Site Bug: I Also Have This Question


Questions and Answers : Wish list : Site Bug: I Also Have This Question

Atangel
Joined: 14 May 99
Posts: 61
Credit: 1,024,161
RAC: 1
United States
Message 2978 - Posted: 1 Jul 2004, 3:41:41 UTC
Last modified: 1 Jul 2004, 3:44:07 UTC

Seems like the right place for a web site bug. I can click my own "I Also Asked This Question" button and increment the counter. Seems vaguely profane, but people could alter their own post's stats.

Edit: I did a POC with this post (and found the bug in another, by accident). Asked 5 times already? In fact, I did ask 5 times, but I don't think anybody else did.

Nemequor
Joined: 29 Aug 02
Posts: 32
Credit: 19,483
RAC: 0
Finland
Message 3162 - Posted: 1 Jul 2004, 14:19:17 UTC

I don't think that this is actually a bug in the site. Making sure that the same people don't click on that button more than once and similar things is easy to do, but not very effective.

There are only a number of ways in which such user control is possible, and usually those are cookies (which hold information about you clicking on the button), but this is easy to bypass by deleting the cookies.

Another way is to keep the IP address of the user in a database on the servers and then check if the user is the same as before, but as you may know, most people have dynamic IP addresses (the address changes from time to time), so this is not too effective either, not to mention the workload it would create for a database server because of the number of users on this site.

One other commonly used user control method is creating "sessions" for every user, but this is easy to bypass too, simply by closing the browser or being idle for a while so that the session times out. Indefinite timeout is just not practical, especially if the computer the session is attached to is a public computer or similar, in which case everyone using that computer would continue to use the same session, thus having full access to everything the session controls (or has access to). I'd imagine this is what the users don't generally want.

There might be other ways that I'm not aware of though :)

regards

--J

Atangel
Joined: 14 May 99
Posts: 61
Credit: 1,024,161
RAC: 1
United States
Message 3181 - Posted: 1 Jul 2004, 14:52:42 UTC - in response to Message 3162.
Last modified: 1 Jul 2004, 14:54:09 UTC

Don't need anything fancy, you need to be signed on as "you" to post as "you" so don't allow the poster to see/click his own button. Actually, can people NOT signed on even see the button?

Edit: typo.

Nemequor
Joined: 29 Aug 02
Posts: 32
Credit: 19,483
RAC: 0
Finland
Message 3201 - Posted: 1 Jul 2004, 15:29:11 UTC - in response to Message 3181.

> Don't need anything fancy, you need to be signed on as "you" to post as "you"
> so don't allow the poster to see/click his own button.

Doesn't change the limitations/problems of the methods anywhere, which is what I tried to explain in my earlier post.

> Actually, can people NOT signed on even see the button?

Yes they can, unless I made a wrong turn somewhere between logging out, restarting the browser, and returning here just to see if the button would still be there.

--J
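
The server-side check suggested in Message 3181, written out as an added example (not part of the thread and not the site's own code). It assumes clicks are counted only for signed-in accounts; the table, column and function names are hypothetical. Because the count is keyed on the account rather than on a cookie, IP address or session, deleting cookies or letting a session expire does not allow a second click.

```python
import sqlite3

# Hypothetical schema; table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL);
CREATE TABLE also_asked (
    post_id INTEGER NOT NULL REFERENCES posts(id),
    user_id INTEGER NOT NULL,
    PRIMARY KEY (post_id, user_id)   -- one click per account per post
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_also_asked(db, post_id, session_user_id):
    """Return a status string; the counter changes only on 'counted'.

    session_user_id must come from the server-side login session,
    never from a form field or cookie value the browser can set.
    """
    if session_user_id is None:
        return "login_required"          # anonymous clicks are not counted
    row = db.execute("SELECT author_id FROM posts WHERE id = ?", (post_id,)).fetchone()
    if row is None:
        return "no_such_post"
    if row[0] == session_user_id:
        return "own_post"                # the poster cannot bump their own count
    try:
        with db:  # commit on success, roll back on error
            db.execute("INSERT INTO also_asked (post_id, user_id) VALUES (?, ?)",
                       (post_id, session_user_id))
    except sqlite3.IntegrityError:
        return "already_counted"         # primary key rejected the repeat
    return "counted"

def also_asked_count(db, post_id):
    # Derive the counter from the rows instead of incrementing a stored number.
    return db.execute("SELECT COUNT(*) FROM also_asked WHERE post_id = ?",
                      (post_id,)).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO posts (id, author_id) VALUES (2978, 1)")  # constructed sample row
    for user in (1, 2, 2, None, 3):
        print(user, record_also_asked(db, 2978, user))
    print("count:", also_asked_count(db, 2978))
```

Hiding the button from the poster is only a display change; the check has to sit in the request handler, since the request can be sent without the button.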


Copyright © 2014 University of California