We have website with articles users can vote for. What is the recommended method of limiting votes?
There are so many sites that have voting implemented that I know some possible solutions but I guess that is some basic bulletproof recommended method based on sessions, IPs, time limit, etc.
What is the best way to send votes from browser? Basic GET/POST or AJAX request? Is it necessary to use some pregenerated request-id?
Update: We cannot use user registration.
[...] bulletproof [...]
Impossible.
Limiting by account will help - IP addresses are far to dynamic and easily changeable to be remotely "secure". You then of course have to limit account creation, again, difficult..
Stackoverflow does it quite nicely (there was blog-entry about this recently, "New Question / Answer Rate Limits") - basically have accounts where you have to actively participate for a while before you can vote. Then you are rate-limited (by account) until you've participated for a bit longer. Then the limits are removed, so you don't annoy more active (more trusted) users.
If you just want to prevent causal, "accidental" voting, limit by cookie, and possibly also by IP (bearing in mind more than one user can be behind a single IP).. If you want to try and prevent abuse, require accounts which you can't just click "signup" for (or rather, one you cannot write a "click signup 2000 times"-script for), although this isn't always possible (or practical)
The best way of preventing duplicate posts is having only signed in users vote. That way you can store their vote in some data storage (DB).
If you want to allow for users to vote anonymously, use the browser session.
The downside of this is that they can just close/reopen the browser and revote.
I would not recommend using IP for restricting votes, since many users can be behind a proxy, so it will look like they have the same IP. If one of those users vote, the others could not vote anymore.
This may help for your bulletprof recommendation request : Content Voting Database and Application Design
There's no bulletproof solution unless you require some serious (banking level) authentication. That said, the basic solution is to use sessions (cookies). IP limiting is a very bad idea (for example I'm sharing an IP with about 20 other people).
Use authenticated users
Don't block IP
Don't verify votes by cookies
Try to use captcha if same IP is voting multiple times with different accounts
If you want to allow non authenticated users, then you're sure to have to use captcha to avoid bots. But still i think that the best is to allow vote to authenticated users only.
You can make something like, a user younger than 1h/2h can't vote to avoid bots creating accounts and feeding votes.
The best approach should be by user_id, one user can only vote one time on each challenge, each challenge should have an unique ID.
Allow new users to register.
Check if user is authenticated.
Check if user already voted in challenge ID, before creating a new vote.
Related
I want an admin account to send an announcement to all users in the db.
Right now for my Message table I am storing a message every time for user to user messages with senderId and receiverId etc.
My problem is can I treat announcement the same way as user to user messages and if yes, would it be wise to save into the message table n times for n number of users in the db every time there is an announcement?
So I want to see if there are cleaner approach to this.
It depends on how much time/effort you want to invest in this.
Separate table for announcements: You won't be able to reuse your current messaging system, but you will have maximum flexibility (special GUI features for announcements, they won't get mixed up with normal messages, etc.)
Modify your current messaging system to support multi-recipient and/or broadcast messages. With this you can reuse most of your current GUI with some backend modifications.
Do the simplest possible thing and send a message to everyone. This is very easy to implement. The obvious downside is that you will have a lot of copied messages in your DB, which may or may not be a problem.
Our client would like the user table to be separated from all other tables for "security reasons". Is this a good practice given that our application is built using RoR and MySQL and running on Unicorn and Nginx ?
I can think of two possible ways:
Create two different login accounts, one for the user table and one for the other tables.
OR
Have a separate database for the user data.
I think that both the solutions might create some problems with the migrations and other tasks and I don't know if this is an effective method of protecting user data. I am a junior developer and I am not familiar with some database and security concepts. Any suggestion?
A very common pattern is to have the users table literally just contain details of the user account and NO details of the actual person behind that account. ie, it would have username, email, password, or encrypted password & salt or whatever, but nothing else - not even name. So, all the "glue" that makes the system work stays in the users table in your regular database.
Then, the details of the real person behind the account (name, telephone number, address, card details etc etc) are stored in a different table, or tables, with a foreign key in either table pointing into the other one. You could store them in a different database but i don't know if this makes it more secure. A better way might be to encrypt just the table with the user's personal data, or perhaps encrypt the entire database. see
http://thinkdiff.net/mysql/encrypt-mysql-data-using-aes-techniques/
I get the feeling that your client doesn't know a lot about internet security and just needs to be reassured that some hacker isn't going to put all the customers' credit card details online, as has happened in several high profile cases recently. To satisfy them i would recommend that you research this well and implement at least two different security strategies, each of which on their own would be considered adequate.
Reassuring the client didn't work as this was an acceptance criteria for launch. In the end, I created two separate database with separate login credentials and user permissions. In order to manage multiple database migrations, I initially used multi-database-migrations gem and then customised it into my own gem.
I was new to SO when I posted this question (still am) and I now understand that the topic is too wide to be asked in a single SO question. Thanks for the suggestions anyway and I hope that the answer can help other people.
I am building a small e-mail like messaging app for a project, where a user would send out a message to another with information like meeting times and such, and I'm wondering about how to store all the messages exchanged.
My issues are:
Should I store all messages between all users in one database table (where it would be expensive to get the messages of each user when they log in)? Or should each user have a personal table for his/her messages(would have too many tables)?
I also need to store the events that the user accepts. Again, should these be in one table for all users or a separate table for each (I need to retrieve these quite often)?
I've searched on the site for other similar questions but most seem to focus on real-time messaging or on specific implementation technologies.
Thanks for the help!
A table per user is a bad idea. It means every query will be different and for every new user you will need to modify the database. This is hard to build, hard to maintain, and inefficient for your database too.
So, just store it in one table. A couple of millions of rows won't be a problem if you have proper indexes (and proper hardware).
If you fear for bad performance, you may delete very old messages. Or you can move them to an 'archive' table. If a user wants to view recent messages (of the past year or so), they can get it from the normal table, and older messages can be fetched from the other one. It's usually acceptable that digging into the archives is a bit slower, so it's probably okay if that table grows very large.
That said, you already mentioned e-mail. I'd seriously consider inspecting the possibilities of actual e-mail and the post boxes that come with it. There are many existing implementations, and it's a powerful protocol that has survived since the dawn of the internet, so maybe you shouldn't reinvent the wheel.
E-mail can have headers (custom headers too), and multiple parts, so even if a 'normal' e-mail won't suffice, you can still use e-mail as a transport layer for custom types of messages.
I have just started getting my hands dirty with building IM applications with ejabberd XMPP server and I have a requirement to allow one user account to login simultaneously from multiple devices and be able to follow conversations on all their logged in devices much like what gives in Skype, FB.
Is this possible with ejabberd out of the box or are there any further customizations one has to do?
Any pointers I can get woild be helpful. The body of knowledge out there is quite huge and knowing where to start looking has been quite daunting.
Yes, connecting from multiple devices at once is part of the XMPP standard. In a JID, the "resource" portion (e.g.: the part after the slash in jome#stackoverflow.com/desktop) is unique to a single connection and users may have many resources. So the resource could be your MAC or some unique device ID.
Vanilla XMPP allows users to specify priorities with each resource, and messages are routed to the highest-priority resource present. To follow a conversation across all resources at once, you need to enable XEP-0280.
Some websites we're running have been audited for security issues and one problem is that we don't protect authentification forms against brute force.
It has been decided that we would implement a CAPTCHA system after several wrong auth attempts.
The problem I'm dugging now is finding on what criteria we could identify unique visitors.
Since our users are often grouped behind the same IP address, this criteria won't be enough.
Cookies can be desactivated. I read somewhere in here an advice to use user agent and / or some keys from the HTTP request headers but I guess a trained hacker would generate new ones as he tries to brute force our websites.
Seeing that the conversion rates isn't an argument for our web site, what is the best pratice to identify unique visitors?
Thanks for your help!