I am building a voting system and would like to know every single way that I can keep people from voting more then once. The problem is that the person im doing this for does NOT want users to have to sign up, wait for a confirmation email or anything. I explained to him a few times that this was a terrible idea and it could be so much more secure if they had to sign up with a working email...

any way now I want to know any way to do this. I know it is impossible to do perfectly.

all i can think of is:
cookie check
ip check
the letters hidden in an image(protect from bots)


thanks
-ILLINI

If someone wants to, they can bypass any method of authentication and appear to be a different visitor.

Consider this - Authentication can be used to identify someone who wants to be identified. He does this by providing a piece of information that only you and he knows. So long as the piece of identifying information has been kept secure, then you know who a visitor is when he provides that piece of information. In the case of an ecommerce site, a login in/cookie tells you who the visitor is.

If a visitor does not want you to know who he is, all he needs to do is change, delete, or withhold the piece of identifying information. It all depends on how much work the visitor is willing to go to in order to appear as a different visitor.

For the following common methods of identifying a visitor, I list the common method of bypassing that form of identification.

Login via user/password that was verified through email confirmation. All a person needs to do is go get a different free email address and sign up again in order to vote.

Normal Cookie or a cookie based session. All a person needs to do is delete the corresponding cookie.

IP address. All a person needs to do is get a new IP address (renew his DHCP lease - just cycle the power on his DSL/Cable modem) or go through a different proxy each time he wants to vote. Note, because a majority of the people on the planet have dynamic IP addresses and all the people behind any router (such as in a corporation or school) share the same IP address, you cannot use the IP address by itself for authentication purposes.

Putting a CAPTCHA verification image on a form only helps to prevent automated form submission. If someone wants to vote more than once, he is probably willing to manually type the verification string more than once.

So, use a combination of the methods that you think most of the visitors won't go through the trouble of bypassing.

If you don't use CAPTCHA verification, you could attempt to do some trending on the votes to help detect automated submissions. If you get several in a very short time frame or you get a continuous stream, it is probably coming from an automated source.

Edit: As I have probably posted elsewhere here, all of the HTTP_xxxxx values are sent as headers with the request to the web server. They are all optional and all can be set to any value. You cannot rely on them being present for any visitor (different browsers send and don't send them) and you cannot rely on the value (a script can change the value on each visit.)