Voting security [needs update]

 IP + cookies + evercookie

Check:  voter IP and evercookie is recorded in the votes table. So if the voter uses a shared IP (like at university, company etc.) or tries voting again from the same browser, they might not be able to vote.
Effectiveness: Not extremely effective, but simple for users.


Check: browser cookies (with changing browser or using private tabs user can vote unlimited times [can be fixed just with using “Social authorization” or “Authorized user” Additional security]).
Effectiveness: very bad (without “Additional security” like “Social login” or “Authorized user”), but allows votes from shared IPs – like at university, company etc.

Additional security

 reCaptcha (reCaptcha key required)

Check: like above but user must match the reCaptcha every time when the vote button is clicked (or if saving reCaptcha session is enabled, the session is kept for 30 minutes).
Effectiveness: enough effective with IP checking, but not so comfortable for users and creates more server load (for every vote your site sends a reCaptcha request to Google).

 Subscribe form

Details: when the user makes their first vote, they will have to fill a subscribe form with name & email fields; after the form is submitted the data saves to user session and voting can start.
Check: is user already have “Subscribe session”. If yes- can vote, if no – will be shown “Subscribe” modal (if already subscribed – user can enter the same details as before and if Name & Email equals, voting will be allowed).
Effectiveness: Not very effective, but simple for users.

 Facebook Share (required FB app ID)

Details: when the vote is clicked, opens a Facebook sharing popup window with the current photo and the vote will be registered when they click Share.
Notes: a user must have a Facebook account.
Effectiveness: equals selected “Contest security type” (as any additional security check are not happened)
Usage details: rarely used, but can be useful if the voting frequency is once per all contest.

 Social login


  1. Voter clicks “Vote”
  2. A popup with allowed social networks shows up –
  3. User clicks on the network of their choice and allows access to their profile (First & last name & sometimes email)
  4. The data is sent to the server and saved in session
  5. Vote is registered

Allowed socials in version 2.3.0+: FB, Google, Vkontakte
Older versions have more networks but used external service has security vulnerabilities, so currently used self-hosted login.
: same as in Default + unique social user ID.
Notes: this does not create any account for the user, all data stored in PHP session.
Second login with the same account: in the second login with the same social account Permission request window doesn’t show.
Effectiveness: good.

 Simple Social login

 Authorized user

Check: browser cookies and user ID.
Requirements: the user must be logged in on the website else they can’t vote and will see a message like “You must be logged in to vote!”.
Usage details: useful if you want to motivate user registration on the site or of the most part of voters are already site members.
Effectiveness: pretty good (users can create many accounts to cheat on the votes though).

Last update 15/11/2018

Related Articles

Leave A Comment?