Now I have a question, maybe somebody has a solution. What is the best way to store a unique ID of a user that is also compliant with data protection regulations (and GDPR) without a cookie and session in PHP?
It is also not allowed to use only the IP address, because this can be used by several users. The point is that a vote is saved and the user is not allowed to vote more than once.
Thank you very much! :D
You are asking the question most of the ad and tracking industry has been trying to solve for centuries. New ways emerge all the time, and browser manufacturers and browser-plugins try to prevent them, however only trying to catch up all the time.
Things you can use:
Of all of them, using a browser fingerprint seems to be the best solution. You can check out Am I Unique or similar sites to get an idea about what things you can check against.
Remember, though, that the above techniques only work in a browser. As soon as someone writes a bot or uses Postman, they won't protect you. Except for the IP maybe. You may want to only allow a certain max. amount of votes from one IP per day in order to prevent miss-use to a degree.
Marco Alka
Software Engineer, Technical Consultant & Mentor
TheSheriff
Co-Founder, Founder, Entrepreneur & Problem Solver
In relation to GDPR most ways to store/gather information are fine. You just have to tell the user that you are doing it and ask them to confirm that is ok. And to be clear even if you don't store data you may still be a processor of a user's data so be careful. But it's important to seek proper GDPR professional advice so you know you're safe.
So their isnt a login system? If so the UK petition.parliament.uk peoples messed this up too. They wanted what you asked for but in the end settled with requiring users to provide an email address so that 1 vote = 1 user.
Various methods can be used. Doing this without IP address though makes it trickier. I would use IP address + device details along with geolocation (a derivative of IP) and then as Marco Alka says use browser finger-printing as well.
Regardless of the method used - you will have to tell the user what you are doing and what's going on.