Problem with cookies in poll script

From: Mike Trozzo (root_at_localhost.com)
Date: 11/08/03


Date: Sat, 8 Nov 2003 23:40:02 +0100

Hi all,

As the subject indicates, I wrote a poll script. (I know there are a lot of
scripts out there already, but I felt it to be better to learn by doing the
whole thing myself.) It uses a combination of IP logging and cookies to try
to prevent ballot stuffing. I have a page called vote1.php that simply
displays the pictures of the candidates to be voted on, and of course the
form whose action goes to vote2.php. When vote2 executes, it first checks
to make sure that the person made a vote and didn't just click "Submit"
without making a choice. This works like a charm; so far, so good.

My problem is this: When the script checks that someone with that IP
address has voted in the current month, or if the cookie exists (which
expires at the end of the month), it's supposed to bring up a screen saying
that you're only allowed one vote per month. When the IP/month combination
has a match, everything happens as it should. However, even when the valid
cookie is there, it calculates a vote. I tested it by taking out the code
that checks IP/month, and it keeps going through as if there is no cookie.

Can anyone point me to the error of my ways? Also, what are good ways to
further tighten things up so that a visitor can't:
1. vote
2. delete the cookie
3. disconnect/reconnect to the ISP generating a new IP
4. vote again?

I pasted the relevant bits of code below.

Thanks,
Mike Trozzo

<?php
// generate month, year strings for cookie and IP/month comparisons
if(!$Month || !$Year) {
    $Month = date("m");
    $Year = date("Y");
}

// db connect info snipped for obvious reasons

$link = mysql_connect($host, $user, $password) or die("failure to connect");

$ip = $REMOTE_ADDR; // get IP address
$rightnow = date("d-m-Y H:i:s");
$monthcheck = "false";

// insert vote into db
$query1 = "INSERT into $table_v values('0', '$test1', '$ip', '$rightnow')";

// count votes for each dog
$query3 = "SELECT d.id, v.dog_id, IFNULL(count(v.dog_id),0) voted
    FROM $table_d d LEFT JOIN $table_v v ON (v.dog_id=d.id)
    WHERE month=MONTH(now())
    AND year=YEAR(now())
    GROUP BY d.id";

// count total number of votes for the current month
$query4 = "SELECT count(*) cnt from $table_v v, $table_d d
    WHERE v.dog_id=d.id
    AND month=MONTH(now())
    AND year=YEAR(now())";

// checks IP against database
$query5 = "SELECT *
    FROM $table_v
    WHERE IP ='$ip'";
$result5 = mysql_db_query($dbname, $query5, $link) or die("Query5 failed");

// added in case someone has the same IP address but hasn't voted in the
// month (ex: someone w/static IP)
while($row5 = mysql_fetch_array($result5))
{
    $m = substr($row5['votedate'], 3, 2);
    $y = substr($row5['votedate'], 6, 4);
    if(($m == $Month) && ($y == $Year))
    {
        $monthcheck = "true";
        mysql_data_seek($result5, 0);
        break;
    }
}

if($test1 == 0) // user didn't make a selection
{
    ... // Tell user to go back and make a choice; works fine
}

// If either 1: IP matches AND the vote is in the current month (likely
// meaning voter deleted the cookie)
// or 2: the cookie exists
elseif((($row5 = mysql_fetch_array($result5)) && ($monthcheck == "true")) ||
       (isset($_COOKIE['VoteDate'])))
//elseif(isset($_COOKIE['VoteDate'])) // testing the cookie by itself
{
    ... // Tells the user that he can only vote 1x a month; works on the
        // IP/month check but not the cookie check
}

elseif(!isset($_COOKIE['VoteDate']))
{
    setcookie("VoteDate", $Month, mktime(0, 0, 0, $Month+1, 0, $Year), "", "", "")
        or die(print("cookie not set"));

    ... // thanks the user for the vote, generate current results (works fine)
}
?>
[...]
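Added example, not the poster's code: the same one-vote-per-month check rewritten so that the decision rests on a server-side record keyed by a random token, with prepared statements in place of the interpolated `$test1` and `$ip`. Table and column names, the `dog` form field, PHP 7.3 or later, and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example (not the original poster's code). Table/column names are
// assumptions; SQLite in memory is used so the script runs stand-alone.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // ym holds "YYYY-MM" at insert time, so the month test is a plain
    // equality that reads the same on MySQL and SQLite.
    $db->exec('CREATE TABLE votes (id INTEGER PRIMARY KEY, dog_id INTEGER NOT NULL,
               ip TEXT NOT NULL, token TEXT NOT NULL, ym TEXT NOT NULL)');
    return $db;
}

// True if this IP, or the token carried in the VoteDate cookie, already has
// a vote for the month. The cookie is only a lookup key: its presence proves
// nothing by itself, the row in the database is what counts.
function alreadyVoted(PDO $db, string $ip, ?string $token, string $ym): bool {
    $st = $db->prepare('SELECT 1 FROM votes WHERE ym = ? AND (ip = ? OR token = ?) LIMIT 1');
    $st->execute([$ym, $ip, $token ?? '']);
    return $st->fetchColumn() !== false;
}

// Records the vote and returns the random token to place in the cookie.
function recordVote(PDO $db, int $dogId, string $ip, string $ym): string {
    $token = bin2hex(random_bytes(16));   // 128 random bits, not guessable
    $st = $db->prepare('INSERT INTO votes (dog_id, ip, token, ym) VALUES (?, ?, ?, ?)');
    $st->execute([$dogId, $ip, $token, $ym]);
    return $token;
}

// vote2.php flow; the form field name "dog" is an assumption.
$db  = setupDb();
$ym  = date('Y-m');
$ip  = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
$dog = filter_input(INPUT_POST, 'dog', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$tok = $_COOKIE['VoteDate'] ?? null;

if ($dog === null || $dog === false) {
    echo "Please go back and pick a dog.\n";
} elseif (alreadyVoted($db, $ip, $tok, $ym)) {
    echo "Only one vote per month.\n";
} else {
    $token = recordVote($db, $dog, $ip, $ym);
    // Expires at the start of next month; HttpOnly keeps page scripts away from it.
    setcookie('VoteDate', $token, ['expires' => mktime(0, 0, 0, (int)date('n') + 1, 1, (int)date('Y')),
        'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    echo "Thanks for voting.\n";
}
```

Note that `$_COOKIE` only exists from PHP 4.1.0 on (earlier releases exposed cookies as `$HTTP_COOKIE_VARS`), so `isset($_COOKIE['VoteDate'])` is always false on an older interpreter. Whatever the check does, a visitor who has cleared the cookie and reconnected with a new address looks exactly like a first-time voter; only an authenticated identity closes that gap.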


