to work on this for my 4.7 install until there's an official solution.

Were you able to get this to implement any of this yet?
I'd be interested in it if you did..

thanks

I should note that I'm currently working with the 4.7dev branch, not 5.x, but it sounds like this request has not been resolved for either. Correct?

My main interest here is with the IRV implementation, so my comments reflect that.

It looks to me like the setup to the problem is:
-- Anonymous users on the same IP address all show up as the same hostname.
-- Adv poll records each ranking within a ballot as a separate line in the votingapi_vote table.
-- Multiple rankings from an anonymous user can only be reassembled into one ballot by selecting all of the votes in votingapi_vote that match a certain node ID and hostname (IP address).

SO, the only "quick" way to allow multiple ballots (voters) per anonymous hostname would be to append some string (as suggested) to the hostname when it is stored in the database (like a timestamp). But the problem is, votingapi.module sets the hostname which is recorded. There is no API in votingapi so far as I can tell for another module (advpoll) to set its own interpretation of the hostname.

Seems like the root problem is in votingapi, not advpoll. The question I'm looking at is: is it easier to mod advpoll to use an alternate vote storage table, or to mod how votingapi stores its hostnames? I will go look into the votingapi features requests to see if this is addressed at all. Get back to me if you have seen anything further on this, please.

Following up on my comment, this is the feature request I lodged with votingapi project:

http://drupal.org/node/123916

The more I think about it, the more a cookie makes the most sense. Votingapi is looking for a unique ID, so storing the same hostname for multiple votes messes up the counting of the votes.

If advpoll passed the user's cookie ID to votingapi as 'hostname', the cookie ID could be stored in the hostname field.

I was able to apply an ugly patch without touching VotingAPI, however.

I edited advpoll.module and modes/binary.inc to allow anonymous users to vote on binary polls every 24 hours. This created other problems, especially with the way votes are tallied. I'm only using binary polls, so I don't know what havoc this would wreak on rankings.

In the advpoll function advpoll_load, which decides if we should display the results or the poll, I made a few changes.

For the hostname, votingAPI records the environment variable HTTP_X_FORWARDED_FOR if available and REMOTE_ADDR if not, but advpoll wasn't checking for HTTP_X_FORWARDED_FOR, so I added and changed, below "else {":

  if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $hostname = $_SERVER['HTTP_X_FORWARDED_FOR'];
  }
  else {
    $hostname = $_SERVER['REMOTE_ADDR'];
  }
                $result = db_query('SELECT uid, value FROM {votingapi_vote} '
                        . 'WHERE content_id=%d AND hostname="%s" AND timestamp > (unix_timestamp(now()) - 86400);',
                        $node->nid, $hostname);

Now the poll displays for an anonymous user who has already voted after 24 hours have gone by.

In modes/binary.inc, I changed the routine for counting votes in advpoll_view_results_binary. Advpoll assumes that multiple votes from the same IP are one "vote" chosing multiple options.

Above "if ($node->choice && $total_votes > 0) {", I added a quick check to recalculate the total votes if there was a limit of 1 choice per vote on the poll:

        if ($node->maxchoices ==1)
        {
                $total_votes =0;
                foreach ($node->choice as $i => $ch) {
                        $total_votes += $votes[$i];
                }
        }

The total votes as called from votingapi are still in error, however, so it looks bad when the bottom of the node reports 129 votes and you add up the individual results and get 135.

The cron solution I mentioned above would probably work better. To change anonymous votes older than 24 hours to unique IDs:

function custom_module_hook_cron () {

 $result = db_query("SELECT vote_id,hostname FROM {votingapi_vote} WHERE uid=0 AND content_type='advpoll' AND timestamp > (unix_timestamp(now()) - 86400);');

 $time= time();

   while ($v = db_fetch_result($result)) {
     $hostname = $v->hostname . $time;
     $temp_result = db_query("UPDATE {votingapi_vote} set hostname='$hostname' WHERE vote_id=$v->vote_id;");
   }

}

Any cleaner patches on this yet? I'm looking for the same thing... Intranets really need this feature :) We're all on the same IP

I don't know if there's a similar post to this issue for 4.7, but on this site i develop http://www.teachingexpertise.com i had the same issue with multiple voting on the same ips, all i did to get round this is hacked the code to store the session_id() instead of the hostname(ip). This meant voting was restricted to the users computer, and the only way they could do more than one vote is clear their cache to get rid of the cookie that stores the session or find another computer on the same ip to allow them to vote again. I know the down fall of this is cookies could be switched off, but atleast it'll still stop the spammers. Hope that made sense and hope this helps someone.

Hi, #8, I have the same problem can you tell me exactly how you did this? It sounds liek a great idea you came up with. I have read several sites online about this topic and your solution sounds like the bset so far. I would really liek to see how it works.

i'm interested in #8 solution as well. if you could post it would be greatly appreciated. thanks

A year has passed since the last comment and I don't believe this has been worked on at all. It would seem to be an important feature for a poll system. Any new thoughts on an approach to tackle this?

Yes, I've implemented it in http://fest.hmsu.org/mix-contest.html and it really needs cookie restriction too...

+subscribing to #8. Any update please. Thanks

Today we've hacked the core poll module to quickfix an urgent similar requirement by a customer.

In the core poll you simply need to replace ip_address with a custom function call poll_hostname(), defined like:

function poll_hostname() {
  $hostname = ip_address();
  if (isset($_COOKIE[session_name()])) {
    $hostname = $_COOKIE[session_name()];
  }
  return $hostname;
}

Note that this misuses the hostname field to be written with sessionid data.

If we implement this feature, should we switch protection mode globally or per poll?

miro_dietiker,
I think Just per role and for only anonymous since authenticated doesn't have this problem. Here is a similar voting policy for annonymous user http://drupal.org/node/616954.

Thank

Very interesting. So we should replace hostname only by cookie if we're anonymous.

Note that after a logout, we loose the session information (internally called sess_destroy(); ) and thus a user might be able to vote a second vote...

This is right! With this patch, anonymous can vote more after a refresh of the same page.

Started using a poll today for an intranet site and this is really a blocking issue. Seems that indeed only a core hack will help here...

However, I'm surprised that this issue is still not fixed, maybe polls are a bit too 2009???

I just found this, maybe it helps: http://www.hashbangcode.com/blog/overriding-poll-module-drupal-6-409.html

Thanks marvelgalema for the link.

I'd be happy to further push the module as a co-maintainer.

However there's currently no significant contributions happening from the community.

Issue duplicated by
#988738: Anonymous users on the same subnet

miro_dietiker,

You said "Note that after a logout, we loose the session information (internally called sess_destroy(); ) and thus a user might be able to vote a second vote..."

Does it means that for anonymous users, every time they refresh the page the session information is lost? I have this issue and that anonymous users can vote more than one after a refresh (F5). I thought it should be lost when we open another tab/window not on the same window?

Thanks
Truyen

Anonymous revotings can happen if they delete (or don't accept) the cookie...
All session based protections are by definition insecure and provide no guarantee.

Subscribing, interested in this.

sorry to all the people who were waiting for a response from me......2008, that's a long time to reply :-) anyway, I still can't believe this wasn't solved in drupal 6.........if it helps now (which it probably doesn't), at the time I hacked the poll module........I probably wouldn't do that again :-) but if push came to shove then I probably would. But another interesting problem I had recently was on a server with node balancing, the ip address was always the proxy so the first anon user to vote (on one of the balancers) would stop every other anon user to vote regardless of IP. To get around this look at the settings.php file and in there you can give some proxy ip addresses, add your proxy ips and life is then sweet again, that tip has to make up for my lack of response to this post :-)

Is there still no patch for this? I just ran into the same problem where we want to use cookies instead of the IP.
What would be the easiest way to solve this?

Storing a cookie would be possible, but what happens if I change the poll, those users won't be able to vote until the cookie is expired.

Would this solution just help?

function poll_hostname() {
  $hostname = ip_address();
  if (isset($_COOKIE[session_name()])) {
    $hostname = $_COOKIE[session_name()];
  }
  
  setcookie('hasVoted', $hostname);
  
  return $hostname;
}

In 6.x-3.x I've addressed this issue by adding an admin settings form (admin/settings/advpoll) that allows you to turn on voting by cookie and also set a duration between votes. Each poll will generate a unique cookie based on its nid. This behavior, if selected also applies the same to both authenticated and anonymous users.

nice one mishwick :-)

D6 is EOL hence this issue won't be fixed (or) attended. So closing it.