ASP.NET preventing a user from successive logins - asp.net

I'm working on a web-based academical evaluation project (VS2010,C#,ASP.NET). Users can enter the web site and evaluate personnel of a company (or the company managers). Then my clients (company owners) should be able to view results of the evaluation (appraisal). As this process involves people and there is always risk of re-voting by some users, I'm searching for ways to minimize number of re-evaluations by similar users, i.e. I'm going to prevent a user from voting for more than once as it can hugely affect results of the appraisal process, I'm asking user about his name, surname and national ID; I'll store these data in my database, and the next time a user trying to login with the same data will get a warning, but anyone can change his data and vote for several times! Also I save user IP and will check it on later logins but it can also be faked easily! what else can I do? using cookies? sessions? how should I technically prevent users can from voting for several times?
thanks

You can't avoid it but can minimize it. Take a look at this similar question/answers:
multiple voting.
Hunting Cheaters.
Prevent Users from Voting Multiple times

Related

How to show how many people have viewed a post

I have a BBS forum, I just wondered how to count the views of a post?
I need to consider of both registered users and visitors.
I was thinking of counting IPs, but many users or visitors might come from a same IP. Then I am thinking of counting GA (as Google states every _ga lasts for 2 years).
I searched for a while, but have not found any examples.
Your question is too broad, but generally speaking, you'll need some sort of middleware to run as part of the request pipeline and update some data store. If you're looking to discount multiple views by the same individual, then you'll need some sort of discriminator. That's where something like IP address would come in, but as you've mentioned it's not perfect and could end up lumping multiple people into one unit. The best approach is to set an identifier via a cookie, much as GA does with their tracking cookies. That identifier could be anything; it should just be unique for the cookie. Guid.NewGuid() should suffice. Then, you simply record this with the record of the view, and before saving a new record of a view, check for a record with that cookie value, first, if present.
A few things to bear in mind:
Instead of updating a single ViewCount column or something, you should track this in an external table that records the URL that was visited and any discriminating info such as the tracking cookie identifier. When you need to get a full count of views, just aggregate the count from this table. That will remove most of your concurrency worries. Otherwise, you'd have to gate writes to the ViewCount prop, or whatever, which will create choke point for your application.
Even a tracking cookie isn't perfect. For one, it will be device-specific, so the same user will be counted if they visit from both a desktop and mobile device, or even just multiple browsers on the same device. However, there's really not a better option here. If you do have an actual logged in user to work with, you can use that as a potential discriminator to get more exact counts, but of course, you still need a fallback option for anonymous users.

Is it possible for an Alfresco workflow to be used for "anonymous planning poker"?

We're investigating Alfresco for doing wideband delphi ("planning poker") based on submitted statements of work (collected user stories). I've been reading through the Alfresco documentation, and there are two questions that I haven't been able to get clear answers to:
Can we set it up so users can write, but not read, to a folder or node? (To support "anonymous" planning, without users knowing what the other users submitted estimates were)
Can workflow tasks be implemented to ask users to comment or submit items to a node or director with the above model, rather than just simple approve or deny?
Workflow:
User submits a statement of work
All users (or selected users at random, or ... ) in group get notice to review
Reviews include estimates on the overall SOW or specific phases
Reviews are anonymous/secret to all but the manager
Have you implemented something similar in Alfresco with fine grained access control? Sharing your experience would be very helpful... i'm not looking for someone to do the work for me, just to confirm it can be done.
I would use some kind of parallel workflow for this.
First the managers starts the workflow and the task type of this first node will have additional info about the user story and such, then the manager selects a people or a group to which it will send this user story.
Here comes the parallel thing into play. Because it's parallel noone sees the results of the other members of the workflow. The members fill in the requested fields (another custom task type with data like: score (estimate) and maybe explanation.
Before the workflow goes back to manager the automatic calculations are made in a non-user task/node where you calculate overall score for the story. You can include each individual user and their score in the result/report if necessary.
Now the results are sent to the manager.

Counting anonymous votes accurately

I'm building a small application that highly depends on anonymous user voting on some sort of items. It's so small that requiring registration would be tedious and could not be justified.
Anyway, I did some research on this, including a search here on stackoverflow (https://stackoverflow.com/search?q=anonymous+votes), and doesn't seem that there's a satisfying answer.
My question is: are there any security measures that I can apply to prevent gaming anonymous votes?
One thing comes to mind is CAPTCHA, but I'd like to avoid that since users will vote on multiple items in a very short period of time, and CAPTCHAs will just annoy them.
Another thing I thought of is limiting the number of votes per minutes from a single IP (in addition to a cookie), but not sure how this is going to work.
Any thoughts?
There are a few ways I've seen work:
Email registration : you get their email, they need to confirm their vote. The combination of their IP + email makes a unique record that they can't then use to vote again (for the same poll).
Captcha : without having additional checks (IP, etc), it's easy enough for a team of monkeys to successfully enter a lot of captchas.
Site Registration : without account creation level limits (e.g. a non-free email account required for signing up) people can just create multiple accounts.
Depending on how you weigh up the cost of getting users to vote vs making sure their votes are for them and them alone, you can use a different level of vote-spam-protection.
You can use the CAPTCHA once to both confirm the vote and create a session with the IP and cookie.
Any time you are dealing with anonymous voting you are going to have an imperfect solution but you can shoot for "pretty good". Consider dropping a cookie on the client computer to prevent multiple/frequent voting and back this up by performing server side IP tracking to do the same. Do not allow anyone to vote that has cookies blocked.
Of course, if you require complete accuracy or if the voting involves awarding of something of monetary value, registration is really the way to go.

Simplest way to count visits ASP.NET web app?

What is the simplest way to count # of visits by a user in an ASP.NET web app?
Our app services anonymous users, registered users and an intermediate user, called a "prospect". Prospects are users that request information but do not create an account.
We leave an ID cookie for every type of user, and that's the key into our database for visit information.
Prospects never "sign in" per se, but we still want to count those visits. We also want to count member visits, even when they don't sign in.
I am thinking of storing the ASP.NET Session cookie and then incrementing our counter every time the session cookie changes.
Anyone out there already solve this, or have any suggestions?
PS: We are ASP.NET 1.1
Refinement: We want this data in our app's database, so Google Analytics is not a reasonable solutions for this...and we are using Google Analytics.
Use Google Analytics. You can specify "goals" and "funnels" that lead to these goals quite easily.
Since you're using 1.1... in the Global.aspx... in the App_EndRequest (or whatever), insert a record into a DB with Name, IPAddress, timestamp, etc.
EDIT: Don't do the session thingy, sessions can be cleared, plus how will you report on them days, or weeks later... insert a record (including the Request.Url.Path if you'd like to have those kinds of stats).
Because it's on the EndRequest method, it's pretty safe even if there is some sort of glitch... also, performance won't matter as the user has gotten his page sent to him already.
We leave an ID cookie for every type of user, and that's the key into our database for visit information
Sounds to me like you already have a counter, you just need to figure out a way to make this data useful.
SELECT COUNT(1) FROM TblUsers WHERE UserType = 'Prospect' AND DateRange Between....

Is there a reliable way to prevent cheating in a web based contest where anonymous users can vote?

I'm working on a web-based contest which is supposed to allow anonymous users to vote, but we want to prevent them from voting more than once. IP based limits can be bypassed with anonymous proxies, users can clear cookies, etc. It's possible to use a Silverlight application, which would have access to isolated storage, but users can still clear that.
I don't think it's possible to do this without some joker voting himself up with a bot or something. Got an idea?
The short answer is: no. The longer answer is: but you can make it arbitrarily difficult. What I would do:
Voting requires solving a captcha (to avoid as much as possible automated voting). To be even more effective I would recommend to have prepared multiple types of simple captchas (like "pick the photo with the cat", "what is 2+2", "type in the word", etc) and rotate them both by the time of the day and by IP, which should make automatic systems ineffective (ie if somebody using IP A creates a bot to solve the captcha, this will become useless the next day or if s/he distributes it onto other computers/uses proxies)
When filtering by IP you should be careful to consider situations where multiple hosts are behind one public IP (AFAIK AOL proxies all of their customers through a few IPs - so such a limitation would effectively ban AOL users). Also, many proxies send along headers pointing to the original IP (like X-Forwarded-For), so you can take a look at that too.
Finally, using something like FSO (Flash Shared Objects - "Flash cookies") is obscure enough for 99.99% of the people not to know about. Silverlight is even more obscure. To be even sneakier, you could buy an other domain and set the FSO from that domain (so, if the user is looking for FSO's set by your domain, they won't see any)
None of these methods is 100%, but hopefully combined they give you the level of assurance you need. If you want to take this a level higher, you need to add some kind of user registration (which can be as simple as asking a valid e-mail address when the vote occurs and sending a confirmation link to the given address and not counting the votes for which the link wasn't clicked - so it doesn't need to be a full-fledged "create an account with username / password / firs name / last name / etc").
No, you can't, and it only takes one person and a willing forum to change the outcome of an online vote.
You have to realize the inherent flaws of an online vote and rather than attempting to get around them try to use them to your advantage.
-Adam
You can certainly make it difficult.
What about building a user profile with such things as ip address, browser useragent, machine name, and whatever other information you can get.
Store the profile for each user, then if you receive a profile which is similar enough to one already in the database (you'll have to tweak that) you can throw out that vote.
I imagine you can probably build a better profile using silverlight, though I'm not sure what information that gives you access to.
Client-side solutions are out for the reasons you listed -- they can be manipulated by the user. Server-side solutions -- as you said -- can be fooled and bypassed.
If you're willing to accept the fact that you can't really be 100% sure that you're getting exactly one vote per person, then there are some measures you can take to reduce the noise.
Use a CAPTCHA in your vote-submission form to make it harder for bots and scripts to vote.
Limit the number of votes per IP address to one.
Consider requiring registration in order to vote. (I know this defeats part of your original question, but it gives you a greater degree of control over the voting.)
That's a good start.
my personal experience in contest developing and monitoring tells me that no, there is no reliable way to avoid cheating if you let anonymous users vote (or do anything that lets them participate in the contest).
you could play with IP, introduce delays between an action and the next, but it's really difficult: the best way is introduce a captcha or something similar, if applicable in your particular situation.
best of all, don't let anonymous users participate: let them "play" and access to a simulation, but the contest needs a login.
Nope, it's the user's computer and they're in control.
Unfortunately the only solution is to bring it back on your court so to speak and require authentication.
However, a CAPTCHA helps limit the votes to human users at least.
Of course even with authentication you can't enforce single voting because then they teach the bots to register...
I have to agree that the short answer is no...though if you look at my recent answer here: How to anonymously identify a user and store that information you certainly can get it within a 6 percent margin of error.

Resources