Monday, January 9, 2012

User Polls


You may have seen polls on some websites that visitors can vote in. Let's see how this type of user poll works. Every poll of this type has a few main characteristics:
  • The website should present visitors with the contestants they can vote for.
  • It should keep a count of the votes each contestant gets.
  • It should display the deadline, and no votes are counted after the deadline.
  • After the deadline has passed, it should display the number of votes for each contestant.
  • The website should not allow users to vote more than once.


There are three different ways to stop users from voting again and again in the same poll. The first is to check the user's IP address. The second is cookies. The third is sessions. The method we have used to stop users from voting more than once is cookies.

Cookies and Sessions

Cookies: A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser, it will send the cookie too. With PHP, you can both create and retrieve cookie values. The setcookie() function is used to set a cookie.
Sessions: When you are working with an application, you open it, make some changes and then close it. This is much like a session. The computer knows who you are. It knows when you start the application and when you end. But on the internet there is one problem: the web server does not know who you are and what you do, because HTTP does not maintain state.
A PHP session solves this problem by allowing you to store user information on the server for later use (e.g. username, shopping items, etc.). However, session information is temporary and will be deleted after the user has left the website. If you need permanent storage, you may want to store the data in a database.
Sessions work by creating a unique id (UID) for each visitor and storing variables based on this UID. The UID is either stored in a cookie or propagated in the URL.

Implementation

When a user tries to vote, first of all the browser checks for cookies. If there is a cookie which contains the user's voting history, the user is not allowed to vote. If that cookie is not there, the user gets a chance to vote and a cookie is then placed on his computer.
The deadline of the vote is checked against the system date of the local server. If the deadline is later than the system date, the user can vote, but only once. After the deadline, the page displays the result as a bar chart.

Problems in using Cookies

  • In the voting program, if the user deletes the cookies or blocks cookies in the browser, he will be able to cast his vote again. Because of this, cookies are not the ideal technique for stopping visitors from voting more than once.
  • If the user opens the cookie file, he can read its contents. Because of this, it is regarded as an insecure method. If a hacker accesses the cookie file, he will be able to easily access the private details of the users. To avoid these consequences we can use alternative solutions such as the IP address.
  • Inaccurate identification: Each browser has a separate area for cookie storage. If one person uses multiple browsers, the same data will be stored in different locations. Therefore cookies distinguish between browsers, not between individuals.
  • Cookie poisoning: An attacker can modify the value of the cookie before sending it back to the server. But nowadays most websites store a session identifier inside the cookie.

Alternative solutions

  • IP Address
When a user is connected to a network, his/her computer has an IP address. If the user requests a page, the server will detect the IP address of the client machine and check whether this machine has voted before.

The problem with this solution is that whenever a different user makes a request from the same machine, both are identified as one person. In other words, suppose a user casts his vote and logs off his machine. Then another user logs in, visits the same website and tries to cast his vote. Unfortunately, he will get an error message saying that he can't vote again.
In this case it is clear that the IP address technique is not a good method for a network such as the one in a cyber café.

But this method can be implemented for an individual computer which is used daily by the same person.
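
The cookie check and the IP address check described above, side by side, as an added example that is not the original poll's code. The poll id, deadline, contestant names and IP addresses are constructed, and the function takes the cookies, client address and current time as arguments (standing in for `$_COOKIE`, `$_SERVER['REMOTE_ADDR']` and `time()`) so it can be run from the command line.

```php
<?php
// Added example; poll id, deadline, names and IPs are constructed for illustration.
const POLL_ID  = 'poll1';
const DEADLINE = '2012-01-31 23:59:59';   // compared with the server clock

// $cookies stands in for $_COOKIE, $ip for $_SERVER['REMOTE_ADDR'], $now for time().
// $state holds the server-side tally and the set of IPs that have voted.
function cast_vote(array $cookies, string $ip, string $choice, int $now,
                   array &$state, string $method): string {
    if ($now > strtotime(DEADLINE)) {
        return 'closed';                              // no votes after the deadline
    }
    if (!isset($state['votes'][$choice])) {
        return 'invalid_choice';                      // only listed contestants
    }
    $seen = $method === 'cookie'
        ? isset($cookies['voted_' . POLL_ID])         // marker kept by the client
        : isset($state['ips'][$ip]);                  // record kept by the server
    if ($seen) {
        return 'already_voted';
    }
    $state['votes'][$choice]++;
    $state['ips'][$ip] = true;
    // A live page would also call, before sending any output:
    // setcookie('voted_' . POLL_ID, '1', strtotime(DEADLINE));
    return 'counted';
}

function run_demo(string $method): array {
    $state  = ['votes' => ['Alice' => 0, 'Bob' => 0], 'ips' => []];
    $now    = strtotime('2012-01-09 12:00:00');
    $marker = ['voted_' . POLL_ID => '1'];
    return [
        'first vote'               => cast_vote([], '192.0.2.10', 'Alice', $now, $state, $method),
        'same browser again'       => cast_vote($marker, '192.0.2.10', 'Alice', $now, $state, $method),
        'cookie deleted'           => cast_vote([], '192.0.2.10', 'Alice', $now, $state, $method),
        'second person, shared IP' => cast_vote([], '192.0.2.10', 'Bob', $now, $state, $method),
        'after deadline'           => cast_vote([], '192.0.2.20', 'Bob',
                                          strtotime('2012-02-01 00:00:00'), $state, $method),
    ];
}

foreach (['cookie', 'ip'] as $method) {
    echo "method: $method\n";
    foreach (run_demo($method) as $case => $result) {
        echo "  $case => $result\n";
    }
}
```

Comparing the two runs shows where each method gives the wrong answer: the cookie method on the "cookie deleted" case, and the IP method on the "second person, shared IP" case.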
