Do you have any advice on how I can take this a step further? I am looking to limit a given user to one vote per session but I’m not sure how to achieve this. I’d appreciate any help you can offer. Thanks for your time.

Good question, Aaron. Remember that a session is simply tied to your browser cookie, so if we allow one vote per session, all the user has to do is clear their cookies and then vote again. And again. And again! So I think what you mean is how do we allow only one vote per IP address? To enforce that, we’ll need to save a list of the IP addresses that have already sent us a vote. And before we record a vote, we need to make sure their IP address isn’t already on that list. Further, we should remember which poll number they have voted in so we can have more than one poll in our application. We’re going to need a simple table:

# lib/db/migrate/001_voter_log.rb
create_table :vote_log do |t|
  t.column :poll_id, :integer
  t.column :client_ip, :string
end

For simplicity of this example, we’ll put all of our logic in the controller. (I won’t show the VoteLog model class because it’s empty.)

# RAILS_ROOT/app/controllers/poll_controller.rb
def record_a_vote
  poll_id = params[:poll_id]
  client_ip = request.remote_ip

  unless VoteLog.count(:all, :conditions => ['poll_id = ? AND client_ip = ?', poll_id, client_ip]) == 0
    redirect_to :already_voted
  end

  Poll.find(poll_id).record_vote(params[:candidate]) # Or however you count votes
  VoteLog.create(:poll_id => poll_id, :client_ip => client_ip)
end

def already_voted
  render :text => "You already voted, no cheating!"
end

Just keep in mind this approach might not be appropriate in all situations. Due to Network Address Translation (NAT) firewalls, many thousands of people will appear to have the same client_ip. This is particularly true in corporate environments. If that’s a concern, you’ll need to go with a full-blown registered-user approach.

Further Reading

How to obtain the IP address of the current user

Feedback and Article Ideas

Want to see a topic explored here? Send Me a Message.

That’s not to say it was perfectly simple to get working with Rails. Because Dibs.net accepts uploads only from logged-in users, I ran into two limitations that would not allow me to use this solution:

• Flash doesn’t send the cookies from the browser (at least it doesn’t in Firefox; it might in IE)
• Rails doesn’t support non-cookie sessions

Because Flash doesn’t send the session cookie, Rails thinks the request is coming from a new, logged-out user and creates a new session for it. Adding a cookies feature to Flash was well out of my hands since I don’t work for Adobe, so I looked into a way to restore the session from a session key passed as a URL parameter. After some experimentation, I found a solution that works great.

Assumptions

I use a modified version of the acts_as_authenticated plugin. Upon authentication, the plugin sets the :user session key to the authenticated user’s id. You’ll need to adapt for your own configuration.

Example Rails Code

In RAILS_ROOT/app/controllers/show_my_ip_controller.rb:

class ImagesController < ApplicationController
	session  ff,  nly => :create
	prepend_before_filter :restore_session_user_from_param,  nly => :create
	requires_login :except => :index

	def create
	  # Handle the file upload here
	end

	private
	def restore_session_user_from_param
	    data = ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager].session_class.find_session( params[:_session_id] ).data
	    sess_obj = Marshal.load( Base64.decode64( data ) )
	    @current_user = User.find( sess_obj[:user] )
  	rescue
    	authorization_required
  	end
end

Then we include the session id as a parameter in the form’s action URL in the view:

<form action="<%= images_path(:_session_id => session.session_id) %>" method="post" id="photoupload" enctype="multipart/form-data">

How it works

Under normal circumstances the acts_as_authenticated plugin sets the @current_user instance variable to the current logged-in user at the start of each request. Since we have no session data when a Flash app hits the controller, there’s effectively no current_user. Our goal is to get current_user working, so we:

• turn sessions off for the relevant action; otherwise Rails will create useless sessions any time Flash hits that action
• prepend a before filter to set the @current_user instance variable
• require login for most of the actions, including create

In the before_filter, we grab the session data from whatever session store we’re using, decode and unmarshall it, and set the @current_user instance variable to the User we find with the id we get from the session hash.

Simple? Not really. But it works!

Further Reading

I couldn’t find much documentation on any of this beyond stomping through the Rails code & Ruby’s CGI Standard Library docs.

Update: A Word of Caution

I forgot to mention when I published this earlier that there’s a reason parameterized sessions is discouraged: browsers will send the entire current link, including the session id, in referer headers to offsite hosts. This doesn’t affect Dibs.net’s Flash upload, but in other scenarios use the above with caution, or with SSL.

Feedback and Article Ideas

Want to see a topic explored here? Send Me a Message.

Web applications can receive requests directly, via a CGI process, through proxy servers, relayed from front-end web servers, and so on. This can complicate how you might find out where the request originated if you, for example, wanted to limit an online poll to one vote per IP address. Luckily, Rails consolidates most of the ways to get this info into a single convenience method on the request object for us.

The Convenience Method: #remote_ip

Without the request.remote_ip method, you’d have to look for specific headers that are used to carry this data in the HTTP request beyond the server where the actual client’s connection was terminated.

Rails’ request.remote_ip method is pretty smart: it looks for and parses the headers HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR and REMOTE_ADDR and parse the value which are commonly used for this purpose.

Example Rails Code

In RAILS_ROOT/app/controllers/show_my_ip_controller.rb:

class ShowMyIpController < ApplicationController

  def index
    @client_ip = request.remote_ip
  end

end

In RAILS_ROOT/app/views/show_my_ip/index.html.erb:

Your IP address is <%= @client_ip %>

Further Reading

The request.remote_ip method is documented in the Rails Framework rdocs.

Feedback and Article Ideas

Want to see a topic explored here? Send Me a Message.