couchdb-user mailing list archives

From Jens Alfke <>
Subject Re: Request object in validate_doc_update
Date Tue, 29 May 2012 06:28:59 GMT

On May 28, 2012, at 2:26 PM, Luca Matteis wrote:

> contained in the request), so why not give the IP address of the
> request as well? This would allow the creation of even more powerful

The IP address is not very useful for what you're trying to do. Given the prevalence of NAT
(even by ISPs and cell carriers), multiple different users can appear to be at the same IP
address; and given dynamic addressing and mobile devices, a single user can appear at multiple
IP addresses over time.

In other words, if you do this it will offend some of your users who will be accused unfairly
of cheating simply because they're behind a NAT, and it'll still be pretty easy for people
to hack around by just voting from home, from work, and from a cafe.

Basically any system with disposable easily-created anonymous accounts will run into issues
like these. There isn't any way around them without making the accounts stickier. But that's
off-topic for this list.

