Hi Henk,

I gave this subject a long thought and more or less concluded that
preventing misuse is quite hard using a cookie-based poll. It all comes
down to the (im)possibility of detecting whether a user has
cookies-accept option turned off.
I did design a cookie-based poll that works with two cookies. One cookie
is placed before the answer button is pressed by the user. If this first
cookie is not detected when we process the answer, then the user is
either a script kiddie or someone who turned off the accept-cookie
option. In either case we don't count the vote, give this feedback to
the user and ask him to stop blocking cookies and refresh the page, so
he can receive the detection cookie.
This, however, is merely a way to make misuse (a lot) less easy and is
not watertight: end users can turn on cookie blocking just before
pressing the vote button. In this case, the user will not receive the
already-voted cookie, but cookies that have been placed earlier will be
sent anyway and thus the user can continue pressing the vote button.
I can give you the TO piece of this poll, in a couple of weeks I could
give you the code as well since it is being built right now at
Kennisnet.

The impossibility of building a watertight accept-cookie detection lies
in the impossibility of placing a cookie on the response and detecting this
cookie during the same request (there is no such method as
response.getCookie(); cookies have to land on the browser first :).
Thus, the detection can only be done on the next request, i.e. the next user click,
which gives the end user time to tamper with his cookie options.

There might be a possibility to make a sound detection using client-side
redirecting (response.sendRedirect()). I did not look into this. 

I also would be interested if anyone has a more secure poll (not
IP-based).

Regards,

Peter
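The two-cookie check described above, modelled as an added example (not Kennisnet's or MMBase's code): `process_vote` is the vote handler, `browser_cookies` is a constructed browser model, and `simulate` shows why the design is not watertight once a user starts blocking new cookies after the page has loaded. Cookie names, the poll id and the feedback strings are assumptions.

```python
from http.cookies import SimpleCookie

DETECT_COOKIE = "poll_detect"   # assumed name; set when the poll page is rendered
VOTED_COOKIE = "poll_voted"     # assumed name; set once a vote has been counted

def poll_page_cookie():
    """Set-Cookie value the poll page hands out, so the vote handler can tell a
    cookie-blocking browser (or a script that never loaded the page) on the next request."""
    return f"{DETECT_COOKIE}=1"

def process_vote(cookie_header, poll_id, tally):
    """Vote handler. Returns (counted, feedback, set_cookie_or_None)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if DETECT_COOKIE not in jar:
        # No detection cookie: the page was never loaded, or cookies are refused.
        # Either way the vote is not counted and the user is told why.
        return (False,
                "Vote not counted: please allow cookies and reload the page.",
                None)
    if VOTED_COOKIE in jar and jar[VOTED_COOKIE].value == poll_id:
        return False, "You have already voted in this poll.", None
    tally[poll_id] = tally.get(poll_id, 0) + 1
    return True, "Thanks, your vote was counted.", f"{VOTED_COOKIE}={poll_id}"

def browser_cookies(stored, set_cookie, blocking_new):
    """Constructed browser model: cookies already stored are always sent back;
    a newly offered cookie is stored only while the user is not blocking cookies."""
    stored = dict(stored)
    if set_cookie and not blocking_new:
        name, value = set_cookie.split("=", 1)
        stored[name] = value
    return stored

def to_header(stored):
    """Serialise the browser's cookie jar as a Cookie request header."""
    return "; ".join(f"{k}={v}" for k, v in stored.items())

def simulate(block_after_page_load, presses=3):
    """Load the poll page once (cookies accepted), then press vote `presses` times.
    Returns how many of those presses were counted."""
    tally = {}
    stored = browser_cookies({}, poll_page_cookie(), blocking_new=False)
    for _ in range(presses):
        _counted, _msg, set_cookie = process_vote(to_header(stored), "poll42", tally)
        stored = browser_cookies(stored, set_cookie, block_after_page_load)
    return tally.get("poll42", 0)
```

With cookies accepted throughout, only the first press counts; with blocking switched on after the page loads, the detection cookie keeps being sent while the already-voted cookie never lands, so every press counts, which is the gap the message describes.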

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Henk Hangyi
> Sent: Wednesday 31 March 2004 15:12
> To: [EMAIL PROTECTED]
> Subject: Script kiddies and the MMBase poll
> 
> 
> Hi,
> 
> Did somebody already develop or integrate something to 
> prevent script kiddies from misusing applications like the 
> poll (See http://www.mmbase.org/packages)?
> 
> Thanks in advance.
> 
> Regards, Henk.
> 
> MMatch / MMbase consultancy and implementation
> Hommelstraat 9A
> NL-3061 VA Rotterdam
> T. +31-(0)6-29054903
> E. [EMAIL PROTECTED]
> I. http://www.mmatch.nl
> 
> 
> 