The poll currently limits the users to be able to vote based on an IP address. It is better than a cookie since it is much harder to fake an IP address than to use a clean cookie. However, this causes that only one person of all the persons behind a NAT-ed IP address or people behind a corporate proxy will be able to vote; none of the others can vote "again". This will be a problem in huge intranets where all traffic is going via a proxy server. So I would like to see the IP address limitation as an option (default on) and I think it might be wise to take a look at the "x-forwarded-for" headers sent by most proxy servers. This makes it possible to let many people behind one proxy vote.


Comments

mr700’s picture

I was thinking about this just before I found this request. First I want to note there can't be a perfect implementation (you can always trick the system - register 10 new users and use 10 votes) until you use certificates (which will maybe be almost perfect). Here are the problems I found when I was thinking of doing something about this (which make x-forwarded-for and via headers useless):

  1. You can just get a Firefox extension and add whatever 'x-forwarded-for' and 'via' you like.
  2. Many proxy servers, and all that I run, do send 'Unknown' or do not send this header (via also) at all.
  3. A proxy server is not limited to have a single IP.
  4. Some big sites use many proxy servers to do load balancing.
  5. ...

I was thinking about overloading the server with permanent cookies and allow voting only to users with older than the poll cookies, but the user can have X browsers + X profiles. For me this was more than enough to forget about it and any tricks I can think of, at least for now.

PS: The 'register to vote' solution still works...
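
Added example (not part of the comment above or of poll.module): one way to use X-Forwarded-For without accepting client-supplied values is to honour the header only when the direct peer is a proxy the site operator has listed. The function name, the trusted-proxy list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration; poll_client_ip() and $trusted_proxies are hypothetical names.

/**
 * Returns the address to use for vote limiting.
 *
 * X-Forwarded-For is honoured only when the TCP peer is a proxy the operator
 * trusts; from any other peer the header is client-controlled and ignored.
 */
function poll_client_ip($remote_addr, $xff_header, array $trusted_proxies) {
  if ($xff_header === NULL || !in_array($remote_addr, $trusted_proxies, TRUE)) {
    return $remote_addr;
  }
  // Each proxy appends the peer it saw, so walk the list from right to left
  // and stop at the first hop that is not one of our own proxies.
  $hops = array_reverse(array_map('trim', explode(',', $xff_header)));
  foreach ($hops as $hop) {
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      // 'unknown' or garbage: fall back to the address we actually saw.
      return $remote_addr;
    }
    if (!in_array($hop, $trusted_proxies, TRUE)) {
      return $hop;
    }
  }
  return $remote_addr;
}

// Constructed sample requests (documentation and private address ranges).
$trusted = array('192.0.2.10');
$cases = array(
  array('203.0.113.7', '198.51.100.1'),            // untrusted peer forging the header
  array('192.0.2.10',  '10.1.2.3'),                // trusted proxy, one client behind it
  array('192.0.2.10',  '198.51.100.1, 10.1.2.3'),  // client behind the proxy forged the first entry
  array('192.0.2.10',  'unknown'),                 // proxy that hides the client
  array('203.0.113.7', NULL),                      // no header at all
);
foreach ($cases as $case) {
  list($peer, $xff) = $case;
  printf("%-12s %-26s => %s\n", $peer, var_export($xff, TRUE),
    poll_client_ip($peer, $xff, $trusted));
}
```

Private addresses reported by different proxies can collide, so a limiter built on this would key on the proxy address and the forwarded address together.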

bertboerland’s picture

could someone with knowledge about poll.module update this old one?

ac’s picture

Version: x.y.z » 5.x-dev

An optional IP validation control in the poll admin would be a lovely feature. The option could disable the IP match and enable cookie authentication to check if a user has voted. I understand it is not secure but it is not like this is going to be used for elections. Currently the restriction based on IP is a show stopper for using poll.module on local networks and in situations where you need to survey a number of people (who do not want to register) within an organisation (that only has 1 IP).

ac’s picture

Title: ip address and x-forwarded-for headers » Optional cookie based voting authentication

robdinardo’s picture

I agree with AC. The module should allow the option of IP or cookie validation to test whether the user voted. Maybe add a description that Cookie validation is not secure.

In the poll_vote() function, I added:

setcookie("poll-$nid","1",time()+60*60*24*30*12);

and it works fine - the cookie gets added to the browser and expires in about a year.

In the poll_load() function, I replaced the $result if statement with:

if (isset($_COOKIE["poll-".$node->nid])) {
	$poll->vote = $result->chorder;
} else {
	$poll->vote = -1;
	$poll->allowvotes = TRUE;
}

... the vote gets recorded, and the user cannot vote again without clearing the cookies, but the block shows the choices instead of the results. ???

hillaryneaf’s picture

Subscribe... I want the same feature... cookie-based voting

FuN_ViT’s picture

I wrote my own module, based on the poll (Drupal 5.7) module; see http://drupal.org/node/237126

fuquam’s picture

That made it so the poll results were not shown. Vote was recorded but results were not shown afterwards.

Susurrus’s picture

Feature requests against HEAD. Also, see #237213: Fixed poll code for anonymous voting.

greg.harvey’s picture

Version: 5.x-dev » 6.x-dev
Priority: Minor » Normal
Status: Active » Needs review
FileSize
3.78 KB

Working patch attached. Please test and post feedback. It's a tidied up version of pash7ka's patch in comment #5 of #237213: Fixed poll code for anonymous voting - that is a D7 issue, so I've moved the patch here.

domesticat’s picture

I'm giving this patch a try.

domesticat’s picture

Status: Needs review » Reviewed & tested by the community

Patch in #14 did not apply cleanly for me, so I applied it by hand. The code worked, though; cookies are being set properly for anonymous votes, and users inside our network (who all appear to have the same IP address outside our network thanks to firewalling) are all able to vote anonymously without issue.

Marking RTBC. @greg_harvey -- thank you. This was a huge problem for us.

greg.harvey’s picture

Welcome! Odd it didn't apply. I probably did something silly.

Thanks as well to pash7ka, who wrote the patch. I only really tidied it up. =)

Not sure what's going on with the D7 patch now - it seems to have stalled, but I've fixed all the issues Dries raised, except for the ones I think either aren't issues or I don't understand what he wants. Sadly, he hasn't come back since to expand on his comments...

Gábor Hojtsy’s picture

Version: 6.x-dev » 8.x-dev

New features are added to Drupal 8, not Drupal 6 or 7 anymore.

greg.harvey’s picture

Version: 8.x-dev » 6.x-dev
Status: Reviewed & tested by the community » Closed (won't fix)

@Gabor, we know that - this is for people who want the feature in D6. A more appropriate Status would be "won't fix" then, as the active D7 patch is here: #237213: Fixed poll code for anonymous voting

This needs bumping to D8 since it failed to make the cut. Will do it now. =)

All other comers, D6 patch in #14 works if you need this, otherwise please contribute to D8 patch in the issue above.

yingtho’s picture

FileSize
2.52 KB

The code only seems to work partly for me. If I remove the cookie then I can see the poll form, but when I submit then it just shows the result and the poll choice is not submitted. I have made a small patch to make it work. Please see enclosed.

xalexas’s picture

#14 not working for anonymous users but only for registered users. Anonymous users get message "Your vote wasn't recorded". I have enabled access for anonymous users.

mean0dspt’s picture

#21 passed initial testing on my production website.
I didn't try #14, maybe it was fine too.

Cyberwolf’s picture

I tried the patch at #20 and at first sight it seems to work fine.
However I am a bit concerned about the possible situation that the rand() function might return the same random number twice, so in theory there is still the possibility that one might get the same key and actually overwrite another one's voting choice. I'd rather generate a more unique key by using uniqid() instead of rand().
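
Added example (not part of the comment above and not code from either patch, which this page does not show): it puts a number on the collision concern with the birthday bound and shows a per-voter key drawn from the operating system's CSPRNG, with a guard that never overwrites an existing key. The function names and the in-memory vote store are assumptions for illustration; `random_bytes()` needs PHP 7 or later.

```php
<?php
// Added illustration; all function names and the $votes array are hypothetical.

/** Expected number of colliding pairs among $n keys drawn uniformly from $space values. */
function expected_collisions($n, $space) {
  return $n * ($n - 1) / (2.0 * $space);
}

/** 128-bit voter key from the OS CSPRNG, hex encoded for use as a cookie value. */
function poll_voter_key() {
  return bin2hex(random_bytes(16));
}

/** Stores a vote under a fresh key; an existing key is never overwritten. */
function poll_record_vote(array &$votes, $choice) {
  do {
    $key = poll_voter_key();
  } while (isset($votes[$key]));
  $votes[$key] = $choice;
  return $key;
}

// Constructed scenario: 100000 anonymous voters on one poll.
$voters = 100000;
printf("rand() keys:   %.2f expected collisions\n",
  expected_collisions($voters, getrandmax() + 1.0));
printf("128-bit keys:  %.2e expected collisions\n",
  expected_collisions($voters, pow(2, 128)));

$votes = array();
$key = poll_record_vote($votes, 2);
printf("issued key %s for choice %d\n", $key, $votes[$key]);
```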

cato’s picture

I'd think a better way to solve this would be to remove all references to any IP address. Using it implies that IP#s are dependable which is false. If cookies are disabled, IP# is still not a working method to identify users since many anonymous users are coming from the same IP# due to NAT.