Designing a Django voting system without using accounts


We are considering implementing a voting system (up, down votes) without using any type of credentials--no app accounts nor OpenID or anything of that sort.

Concerns in order:

  1. Prevent robot votes
  2. Allow individuals under a NAT to vote without overriding/invalidating someone else's vote
  3. Preventing (or, at the very least, making it very difficult for) users to vote more than once

My questions:

  1. If you've implemented something similar, any tips?
  2. Any concerns that perhaps I'm overlooking?
  3. Any tools that I should perhaps look into?

If you have any questions that would help you in forming an answer to any of these questions, please ask in the comments!

2

There are 2 answers

0
danny (BEST ANSWER)

To address your concerns:

1: a simple Captcha would probably do the trick, if you google "django captcha", there are a bunch of plugins. I've never used them myself, so I can't say which is the best.

2 & 3: Using Django's sessions addresses both of these problems - with it you could save a cookie on the user's browser to indicate that the person has already voted. This obviously allows people to vote via different browsers or by clearing their cache, so it depends on how important it is that people not be allowed to vote twice. I would imagine that only a small percentage of people would actually think to try clearing their cache, though. As far as I know the only other way to limit users without a sign-in process would be to test IP addresses, but that would violate your second criterion since people on the same network will show up as having the same IP address.

If you don't want multiple votes to be as simple as deleting browser cookies, you could also allow Facebook or Twitter login - the django-socialregistration plugin is pretty well documented and straightforward to implement.

Hope that helps!
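The session-based bookkeeping this answer describes, written out as an added example (not code from the question, the answer, or Django itself). It is framework-free so it runs stand-alone: `session` stands in for Django's `request.session` (a dict-like object keyed by the session cookie), `tallies` stands in for whatever model holds the counts, and `VOTED_KEY` and the function names are assumptions. The one detail worth noting is that only the voted item ids are kept in the session, never the running total, so a tampered cookie cannot rewrite a count directly; it can only be discarded, which is exactly the weakness the answer already names.

```python
"""One vote per session: the pattern danny's answer describes, as an added
framework-free example. In a Django view `session` would be request.session
and `tallies` a model; those substitutions, VOTED_KEY and the function names
are assumptions of this example."""
from collections import defaultdict

VOTED_KEY = "voted_items"  # session key name; an assumption


def record_vote(session, tallies, item_id, direction):
    """Apply one up/down vote per session for item_id.

    Returns True if the vote was counted, False if this session has already
    voted on item_id. The session only remembers *which* items were voted
    on; the totals live server-side in `tallies`, so a client that edits its
    cookie can at best make itself look like a fresh session again.
    """
    if direction not in ("up", "down"):
        raise ValueError("direction must be 'up' or 'down'")
    voted = list(session.get(VOTED_KEY, []))
    if item_id in voted:
        return False  # duplicate from the same session: ignore it
    tallies[item_id] += 1 if direction == "up" else -1
    voted.append(item_id)
    # Reassign rather than mutate in place: Django only persists a session
    # when a key is (re)assigned or session.modified is set to True.
    session[VOTED_KEY] = voted
    return True


def has_voted(session, item_id):
    """Used by the template to hide the buttons once a session has voted."""
    return item_id in session.get(VOTED_KEY, [])


if __name__ == "__main__":
    # Constructed walk-through: two browsers (sessions) voting on item 7.
    tallies = defaultdict(int)
    browser_a, browser_b = {}, {}
    print(record_vote(browser_a, tallies, 7, "up"))    # True
    print(record_vote(browser_a, tallies, 7, "down"))  # False, already voted
    print(record_vote(browser_b, tallies, 7, "down"))  # True, different session
    print(dict(tallies))                               # {7: 0}
```

Pair this with a server-side session backend (database or cache) rather than the signed-cookie backend if you want to be able to purge suspicious sessions later; either way, a session that is cleared or never returned simply looks like a new voter, which is the trade-off the answer points out.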

0
Jim McGaw

Recaptcha is an excellent choice. For Django, here's the one that I've had the most success with, which actually uses images loaded from Recaptcha (as opposed to local images generated on the fly):

http://pypi.python.org/pypi/recaptcha-client#downloads

Instructions for installation are in this snippet:

http://djangosnippets.org/snippets/433/

If Recaptcha is a bit unwieldy for what you're doing, I've heard of people implementing a form that loads with a hidden input containing a timestamp value, corresponding to when the form was loaded. Then, when the form is submitted, generate a new timestamp and get the difference between the two. If the difference in seconds is below a certain threshold that's unreasonable for a human visitor, chances are you have a bot. This works for contact forms with several fields... it usually takes a person more than 10 seconds to fill them out.

I can't speak to how effective this technique actually is in production... a lot of these spam bots these days are smarter than I am. But it might be something you'd consider looking into or testing.