Closed Bug 766492 Opened 12 years ago Closed 8 years ago

"Like" button remembers users by user-agent string only, not by IP address

Categories: developer.mozilla.org Graveyard :: Demo Studio / Dev Derby
Type: defect; Priority: Not set; Severity: normal

Tracking: (Not tracked)

Status: RESOLVED WONTFIX

People: Reporter: jwkbugzilla; Assignee: Unassigned

Details: Whiteboard: [triaged]

Steps to reproduce:

1. Go to https://developer.mozilla.org/en-US/demos/detail/the-planetarium/launch (make sure that you aren't logged in on MDN).
2. Click "Like It" button ("You Like" is displayed).
3. Reconnect to the Internet to get a different IP address.
4. Go to https://developer.mozilla.org/en-US/demos/detail/the-planetarium/launch again.

Expected results:
The button says "Like It" again given that the choice for anonymous users is supposed to be remembered based on IP address and user agent (https://github.com/mozilla/kuma/blob/7eba73f58d/apps/actioncounters/utils.py#L43). Different IP address means a different user and no vote yet.

Actual results:
The button still says "You Like", apparently based solely on the user agent string. Indeed, if I fire up a current Chrome release I also see "You Like" - something else already voted with this user agent string.
Component: demos.mozilla.org → Demos
Product: Websites → Mozilla Developer Network
QA Contact: demos-mozilla-org → demos
Thanks for the report Wladimir.

Dev team: Are we using a cookie to determine whether someone already voted? If we are, we might want to consider using a combination of cookie and IP address so that a user cannot vote multiple times from multiple browsers as Wladimir explains.
Blocks: 756266
Component: Demos → Demo Studio / Dev Derby
Updating this bug to make it a bit more general.

Some people do try to generate artificially high "Like" counts on the Demo Studio, probably by exploiting issues like this and others similar to it. This makes the process of finding the best demos significantly more challenging for me when it comes time to judge.

We should really try to defend against spam like this.
Summary: "Like" button remembers users by user-agent string only, not by IP address → Protect against "Like" spam on the Demo Studio
(In reply to John Karahalis [:openjck] from comment #1)
> Thanks for the report Wladimir.
> 
> Dev team: Are we using a cookie to determine whether someone already voted?
> If we are, we might want to consider using a combination of cookie and IP
> address so that a user cannot vote multiple times from multiple browsers as
> Wladimir explains.

We don't use cookies; users can set & clear them, and so they can't be trusted. Currently, to try to make votes vaguely unique, we use a combination of IP and user agent for anonymous users. That implies a single anonymous user could switch browsers or locations and get another vote. Logged-in users have votes tied to user ID, which is much clearer.

(In reply to John Karahalis [:openjck] from comment #2)
> Some people do try to generate artificially high "Like" counts on the Demo
> Studio, probably by exploiting issues like this and others similar to it.
> This makes the process of finding the best demos significantly more
> challenging for me when it comes time to judge.

Do you have any specific examples where this has happened? That way we can look at the data and see what the vote-generation looked like in terms of the data.

> We should really try to defend against spam like this.

We are trying to defend against multiple votes, but while still allowing anonymous users to vote. That makes it hard to mount a perfect defense - suggestions welcome! (And I'm certainly not ruling out bugs in the current approach, either. I haven't looked at it in probably 2 years)

An alternative might be to restrict voting to logged-in users. That would give us a unique identifier tied to a single person, no matter what browser or IP they use.
(In reply to Les Orchard [:lorchard] from comment #3)

> We are trying to defend against multiple votes, but while still allowing
> anonymous users to vote. That makes it hard to mount a perfect defense -
> suggestions welcome! (And I'm certainly not ruling out bugs in the current
> approach, either. I haven't looked at it in probably 2 years)

Just to be clear: Even if tracking visitors by IP + user agent were bug free, the approach is flawed from the ground up, if 1-person-1-vote is precisely what we want. People in households share IPs, and people can change user agents. Cookies can be tampered with, cleared and altered. 

So, short of constraining to authenticated users, I can't think of a foolproof way to ensure a single person can't find ways to vote multiple times. (Doesn't mean there isn't a way, but I haven't heard of one.)
(In reply to Les Orchard [:lorchard] from comment #3)

> > Dev team: Are we using a cookie to determine whether someone already voted?
> > If we are, we might want to consider using a combination of cookie and IP
> > address so that a user cannot vote multiple times from multiple browsers as
> > Wladimir explains.

Actually, re-reading Wladimir's bug report, he's pointing out something different: Seems like there's a bug in detecting IPs. So, each unique *browser* gets one vote, regardless of who's using it from what IP. This probably has something to do with front-end caches in production (ie. Zeus) and passing the user IP back rather than the cache IP.

But, since the retitling, this bug has changed to request something else entirely.
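The following is an added illustration of the failure mode comment 5 suspects, not Kuma's code or MDN's configuration. It mimics Django's request.META with plain dicts: when the application keys anonymous votes on REMOTE_ADDR, and every request arrives from the front-end cache, REMOTE_ADDR is always the cache's own address and the "IP + user agent" key degenerates to user agent only. The proxy-aware variant takes the client address from X-Forwarded-For, but only when the TCP peer is one of our own proxies, so a direct request cannot spoof the header to mint extra votes. The trusted-proxy address, the sample requests and the helper names are assumptions for the example.

```python
"""Illustrative example (not Kuma's code): deriving an anonymous-vote key
behind a reverse proxy / front-end cache.

`meta` dicts below stand in for Django's request.META. TRUSTED_PROXIES and
the sample requests are constructed for the example, not MDN configuration.
"""
import hashlib
import ipaddress

# Assumption for the example: addresses of our own front-end caches. Only a
# request that arrives *from* one of these may have its X-Forwarded-For trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(meta):
    """Return the real client address for a request.

    REMOTE_ADDR is the TCP peer; HTTP_X_FORWARDED_FOR is the proxy-appended
    chain "client, proxy1, ...". If the peer is not a trusted proxy the header
    is attacker-controlled and ignored; otherwise we walk the chain from the
    right and take the first hop that is not one of our own proxies.
    """
    peer = ipaddress.ip_address(meta["REMOTE_ADDR"])
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    chain = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def anonymous_vote_key(meta):
    """Key an anonymous vote on (client IP, user agent), as comment 3 describes.

    Hashing keeps raw IPs and UA strings out of the counter table; the same
    IP+UA pair always yields the same key, so a repeat click is detected.
    """
    ua = meta.get("HTTP_USER_AGENT", "")
    return hashlib.sha256(f"{client_ip(meta)}\n{ua}".encode()).hexdigest()


def naive_vote_key(meta):
    """The suspected bug: keying on the peer address, which behind a cache is
    always the cache itself, so the key collapses to user agent only."""
    ua = meta.get("HTTP_USER_AGENT", "")
    return hashlib.sha256(f"{meta['REMOTE_ADDR']}\n{ua}".encode()).hexdigest()


# Constructed sample requests: two visitors with an identical Firefox UA string,
# both relayed by the cache at 10.0.0.5, plus a direct request that spoofs XFF.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
VISITOR_A = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "203.0.113.7", "HTTP_USER_AGENT": UA}
VISITOR_B = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.22", "HTTP_USER_AGENT": UA}
SPOOFER = {"REMOTE_ADDR": "198.51.100.22", "HTTP_X_FORWARDED_FOR": "192.0.2.1", "HTTP_USER_AGENT": UA}

if __name__ == "__main__":
    print("naive keys collide:", naive_vote_key(VISITOR_A) == naive_vote_key(VISITOR_B))
    print("proxy-aware keys collide:", anonymous_vote_key(VISITOR_A) == anonymous_vote_key(VISITOR_B))
    print("spoofer resolved to:", client_ip(SPOOFER))
```

Run stand-alone, the naive keys for the two visitors collide (same UA, same cache address) while the proxy-aware keys differ, and the spoofed header from a direct connection is ignored. As comment 4 notes, this only restores the intended IP + UA behaviour; shared household IPs and changed user-agent strings still defeat it.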
(In reply to Les Orchard [:lorchard] from comment #5)
> But, since the retitling, this bug has changed to request something else
> entirely.

Indeed. John, please don't hijack bugs. If you think that there is another issue worth addressing - feel free to create a new bug. I described an obvious bug, I am not questioning the overall approach here (there are no perfect solutions so improving the approach will be a lot harder than fixing this bug).
Summary: Protect against "Like" spam on the Demo Studio → "Like" button remembers users by user-agent string only, not by IP address
No longer blocks: 756266
Summary: "Like" button remembers users by user-agent string only, not by IP address → Improve detection of multiple Demo Studio "likes" from the same user
Per comment 5 & comment 6, this bug is specifically about the IP address detection in counting likes. If there are further things we want to do, we should file a broader bug.
Summary: Improve detection of multiple Demo Studio "likes" from the same user → "Like" button remembers users by user-agent string only, not by IP address
(I say that, because dealing with the IP address bug is a focused task that is probably an easy fix. I don't know what improving detection in general entails.)
Whiteboard: [triaged]
Demo Studio is being retired from MDN and archived as of end January 2016
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: developer.mozilla.org → developer.mozilla.org Graveyard