Optional cookie based voting authentication
bertboerland@ww... - December 10, 2004 - 10:50
| Project: | Drupal |
| Version: | 6.x-dev |
| Component: | poll.module |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | won't fix |
Description
The poll currently limits the users to be able to vote based on an IP address. It is better than a cookie since it is much harder to fake an IP address than to use a clean cookie. However, this causes that only one person of all the persons behind a NAT-ed IP address or people behind a corporate proxy will be able to vote; none of the others can vote "again". This will be a problem in huge intranets where all traffic is going via a proxy server. So I would like to see the IP address limitation as an option (default on) and I think it might be wise to take a look at the "x-forwarded-for" headers sent by most proxy servers. This makes it possible to let many people behind one proxy vote.
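
The X-Forwarded-For idea from the description above, as an added example that is not part of this issue thread or of poll.module: the header is honoured only when the request arrives from a proxy the site trusts, because any directly connected client can send the header with whatever value it likes. The function name, the `$trusted_proxies` setting and all addresses are hypothetical, and the sketch assumes the trusted proxy appends the address of its own peer to the header.

```php
<?php
// Added example, not code from poll.module. $trusted_proxies is a hypothetical
// site setting; all addresses below are constructed documentation values.

/**
 * Returns the string a poll could store to recognise a repeat voter.
 */
function example_poll_voter_key(array $server, array $trusted_proxies) {
  $peer = $server['REMOTE_ADDR'];
  // Ignore the header unless the TCP peer is a proxy we trust: otherwise the
  // client fully controls its content.
  if (!in_array($peer, $trusted_proxies, TRUE) || empty($server['HTTP_X_FORWARDED_FOR'])) {
    return $peer;
  }
  // Proxies append to the list, so the right-most entries were written by the
  // trusted hops. Walk from the right and stop at the first untrusted address.
  $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
  foreach ($hops as $hop) {
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      break; // Malformed entry: fall back to the proxy address.
    }
    if (!in_array($hop, $trusted_proxies, TRUE)) {
      // Internal addresses are only unique per proxy, so keep both parts.
      return $peer . '|' . $hop;
    }
  }
  return $peer;
}

$trusted = array('192.0.2.10'); // constructed: the corporate proxy
$requests = array(
  'intranet user A'  => array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.5'),
  'intranet user B'  => array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.6'),
  // Direct client with a made-up header: keyed on its real peer address.
  'forged header'    => array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.99'),
  // Client behind the proxy that prepended its own entry: only the value the
  // proxy appended (right-most) is used.
  'client-prepended' => array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'),
);
foreach ($requests as $label => $server) {
  printf("%-17s => %s\n", $label, example_poll_voter_key($server, $trusted));
}
```

Users behind plain NAT with no proxy in the path still share one key, so this narrows the problem described above rather than removing it.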

#1
I was thinking about this just before I found this request. First I want to note there can't be a perfect implementation (you can always trick the system - register 10 new users and use 10 votes) until you use certificates (which will maybe be almost perfect). Here are the problems I found when I was thinking of doing something about this (which make x-forwarded-for and via headers useless):
I was thinking about overloading the server with permanent cookies and allow voting only to users with older than the poll cookies, but the user can have X browsers + X profiles. For me this was more than enough to forget about it and any tricks I can think of, at least for now.
PS: The 'register to vote' solution still works...
#2
could someone with knowledge about poll.module update this old one?
#5
An optional IP validation control in the poll admin would be a lovely feature. The option could disable the IP match and enable cookie authentication to check if a user has voted. I understand it is not secure but it is not like this is going to be used for elections. Currently the restriction based on IP is a show stopper for using poll.module on local networks and in situations where you need to survey a number of people (who do not want to register) within an organisation (that only has 1 IP)
#6
#9
I agree with AC. The module should allow the option of IP or cookie validation to test whether the user voted. Maybe add a description that Cookie validation is not secure.
In the poll_vote() function, I added:
    setcookie("poll-$nid","1",time()+60*60*24*30*12);
and it works fine - the cookie gets added to the browser and expires in about a year.
In the poll_load() function, I replaced the $result if statement with:
    if (isset($_COOKIE["poll-".$node->nid])) {
      $poll->vote = $result->chorder;
    } else {
      $poll->vote = -1;
      $poll->allowvotes = TRUE;
    }
... the vote gets recorded, and the user cannot vote again without clearing the cookies, but the block shows the choices instead of the results. ???
#10
Subscribe... I want the same feature... cookie-based voting
#11
I wrote my own module, based on the poll (Drupal 5.7) module; see http://drupal.org/node/237126
#12
That made it so the poll results were not shown. Vote was recorded but results were not shown afterwards.
#13
Feature requests against HEAD. Also, see #237213: Fixed poll code for anonymous voting.
#14
Working patch attached. Please test and post feedback. It's a tidied up version of pash7ka's patch in comment #5 of #237213: Fixed poll code for anonymous voting - that is a D7 issue, so I've moved the patch here.
#15
I'm giving this patch a try.
#16
Patch in #14 did not apply cleanly for me, so I applied it by hand. The code worked, though; cookies are being set properly for anonymous votes, and users inside our network (who all appear to have the same IP address outside our network thanks to firewalling) are all able to vote anonymously without issue.
Marking RTBC. @greg_harvey -- thank you. This was a huge problem for us.
#17
Welcome! Odd it didn't apply. I probably did something silly.
Thanks as well to pash7ka, who wrote the patch. I only really tidied it up. =)
Not sure what's going on with the D7 patch now - it seems to have stalled, but I've fixed all the issues Dries raised, except for the ones I think either aren't issues or I don't understand what he wants. Sadly, he hasn't come back since to expand on his comments...
#18
New features are added to Drupal 8, not Drupal 6 or 7 anymore.
#19
@Gabor, we know that - this is for people who want the feature in D6. A more appropriate Status would be "won't fix" then, as the active D7 patch is here: #237213: Fixed poll code for anonymous voting
This needs bumping to D8 since it failed to make the cut. Will do it now. =)
All other comers, D6 patch in #14 works if you need this, otherwise please contribute to D8 patch in the issue above.
#20
The code only seems to work partly for me. If I remove the cookie then I can see the poll form, but when I submit, it just shows the result and the poll choice is not submitted. I have made a small patch to make it work. Please see enclosed.