Hi all,

I have a website that allows users to vote once every hour and I've run into a weird issue.

When a user votes for a listing their IP is collected and stored along with the time of the vote. An hour later they are able to vote again. This has been working perfectly for months.

My traffic is growing rapidly and I'm seeing more and more visitors vote by the day - but it's blocking people from voting who haven't voted in ages! (Including myself - frequently).

I'm using $_SERVER['REMOTE_ADDR']; to detect the visitors IP; but I'm led to believe that this cannot be trusted?

I've done some brainstoring and I think the use of cloudflare CDN might be the issue? What do you think?

Are there alternative methods to identifying the visitors uniquely?


4 Years
Discussion Span
Last Post by Atli


No, the user's IP address is a very untrustworthy way to identify users. There are two main reasons for that:

First, because in many cases a single public IP address will cover a lot of users. For example, schools and other organizations will usually only have a single public IP for all the users in their network. This is also true for home networks, where a group of computers will sit behind a single router. If one member of such a network votes, the IP will be recorded and all members of that network will be blocked for the duration.

The second reason is the ease with which you can bypass IP restrictions. There are plenty of public, free and anonymous proxy services that allow anybody to connect to your site repeatedly, each time with a different IP. It is easy to skew the vote in whichever way you want if the only limitation is the user's IP. (And there are even more methods available for this, at a lower level, for skilled IT people, though I'll not go into that here.)

The bottom line is: IP addresses are not reliable identifiers. They should be treated just as another user-supplied input value as far as such matters are concerned: with great suspicion.

The only half way decent method of tracking and limiting user actions this way is by using user registration, and limiting users by verifying email addresses or (if possible) some other, more personalized information. Even so, such methods are not guarenteed to stop determined people. After all, new email accounts are easy to come by.

The very way in which the internet is built makes it extremely hard to positively identify users.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.