There is a system that lets people vote: you click the "Support" button, a request is sent to the server, and the click counter is incremented. The question is this: the request can be forged... tell me, how is this usually handled in such a situation? I mean in a general sense, that is, not for this particular system, but how do you secure requests in general? What trick should be used? What should I send? What are tokens? And checking all of this on the server, is that the answer? Thanks.

    7 answers

    In general, there is no way. A request from a real user is no different from a bot's request. Therefore all online voting can be gamed. You can cut off multiple votes from a single client IP, but that doesn't help much if someone really wants to vote.

      There are many ways to protect against this (and even more ways to get around them :)).
      You can use a token: a certain sequence of characters that is issued for a single request only. However, in the case of a forged request it does not help much (though it is well suited against CSRF (which is also bypassable)).
      To protect against repeat voting you can do this (I've never written a voting system myself... which is strange, by the way):
      In the voting table add a field with... voter IDs, for example. When someone tries to vote (even with a token, and in general when the user himself wants to outwit the system), pull out this field, check whether the current user's ID is in it, and if it is, turn them away.

      • 2
        Adding a token just forces the bot to make two requests instead of one: the first for the token, the second for the vote. - PashaPash ♦
      • That's why I wrote that it "does not help much." - user31688
      • I understand, it's just that the original poster was already set on using tokens when he asked the question. I didn't want to give him false hope :-) - PashaPash ♦
      • Why? Tokens do help: they can only be requested and received by an authorized user, i.e. the "first request for a token" will get a bare form, without a token. But they are not protection against cheating, where an authorized user himself may want to cheat. - user31688
      • I have never seen a voting system that requires authorization but at the same time allows one user to vote an unlimited number of times. Or one that requires authorization but does not check the authorization cookie when counting the vote. - PashaPash ♦

      No, if only because all the methods are broken very easily:
      1. Filter by IP: run the bot through Tor - new request, new IP;
      2. Filter by token: the bot will simply make two requests;
      3. Captcha: depends on complexity; simple ones are cracked with ease, complex ones are bad for usability.

      So you can only use all three methods in the hope that the cheater won't bother to handle them all. As a further complication I can offer an option very similar to tokens.
      When the page is opened, a session is created, and in the session you generate a unique ID (you can simply increment the previous one by 1). For a request without a session, return that the vote was sent successfully, but in fact do not record it. For a request with a session, check the ID: whether there has already been a vote from it, and if there has, return an error.
      But this is only a light disguise of working with tokens.

      • "Filter by token: the bot will simply make two requests" - how should that be understood?? - cmd
      • 2
        The first request obtains a token; the second request is the vote itself, sent with the token. - Lexd5
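An added illustration of the mechanics discussed in the second and third answers and their comments (example code, not from any answer on this page): a one-time token per session, a voter-ID set that rejects a second ballot from the same identity, and the "reply success but record nothing" decoy for requests that arrive without a session. The names `VoteService`, `issue_token`, `vote` and the session/voter identifiers are assumptions for the example; the simulation shows why the token alone buys little (a script fetches it and votes) while the identity check is what actually deduplicates.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class VoteService:
    """Constructed in-memory vote endpoint (example code, not the site's own)."""
    counter: int = 0
    # session_id -> one-time token issued to that session and not yet spent
    pending_tokens: dict = field(default_factory=dict)
    # voter ids that have already been counted (the "voter ID field" idea)
    voted: set = field(default_factory=set)

    def issue_token(self, session_id: str) -> str:
        # First of the "two requests" from the comments: a bot can call this
        # just as easily as a browser, so the token alone proves nothing.
        token = secrets.token_urlsafe(16)
        self.pending_tokens[session_id] = token
        return token

    def vote(self, session_id, token, voter_id) -> dict:
        if session_id is None:
            # Third answer's decoy: claim success, record nothing.
            return {"ok": True, "counted": False}
        expected = self.pending_tokens.pop(session_id, None)
        if expected is None or not secrets.compare_digest(expected, token or ""):
            # Missing, forged, or already-spent token (the pop makes it one-time).
            return {"ok": False, "counted": False, "reason": "bad or reused token"}
        if voter_id in self.voted:
            # Second answer's check: the identity, not the token, is what
            # stops a logged-in user from being counted twice.
            return {"ok": False, "counted": False, "reason": "already voted"}
        self.voted.add(voter_id)
        self.counter += 1
        return {"ok": True, "counted": True}


def simulate() -> dict:
    """Replay the scenarios from the answers and report what got counted."""
    svc = VoteService()
    # Real user: session + fresh token + identity -> counted once.
    first = svc.vote("sess-alice", svc.issue_token("sess-alice"), "alice")
    # Same user again with a fresh, valid token: rejected by the voter-id set.
    dup = svc.vote("sess-alice", svc.issue_token("sess-alice"), "alice")
    # Second user votes, then a script replays the token that was just spent.
    tok = svc.issue_token("sess-bob")
    svc.vote("sess-bob", tok, "bob")
    replay = svc.vote("sess-bob", tok, "bob")
    # Sessionless script hammering the endpoint: 50 "successes", nothing recorded.
    ghosts = [svc.vote(None, None, "bot") for _ in range(50)]
    return {
        "counter": svc.counter,
        "first_counted": first["counted"],
        "dup_reason": dup["reason"],
        "replay_reason": replay["reason"],
        "ghost_all_ok": all(g["ok"] for g in ghosts),
        "ghost_any_counted": any(g["counted"] for g in ghosts),
    }


if __name__ == "__main__":
    print(simulate())
```

The decoy response is deliberately indistinguishable from a real success, which is the point of the third answer's trick: a naive script sees "sent" and never learns its ballots went nowhere. The voter-ID set is the only part that stops a legitimate, logged-in user from voting twice, which is what the comment thread ends up agreeing on.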

      The answer "in a general sense" has already been given: NO.

      Judging by the strange answers, not everyone understands this simple truth. Or rather, they understand, but somehow not all the way. The result is meaningless answers like "Tokens don't help, but here's how to implement them...".

      If we're talking about protecting a vote, there are only two strategies:

      1. Either don't defend against it specifically at all; just set a cookie for the convenience of those who have already voted, and then cut the vote-stuffing out of the logs afterwards.
      2. Or bring in the heavy artillery like captchas and SMS voting.

      It is important to understand that there is no middle ground. All these games with tokens and IPs will not hinder the bot herders at all; they will only make catching them harder.

        What comes to my mind is Google's reCAPTCHA. Judging by my logs, I have repeatedly seen it cut off some "harmful" visitors.

          The most convenient way, for both the webmaster and the user, to tell a person from a bot is something like a hidden field in the request form that is filled in by JavaScript. To forge such a request you need a fully featured browser.

          Unfortunately, bots capable of emulating JavaScript and rendering pages like a browser are also sometimes encountered. This method will not save you from them. As an option for dealing with such comrades, you can tighten the limits on submissions from one IP address, block proxies that sit on IP blacklists, compare the time zone with the IP address, compare it with the IP address reported by plugins, compare the IP address of the DNS servers... But even all of this can be bypassed. Unfortunately, there is no universal protection.

          Even a CAPTCHA will not save you completely: even the most complex captcha can be solved by a worker in China for a quarter of a cent =)

          Another thing is that if your resource is not very popular, it is likely that even bot herders with browser-emulating bots will not wander onto it. So excessive paranoia is also pointless.
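An added example of the server side of this answer's two suggestions (not code from the answer or from any real site): a hidden field that only a client running the page's script can fill correctly, plus a sliding-window limit on accepted votes per IP. The field name `js_mark`, the choice of "SHA-256 of a per-page nonce" as the value the script writes, the window of 60 seconds, the limit of 3, and the client address are all assumptions constructed for the example. As the answer notes, a bot that runs JavaScript passes the first check; the rate limit is the second, independent hurdle.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window for the per-IP limit (constructed value)
MAX_PER_IP = 3        # accepted votes allowed per IP inside the window (constructed)


def expected_mark(nonce: str) -> str:
    # What the page's script is assumed to write into the hidden field "js_mark":
    # the hex SHA-256 of a nonce the server embedded in the page (assumption).
    return hashlib.sha256(nonce.encode()).hexdigest()


class VoteGate:
    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so the simulation is deterministic
        self.hits = defaultdict(deque)    # ip -> timestamps of accepted votes
        self.nonces = {}                  # form_id -> nonce embedded in that rendered page

    def render_form(self, form_id: str) -> str:
        """Server side of page load: embed a fresh nonce for the script to hash."""
        nonce = secrets.token_hex(8)
        self.nonces[form_id] = nonce
        return nonce

    def check(self, ip: str, form_id: str, js_mark: str) -> tuple[bool, str]:
        nonce = self.nonces.pop(form_id, None)   # each rendered form is usable once
        if nonce is None:
            return False, "unknown or reused form"
        if not js_mark or not hmac.compare_digest(js_mark, expected_mark(nonce)):
            # A plain HTTP client that never ran the page script leaves this empty.
            return False, "hidden field not filled by browser script"
        window = self.hits[ip]
        t = self.now()
        while window and t - window[0] > WINDOW_SECONDS:
            window.popleft()                     # drop hits that fell out of the window
        if len(window) >= MAX_PER_IP:
            return False, "too many votes from this IP in the window"
        window.append(t)
        return True, "accepted"


def simulate() -> dict:
    clock = [0.0]
    gate = VoteGate(now=lambda: clock[0])
    ip = "203.0.113.5"   # constructed client address (documentation range)

    # 1. Script-less client posts the form with the hidden field empty.
    gate.render_form("f1")
    no_js = gate.check(ip, "f1", "")

    # 2. Real browser (or a JS-capable bot): the script hashes the nonce into the field.
    burst = []
    for i in range(4):
        nonce = gate.render_form(f"b{i}")
        burst.append(gate.check(ip, f"b{i}", expected_mark(nonce))[0])

    # 3. Same IP once the window has elapsed.
    clock[0] += WINDOW_SECONDS + 1
    nonce = gate.render_form("late")
    after_window = gate.check(ip, "late", expected_mark(nonce))[0]

    return {"no_js": no_js, "burst": burst, "after_window": after_window}


if __name__ == "__main__":
    print(simulate())
```

Only accepted votes are recorded in the window, so a flood of rejected submissions from one address does not by itself lock out a legitimate user behind the same NAT; whether that is the right trade-off depends on how much of the audience shares addresses, which is the usability cost the answer alludes to.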

            If you have a loyal audience that performs some actions on the site, you can count the votes of different people with different weights.

            For example, on IMDB the vote of a newly registered user counts for less than the vote of an old user with a year of similar human activity. That is harder to get around than tokens and IP.
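An added worked example of the weighting idea in this answer (example code, not IMDB's formula, which is not public, and not from the answer itself): each voter's weight is derived from account age and a year of ordinary activity, and a tally compares raw counts with weighted ones. The `Voter` fields, the 0.1 to 1.0 ramp and the activity curve are constructed assumptions; the scenario shows 50 fresh sock-puppet accounts being outweighed by 10 established users.

```python
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Voter:
    user_id: str
    account_age_days: int
    actions_last_year: int   # comments, reviews, ratings: ordinary human activity


def vote_weight(v: Voter) -> float:
    """Constructed heuristic (not IMDB's actual, unpublished formula).

    A brand-new account gets 0.1; weight grows toward 1.0 as the account
    approaches a year old *and* shows a track record of ordinary activity.
    Both factors are multiplied, so a year-old but never-used account stays cheap.
    """
    age_factor = min(v.account_age_days, 365) / 365
    activity_factor = 1 - math.exp(-v.actions_last_year / 20)
    return round(0.1 + 0.9 * age_factor * activity_factor, 3)


def tally(ballots: list[tuple[Voter, str]]) -> dict:
    raw = defaultdict(int)
    weighted = defaultdict(float)
    seen = set()
    for voter, choice in ballots:
        if voter.user_id in seen:     # one ballot per identity, as in the other answers
            continue
        seen.add(voter.user_id)
        raw[choice] += 1
        weighted[choice] += vote_weight(voter)
    return {
        "raw": dict(raw),
        "weighted": {k: round(w, 3) for k, w in weighted.items()},
    }


def sock_puppet_scenario() -> dict:
    """50 freshly registered accounts voting 'up' vs. 10 established users voting 'down'."""
    puppets = [(Voter(f"new{i}", 0, 0), "up") for i in range(50)]
    regulars = [(Voter(f"old{i}", 730, 200), "down") for i in range(10)]
    return tally(puppets + regulars)


if __name__ == "__main__":
    print(sock_puppet_scenario())
```

The raw count says 50 to 10 for "up"; the weighted count says 5.0 to 10.0 for "down". Registering accounts is cheap, but a year of plausible activity per account is not, which is why the answer calls this harder to get around than tokens or IP checks. A dormant year-old account (`Voter("dormant", 365, 0)`) still weighs 0.1 because both factors are required.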