Once only authentication, then blockout

[StuH]

Hi,

I need to develop a once-only voting system using ASP. I have a voting script that stops users voting from the same computer, via IP and/or cookie, but that does not stop the same person voting multiple times from multple computers.

Therefore, what I'd like is a front-end sign-on screen and provide all (known) users their own unique username/password or just a unique password with a one-time validity only. Once they get past the first sign-on challenge, they are passed onto the voting screen where their vote is anonymous. Of course, unknown passwords should be rejected.

Then, if they try to sign on again with the same password, it tells them they have already voted. The administrator should be able to also see who has not voted.

Any assistance appreciated.

Stu.

 

[damber]

How do you assign the username and password ? Is this an intranet app, or an internet app ? What else does your system do.. just this single vote or is this a feature of a larger application?



A smile is worth a thousand kind words. So smile, it's easy!

 

[DotNetGnat]

i dont think you can be successful at achieving this if it is an internet application...because there are numerous ways that a single person can try to vote multiple times

Intranet...can do...

-DNG

 

[damber]

My thoughts exactly DNG - I think there are ways of achieving it (to differing degrees) through the internet, but they're no where near as easy as an intranet app.

The internet based solution (for a *relatively* secure voting system) would involve a one time key delivered to the 'real person' via formal channels - e.g. through snail-mail based on the electoral register (kind of like the online voting being tested at the moment by some countries) - though it has to be based on a special unique key plus important identifying information for that person (e.g. social security number etc) - making it very difficult to vote more than once. Though it is unlikely that a standard site would have access to this sort of information to be able to validate and ensure unique votes to this level.

If it doesn't need to be water tight, then just use the user id you use for your application (which should be registered against a unique email address) and register that they have 'voted' - if you have multiple polls add this to a separate table. People can still create multiple accounts, but it depends what they are voting on..... not many people can be bothered to create lots of accounts when voting on a simple poll - like "which programming language do you prefer?" etc.

Either way, it is very difficult to make this 'flawless' - just do a search on 'internet voting' and you'll see lots of discussions about the challenges - even the governments best technical minds are having difficulty achieving this.

Let us know which it is.

A smile is worth a thousand kind words. So smile, it's easy!

 

[StuH]

Sorry, more info.

It is for an Intranet app (multiple campuses within one intranet).

The idea is to email a password to each person who is to vote, together with the intranet URL. When they click the link, they are asked for a password. All passwords are in a database linked to the ASP.

If a password is entered that does not match one in the database, access is rejected. If it matches with one, the user is allowed on to the vote form, but the database has a flag set against that record to say the user has signed in. I would expect the database would have fields such as User ID, password, flag.

When the user is passed onto the voting form, they can choose not to vote (abstain), or cast a vote as desired. The vote should be recorded, but there should be no record of who made particular votes.

From then, if the user tries to use the same password again, they are rejected with a note to say they already voted.

The admin component needs to be able to interrogate the database to see who has signed in to vote, and who hasn't, so those people that haven't can be chased up.

The user passwords should be significantly different to avoid "guessability". i.e. not just an incremented number.

Thanks,

Stu.

 

[damber]

Sounds like a plan... so what exactly do you want assistance with ?



A smile is worth a thousand kind words. So smile, it's easy!

 

[StuH]

Hi Damber,

I was hoping I wasn't the first person to think of this and someone already had a script that did it, or something similar. I have the voting side modified from elsewhere, but need the custom-authentication side and was hoping not to have to do it from scratch.

You see I'm one of these wretched VB6 programmers "tinkering" with ASP.

Thanks,

Stu.

 

[johnwm]

If you're a VB6 programmer you will be familiar with the CryptoAPI. Just generate MD5 hash from their username (or other details) and use the last 10 characters as a password. Do a search on forum222 for examples

________________________________________________________________
If you want to get the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
Drive a Steam Roller

 

[StuH]

Thanks johnwm,

Generating the passwords I can do. It's more the authentication database/ASP that I was hoping already existed somewhere.

I'm starting work on it from scratch. Will post if I need help. Thanks all.