Persistent Cookies (ASP)
The Levi Strauss/Lilith Fair selects ten amateur bands and based upon a vote, invites some number of winners to play at the Fair, where a gig can be a stepping-stone to fame. For the ’98 Fair a web page – with links to each band’s music – was set up for voting.
Because of some worry about liability, and because of rumors that one or several bands had paid someone to stuff the ballot box, a simple session-based cookie security scheme caught folks who tried to vote twice in one browser session and threw up a “You’ve Already Voted” page. The Levi/Lilith staff were worried about the for-pay cheats, not schoolkids voting from a shared lab computer (votes they were willing to lose in the face of determined fraud).
I wasn’t happy about the adminition page, it just informs the miscreants that you’ve got a security mechanism in place and gives them a way to tell when they’ve defeated it. Not a good plan. I also wasn’t happy with the session-based cookie. Once you tell someone you’re detecting multiple votes its a rather unsophisticated step to quitting and restarting the browser. (And these are people who are getting paid to cheat.)
There was a plan to log IP addresses, but when I told the client that most folks get an IP address dynamically assigned when they dial up their Internet Service Provider (ISP) the plan got dropped.
My plan was two-fold: make the cookie persist until past the end of the voting period and always thank the user for the vote, even if I’ve detected the persistent cookie and tossed their vote into the bit bucket.
Here’s the code fragment that did the trick:
const Voted = “voted_already”
const WhichVote = “levis_lilith_98_bands”
if Request.Cookies(WhichVote) = Voted then
Response.Cookies(WhichVote) = Voted
Response.Cookies(WhichVote).Expires = “July 4, 1998”
(vote count code goes here)
1993-2006 by ,
via the Creative Commons License. Questions and comments? Send
to the Geek Times Webmaster. (Domain and web content hosting at .)