DHCP problem

 
Stephanie Spike
Greenhorn
Posts: 11
Hi everybody, HELP!
I have inherited an online voting application that allows students to vote only from a "registered" computer. Before the election, an official picks out the computers they want to use all over campus, opens a browser and sends a request to a servlet. The servlet logs the IP address of that machine and during the election, checks any requests to vote against that list. Problem is, the computers are becoming "unregistered" - I can only guess because of DHCP. When I did a name lookup on the IPs, a lot of them were dhcp.xx.blah.
How can I fix this - or can anyone think of a smarter way for my server to recognize a machine instead of an IP? Keep in mind that I can't put anything on these machines (even cookies!), it is forbidden by nearly all lab managers...
Thanks in advance!
 
Michael Morris
Ranch Hand
Posts: 3451
Hi Stephanie,
Well, you could use session tracking using URL rewriting instead of cookies provided your servlet engine supports URL rewriting for session tracking. You could then do something like:

Of course using request.getServerName() may get you back in the same bind. You may need to generate a unique id from a static variable and wrap it in an Integer or other wrapper and store that as your session attribute. Your registration code will need to verify that the machine is on the list before registering it. This of course brings up the question: is it possible that a host name may change during the registration process and no longer be on the list?
Hope this helps,
Michael Morris
 
Peter den Haan
author
Ranch Hand
Posts: 3252
Even if you could set a cookie, that would still leave the loophole that a user can remove their cookies and vote again.
If all of these people have their own e-mail address at your organisation, that could be a useful angle. You create a web page that will allow them to request a "voting ticket". This is an e-mail containing a link with a big random string. Using that link, they can vote. Because you know exactly what tickets have been sent to which e-mail addresses, everyone is restricted to one vote per e-mail address which hopefully is a good approximation of one vote per person.
If people tend to have multiple e-mail addresses, you can precompile a list of valid e-mail addresses. Only one single e-mail address per person would be valid.
It would rid you of the "registered computer" idea. That is just completely broken (unless you have an IE-only infrastructure and everyone is logged onto an NT domain; in that case you can use NTLM authentication and everything suddenly becomes laughably easy).
- Peter
 
Stephanie Spike
Greenhorn
Posts: 11
Thanks Michael and Peter, but I guess I didn't make my problem clear enough.
I use LDAP authentication to make sure that a student is who he says he is and that he only votes once. What I am trying to secure is the computer the votes are coming from. There was a problem with large groups of students giving their IDs and passwords to a single kid who sat in his dorm room and voted for everyone, casting the exact ballot over and over. To solve that, they now have to go to an exact computer to vote, which is identified to my application ahead of time, and which is watched over by an official.
I've considered using MAC addresses, since they shouldn't ever change, but I know next to nothing about networking. Any more ideas?
Thanks, again, in advance...
 
Peter den Haan
author
Ranch Hand
Posts: 3252
Ah. Yes, that changes matters.
"To solve that, they now have to go to an exact computer to vote, which is identified to my application ahead of time, and which is watched over by an official."
At the time of voting? If so, what about giving that official a username and password to log in to the voting application? Votes could be cast only after the official had done its job. A session cookie or some other means of session tracking does the rest.
Other than that, it'd be sticky. I don't think you can get browser fingerprints that are specific enough. I don't think either that there's an easy way to get at the MAC address from Java. Is there some way you could interrogate the DHCP server? Otherwise, I can't think of another way around it offhand.
- Peter
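
The approach suggested in the post above, where the official's login unlocks a session and votes count only from unlocked sessions, sketched as an added example (not code from any poster or from the application discussed). The class and method names are hypothetical; the session ID is assumed to come from the servlet container's session tracking and the student ID is assumed to be already verified against LDAP.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: a vote counts only from a session an official has unlocked, once per student. */
public class SupervisedStations {
    public enum Result { ACCEPTED, STATION_NOT_AUTHORIZED, ALREADY_VOTED }

    private final Duration lifetime;                                         // how long one unlock lasts
    private final Map<String, Instant> expiry = new ConcurrentHashMap<>();   // session id -> unlock expiry
    private final Set<String> voted = ConcurrentHashMap.newKeySet();         // student ids that have voted

    public SupervisedStations(Duration lifetime) { this.lifetime = lifetime; }

    /** Call only after the official's own login has succeeded in this session (login not shown). */
    public void unlock(String sessionId, Instant now) { expiry.put(sessionId, now.plus(lifetime)); }

    /** Call when the official logs out or leaves the station. */
    public void lock(String sessionId) { expiry.remove(sessionId); }

    /** studentId must be the non-null identity the application has already checked against LDAP. */
    public Result castVote(String sessionId, String studentId, Instant now) {
        Instant until = sessionId == null ? null : expiry.get(sessionId);
        // The station is recognised by its unlocked session, so a changed DHCP lease does not matter.
        if (until == null || !now.isBefore(until)) return Result.STATION_NOT_AUTHORIZED;
        // add() is atomic: two concurrent requests for the same student cannot both be accepted.
        return voted.add(studentId) ? Result.ACCEPTED : Result.ALREADY_VOTED;
    }

    public static void main(String[] args) {
        SupervisedStations s = new SupervisedStations(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2024-01-01T09:00:00Z");     // constructed sample time
        s.unlock("session-lab-1", t0);                           // constructed session ids below
        System.out.println(s.castVote("session-lab-1", "student-a", t0.plusSeconds(60)));
        System.out.println(s.castVote("session-lab-1", "student-a", t0.plusSeconds(90)));
        System.out.println(s.castVote("session-dorm", "student-b", t0.plusSeconds(90)));
        System.out.println(s.castVote("session-lab-1", "student-b", t0.plus(Duration.ofHours(1))));
    }
}
```

If the session is tracked by URL rewriting, the session ID is visible in the address bar and can be copied to another machine, so keep the unlock lifetime short and call lock() when the official leaves the station.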
 
Tim Holloway
Bartender
Posts: 18709
I vote with Peter (no pun intended).
What you actually want is someone or something to validate the votes. If you're using a secure channel to connect the client to the server and can trust that no one's been tampering with the voting machines then you have narrowed the vote sources down to legitimate channels. Then within that channel you use your LDAP identification and/or a unique voting "ticket" (some sort of one-time PIN or something) to ensure that each voter votes only once.
Of course, short of going biometric or physically watching what each voter enters, there's no way of really ensuring 100% that person A didn't cast Person B's votes, but if Person B is going to give away his/her identity that casually, losing a vote is the least of evils likely to befall him/her.
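
The voting "ticket" mentioned in the post above and described in Peter den Haan's first reply (a big random string in an e-mailed link, one per valid e-mail address), sketched as an added example that is not code from any poster. The class and method names and the sample address are hypothetical, and sending the e-mail itself is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: single-use voting tickets, at most one per address on a precompiled list. */
public class VotingTickets {
    private static final SecureRandom RNG = new SecureRandom();
    private final Set<String> eligible = ConcurrentHashMap.newKeySet();  // precompiled valid addresses
    private final Set<String> ticketed = ConcurrentHashMap.newKeySet();  // addresses already sent a ticket
    private final Set<String> unspent = ConcurrentHashMap.newKeySet();   // SHA-256 of unused tickets

    public VotingTickets(Set<String> validEmails) { validEmails.forEach(e -> eligible.add(normalise(e))); }

    /** Returns the random string to put in the e-mailed link, or null if no ticket may be issued. */
    public String issue(String email) {
        String key = normalise(email);
        if (!eligible.contains(key) || !ticketed.add(key)) return null;  // unknown or already ticketed
        byte[] raw = new byte[32];                                       // 256 random bits
        RNG.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        unspent.add(sha256(ticket));               // keep only the hash, never the ticket itself
        return ticket;
    }

    /** True exactly once per issued ticket: remove() is atomic, so a replayed link is refused. */
    public boolean redeem(String ticket) { return ticket != null && unspent.remove(sha256(ticket)); }

    private static String normalise(String email) { return email.trim().toLowerCase(Locale.ROOT); }
    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);    // SHA-256 is mandatory on every Java platform
        }
    }

    public static void main(String[] args) {
        VotingTickets t = new VotingTickets(Set.of("a.student@campus.example")); // constructed address
        String ticket = t.issue("A.Student@campus.example");
        System.out.println(t.redeem(ticket) + " " + t.redeem(ticket) + " " + t.issue("a.student@campus.example"));
    }
}
```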
 
Stephanie Spike
Greenhorn
Posts: 11
Thanks for the suggestions. I'm still not sure what the best way to handle it is, but I have more to think about. It has been suggested to me that an ActiveX control combined with some JavaScript could handle this problem easily. I'll ignore that suggestion for now.
Thanks!
 