Issue with Rating items and comments

Hello,

I have an issue on my site with rating items and comments.

• If an user gives a "+" to a comment, the count goes to "1 point". But if ANOTHER user tries to give a "+" too, on the same comment, a pop-up opens saying "Duplicate vote". None of the comments on my site has rised up to "2 points"
• When a new news, blog post etc. is posted, an user can rate this item. But once it is rated by 1 user, no other users are able to rate it too. This is almost always true but... for unknown reasons, VERY RARELY two users have been able to rate the same item.

Do any of you have an idea of why this is happening?

Sounds like it is seeing the same person trying to rate/vote again.  Are you seeing any other issues where it is important that Dolphin knows who is doing the looking?  I am thinking a sessions issue.

Everything looks fine besides this issue :/

Dolphin seems to count right the number of views for example, and I haven't heard about any log-in issue etc.

It maybe your site is setup behind the proxy, in this case every user has the same ip.

Please check if user's IPs are different or the same in Admin panel > Tools > IP Blacklist > List

If your site is behind the proxy try the following modification in in/classes/BxDolCmts.php, change:

    function _getAuthorIp ()
    {
        return $_SERVER['REMOTE_ADDR'];
    }

to:

    function _getAuthorIp ()
    {
        return getVisitorIP();
    }

please let me know about the results

Thank you, I have to test this and I will get back to you.

AlexT,

You were right for the first part. Our website in setup behind a proxy and in Admin panel > Tools > IP Blacklist > List all users have the same ip (127.0.0.1).

I tested your modification extensively. Rating is still not working for all users connected on our local network. But it's now working if I use my phone or a private computer to vote. Do you know what we could do so that all users connected on our local network could also rate/vote?

Please could you clarify - is comments voting isn't working ? or some other voting ?

Also if reverse proxy is setup properly, then it should pass HTTP_X_FORWARDED_FOR header with real IP, which getVisitorIP function should pick up.

No news/blog/... or comment voting/rating is working.

I installed Deanos Tools and I saw that users all have the same public IP (starting by 193.xx) which explains why the fix is not working. Is it possible to bypass this check and allow users to vote even if they have the same IP?

Dolphin checks for X-FORWARDED-FOR HTTP header for real client' IP, but it maybe your proxy software passes some other header, it is better to find out this header, so we can improve Dolphin to check for more headers to detect real IP, it can help other with similar problem.

I think our security settings won't Dolphin to access to real user IP.

From what I understand, we're using a reverse proxy and all communications are from a public IP on our local network to another public IP on the servers dolphin is hosted (= internally, we use the external path). Therefore Dolphin gets all user IP as "193.240.xxx.xx".

Yes, but usually reverse proxy still passes real client's IP as additional HTTP header, in some situations this header may be different. If you can provide reverse proxy software/service at least, then we can try to find it out in the documentation.

Hello Alex. We are using nginx (V.1.6.2) for reverse proxy

Please try to modify getVisitorIP function in inc/utils.inc.php file as the following (I've added checking for X-Real-IP HTTP header):

function getVisitorIP($isProxyCheck = true)
{
    if (!$isProxyCheck)
        return $_SERVER['REMOTE_ADDR'];

    $ip = $_SERVER['REMOTE_ADDR'];
    if ((isset($_SERVER['HTTP_X_FORWARDED_FOR'])) && !empty( $_SERVER['HTTP_X_FORWARDED_FOR']))
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    elseif ((isset($_SERVER['HTTP_X_REAL_IP'])) && !empty( $_SERVER['HTTP_X_REAL_IP']))
        $ip = $_SERVER['HTTP_X_REAL_IP'];
    elseif ((isset( $_SERVER['HTTP_CLIENT_IP'])) && !empty($_SERVER['HTTP_CLIENT_IP']))
        $ip = $_SERVER['HTTP_CLIENT_IP'];

    if (!preg_match("/^\d+\.\d+\.\d+\.\d+$/", $ip))
        $ip = $_SERVER['REMOTE_ADDR'];

    return $ip;
}

This doesn't change anything, I'm still getting the "Duplicate vote" message :/

Is it possible to view your nginx reverse proxy configuration ? also is there any changes in IP logging after last changes ?

Hello I'm working with SteriaEolis on his matter as a network architect. 

The problem there is that all Steria people internet accesses are hidden behing a single IP adress so we can not rely on any ip adress to distinguish people who are voting.

Can't we use a cookie (maybe an existing one for authentication for example) that is uniq to segregate people vote count ?

that will be network independant and solve all those issues.

thanks for your answer.

Does original IP send in additional HTTP headers ? maybe some custom headers are used for this ?  

For the record nginx is already setup to forward 'HTTP_X_FORWARDED_FOR' and it's working well (we've correct ip adresses in logs).

Then it should work for you after implementing the following two modifications:

http://www.boonex.com/forums/topic/Issue-with-Rating-items-and-comments.htm#257639

http://www.boonex.com/forums/topic/Issue-with-Rating-items-and-comments.htm#257132

For this to work we've to configure nginx to forward those headers too, we'll try this tomorrow, and I'm quite confident that it'll work.

thanks for your quick answer Alex ;) 

We've done some testing but with no luck. All nginx configuration is working fine but the ip address stored in $remote_addr is the public address used to hide all company people.

We had a look at all dynamic variables sent to the web server and none of them contains a private ip adress.

Alex : any idea to suggest ? 

Could you provide phpinfo() output ? 

Yes I can provide you this but there are sensible informations in it so I do not want to publish it on a public forum. I've tried to send you a PM but I'm not allowed to send it to you.

Can you send me an email to david.amiel@soprasteria.com and I'll reply to you with phpinfo output ?

@SteriaInfra

I've sent you email

In some cases getVisitorIP function ignores checking for proxy and use real IP, for your situation with reverse proxy this is not good, so I recommend to comment out the following lines (in red) in inc/util.inc.php file to always perform proxy checking:

function getVisitorIP($isProxyCheck = true)
{
    //if (!$isProxyCheck)
    // return $_SERVER['REMOTE_ADDR'];

    $ip = $_SERVER['REMOTE_ADDR'];

I hope it'll help.

Alex,

I've replaced the function in this reply http://www.boonex.com/forums/topic/Issue-with-Rating-items-and-comments.htm#257639 by the one in your last reply (with an additional } )

But there's no visible difference on the website, we still get a "Duplicate vote" pop-up.

Very interesting - it should definitely work for you after all these modifications (they must be applied in this order, since 3rd modification make correction in 1st - especially for your case):

1. http://www.boonex.com/forums/topic/Issue-with-Rating-items-and-comments.htm#257639

2. http://www.boonex.com/forums/topic/Issue-with-Rating-items-and-comments.htm#257132

3. http://www.boonex.com/forums/topic/Issue-with-Rating-items-and-comments.htm#260120

Please could you clarity where exactly you've got "duplicate vote" error ? could you provide screenshot please ?

Also is real user IP now showing in Admin panel > Tools > IP Blacklist > List (only new logins will be affected, old data will stay as it is) ?

Back with some news. What you said in your last post did not work for us unfortunately.

But we think the issue on our side is that all internal connections are going through the proxy external link. So the IP adress is the same for all internal users. We are going to try to fix this by a change in the infrastructure configuration from external link to internal link (for internal users). We'll get back on this post later.

Dolphin developpers, it would be very interesting for a future version to have the choice on the administration panel between an IP adress check or a user login check for double vote verification.