I’m building a portfolio website in Laravel where visitors can like projects, but there is no authentication system. How can I track unique likes per project using cookies, device fingerprints, or IP hashing? I need a secure method to avoid multiple likes by the same visitor while keeping the system anonymous.
You should take into account no matter what you invent it can be tricked/abused/cheated by any user who is capable to open a browser in incognito mode or just clean cookies. So, don't rely too much on your likes uniqueness and truthfulness.
I do not think user will just register to my portfolio website just to like my projects etc stuffs. That's the reason I have avoided the authentication to like it.
Looking for something which can be implemented in this scenario.
Simply set/check a cookie when a user gives a like.
Don't rely on IP addresses, they are not unique among users (several different users can share one IP address). Maybe set up a reasonable rate limiter based on IP address to prevent stupid bots abusing your likes.
Even after this people can delete the cookies and like it again.. Also they can like it from another device like mobile, tablet etc. where cookies is not set.
Yes, you're right. You can't have authentication without authentication. Either implement user accounts or your likes are easy to be cheated.
you need to ask something unique from the user to be able to have unique functionality like unique likes.
even when they don't authenticate, you can still ask for an email address or phone number to send a verification link. only after clicking that link you can do your checks for uniqueness consider their like to be valid.
If this I have to do, then I have chooses the auth.
I would not recommend auth here, it has way more friction. You ask for user to provide email and password, and also verify his email, and than go back and like your post.
By that point a lot of users have given up if having an account in your portfolio serves no other purpose. Compare that to only sending an email or sms and verifying there.
accept their like, but don't confirm it until they click on a link in an email.
They don't need to register, but they do need to supply email address.
Then store email address in your likes table so that they cannot vote again on that project
This is kind of a problem because some bots will bombarded your app with likes for no reason till you got a DDOS. You can use a rate limit but is not a solution, neither check for ip or some agent.
Please or to participate in this conversation.