EVE General Discussion

 
New Eden Faces

Nova Kierra
State Protectorate
Caldari State
#121 - 2013-06-21 07:51:20 UTC  |  Edited by: Nova Kierra
Sorry, I have been busy last couple of days with real life matter, but here is an update on the status of New Eden Faces:

I have found a way to prevent voting for the same character multiple times via a global session object. This session object will track character IDs of winners and losers, and if someone were to try and vote via a console by sending an XHR request they will get a nice Error 500: Already voted message. Since this is a global session object, opening New Eden Faces in an incognito window, another browser, or another computer will not help the potential attacker; they will still get Error 500: Already voted. The session object is reset after all characters have been voted on, giving a fair chance for everyone to be seen.

Skip button. Initially there was no Skip button on newedenfaces.com. I added it as a feature request in the first few days that the site was up. Since then I have noticed that people would skip votes like there's no tomorrow. In the end it just turned into abuse. You could have simply held the 's' button and it would skip hundreds of characters in a matter of seconds. So with that, there will no longer be a skip functionality.

"But there are so many awful-looking characters, I don't want to be forced to vote if I don't like either of the two avatars," you say. To partially remedy this problem I will create a Hall of Shame page and every day the character with the most losses will enter the hall of shame. Of course this won't go into effect right away. I'll give it a few days for wins/losses to be adjusted first.

@Skill Training Online: If anything, I should be thankful to those a**holes that were abusing the site. I know more now about general web security practices than I did a few days ago.

@S Byerley: a) Yes they (or perhaps one person) were abusing it. I was looking at the console that outputs all requests and log messages in real time right before I decided to shut it down. What was happening is characters' wins/losses counts were being updated without actually clicking on the image. It was quite easy: open a REST API console, select a PUT request on www.newedenfaces.com/api/characters/:id and pass in the character IDs of a winner and a loser. You could send it as much as your heart desires.
b) What do you mean by [the website] being stateless? The web is stateless.

@JAG Fox: Thank you, it won't be long before it's up and running again.

@Khira Kitamatsu: Forcing users to register won't solve the problem unfortunately. This is a problem of authorization rather than authentication. There were no restrictions on the API that updates the vote count for winning and losing characters. Plus I think it's nice that a website doesn't force users to register or "Sign in with Facebook". Anyone can jump in and start voting right away.
Regarding your second question, I have already done that using a session object. Alternatively I could use an IP address to see who has voted on which characters. But with the session object I don't have to check who voted on what, I just check: has this character been voted on? It doesn't matter who voted; if this character has already been voted on, then no one can vote for the same character twice.

@Danica Kaliinen: That level of cryptography is a little beyond my understanding but thanks for the suggestion. I think this is a step in the right direction. Although I found a way to prevent voting for the same character more than once, I still don't know how to prevent voting for any characters other than the two characters currently present on the screen. In other words the current API design still allows voting for an arbitrary character without actually seeing it on the page (as long as no one has voted on that character yet). I don't see much potential abuse here, but nonetheless it's possible. The best case scenario for a potential attacker is that he/she may vote one time for someone from a console, but will still have to wait until all 1500+ people have been voted on before doing this again.

@Eurydia Vespasian: I know, there is really nothing to gain from jacking up the votes on an avatar contest site. It's not even a major contest website, let alone popular among EVE players. But on the bright side I am glad it happened sooner rather than later.

@Ariel Dawn: You must be referring to that skank (Mr.Epeen's words) that had 400 votes at the end, which was 4 times more votes than the next highest rated avatar.

New Eden Faces -> www.newedenfaces.com

Indahmawar Fazmarai
#122 - 2013-06-21 13:45:12 UTC
Nova Kierra wrote:
Sorry, I have been busy last couple of days with real life matter, but here is an update on the status of New Eden Faces:

I have found a way to prevent voting for the same character multiple times via a global session object. This session object will track character IDs of winners and losers, and if someone were to try and vote via a console by sending an XHR request they will get a nice Error 500: Already voted message. Since this is a global session object, opening New Eden Faces in an incognito window, another browser, or another computer will not help the potential attacker; they will still get Error 500: Already voted. The session object is reset after all characters have been voted on, giving a fair chance for everyone to be seen.

Skip button. Initially there was no Skip button on newedenfaces.com. I added it as a feature request in the first few days that the site was up. Since then I have noticed that people would skip votes like there's no tomorrow. In the end it just turned into abuse. You could have simply held the 's' button and it would skip hundreds of characters in a matter of seconds. So with that, there will no longer be a skip functionality.

"But there are so many awful-looking characters, I don't want to be forced to vote if I don't like either of the two avatars," you say. To partially remedy this problem I will create a Hall of Shame page and every day the character with the most losses will enter the hall of shame. Of course this won't go into effect right away. I'll give it a few days for wins/losses to be adjusted first.

@Skill Training Online: If anything, I should be thankful to those a**holes that were abusing the site. I know more now about general web security practices than I did a few days ago.

@S Byerley: a) Yes they (or perhaps one person) were abusing it. I was looking at the console that outputs all requests and log messages in real time right before I decided to shut it down. What was happening is characters' wins/losses counts were being updated without actually clicking on the image. It was quite easy: open a REST API console, select a PUT request on www.newedenfaces.com/api/characters/:id and pass in the character IDs of a winner and a loser. You could send it as much as your heart desires.
b) What do you mean by [the website] being stateless? The web is stateless.

@JAG Fox: Thank you, it won't be long before it's up and running again.

@Khira Kitamatsu: Forcing users to register won't solve the problem unfortunately. This is a problem of authorization rather than authentication. There were no restrictions on the API that updates the vote count for winning and losing characters. Plus I think it's nice that a website doesn't force users to register or "Sign in with Facebook". Anyone can jump in and start voting right away.
Regarding your second question, I have already done that using a session object. Alternatively I could use an IP address to see who has voted on which characters. But with the session object I don't have to check who voted on what, I just check: has this character been voted on? It doesn't matter who voted; if this character has already been voted on, then no one can vote for the same character twice.

@Danica Kaliinen: That level of cryptography is a little beyond my understanding but thanks for the suggestion. I think this is a step in the right direction. Although I found a way to prevent voting for the same character more than once, I still don't know how to prevent voting for any characters other than the two characters currently present on the screen. In other words the current API design still allows voting for an arbitrary character without actually seeing it on the page (as long as no one has voted on that character yet). I don't see much potential abuse here, but nonetheless it's possible. The best case scenario for a potential attacker is that he/she may vote one time for someone from a console, but will still have to wait until all 1500+ people have been voted on before doing this again.

@Eurydia Vespasian: I know, there is really nothing to gain from jacking up the votes on an avatar contest site. It's not even a major contest website, let alone popular among EVE players. But on the bright side I am glad it happened sooner rather than later.

@Ariel Dawn: You must be referring to that skank (Mr.Epeen's words) that had 400 votes at the end, which was 4 times more votes than the next highest rated avatar.


Good to know that it is coming back, it's a very nice minigame.
Anslo
Scope Works
#123 - 2013-06-21 16:16:15 UTC
Please vote for your favorite Gallente gud/shite carebear psycho poster

[center]-_For the Proveldtariat_/-[/center]

Miilla
Hulkageddon Orphanage
#124 - 2013-06-21 16:17:02 UTC  |  Edited by: Miilla
Title is playing with my dyslexia.
Anslo
Scope Works
#125 - 2013-06-21 16:22:20 UTC
Also, the vote seems to get stuck when I click a face. I'll click, but it'll..not load a new set? I'll have to completely close then re-open the window to get a new set, and then it still won't load a new one post-vote.

[center]-_For the Proveldtariat_/-[/center]

Miilla
Hulkageddon Orphanage
#126 - 2013-06-21 16:22:43 UTC
Anslo wrote:
Also, the vote seems to get stuck when I click a face. I'll click, but it'll..not load a new set?


Try punching it
Anslo
Scope Works
#127 - 2013-06-21 16:31:17 UTC  |  Edited by: Anslo
Miilla wrote:
Anslo wrote:
Also, the vote seems to get stuck when I click a face. I'll click, but it'll..not load a new set?


Try punching it


Didn't work. Tried clearing cache and other stuff, but no joy. This thing not good with Chrome?

EDIT: Now offline.

[center]-_For the Proveldtariat_/-[/center]

Nova Kierra
State Protectorate
Caldari State
#128 - 2013-06-21 16:34:33 UTC
Anslo wrote:
Miilla wrote:
Anslo wrote:
Also, the vote seems to get stuck when I click a face. I'll click, but it'll..not load a new set?


Try punching it


Didn't work. Tried clearing cache and other stuff, but no joy. This thing not good with Chrome?


My apologies, I forgot to shut down the website. It wasn't meant to be up and running just yet. I am mostly done with working out the bugs, so hopefully it will be up and running very soon!

Thanks for your patience!

Nova

New Eden Faces -> www.newedenfaces.com

Anslo
Scope Works
#129 - 2013-06-21 16:36:15 UTC
Noooz put it back up, how else will I pass my Friday DDDD:

[center]-_For the Proveldtariat_/-[/center]

Khira Kitamatsu
#130 - 2013-06-21 16:56:46 UTC
Sounds good... I hope you get it up and running smoothly.

Ponies!  We need more ponies!

Nova Kierra
State Protectorate
Caldari State
#131 - 2013-06-21 20:38:58 UTC
New Eden Faces is back online!

Disclaimer: The next few days will be the beta-testing stage. Do not be upset if I reset stats now and then as I find new bugs.

In the meantime, please do try and break the website so I could fix the problems sooner than later. If you find something suspicious, like wins or losses count is not being updated properly, let me know.

New Eden Faces -> www.newedenfaces.com

Anslo
Scope Works
#132 - 2013-06-21 21:00:58 UTC
I think I broke it again. The thing is stuck on Brit Green and Deni Aylet no matter who I click.

[center]-_For the Proveldtariat_/-[/center]

Mr Epeen
It's All About Me
#133 - 2013-06-21 21:19:41 UTC
Anslo wrote:
I think I broke it again. The thing is stuck on Brit Green and Deni Aylet no matter who I click.


Me too.

It was humming along pretty well up to that point.

Mr Epeen
Anslo
Scope Works
#134 - 2013-06-21 21:50:15 UTC
...so...I already went through all of them...and I want to do more...I have a problem don't I?

[center]-_For the Proveldtariat_/-[/center]

Nova Kierra
State Protectorate
Caldari State
#135 - 2013-06-21 22:02:25 UTC
Anslo wrote:
I think I broke it again. The thing is stuck on Brit Green and Deni Aylet no matter who I click.


This will happen if one of the characters has already been voted on.
Quick fix is to refresh the page.
I have tested this issue specifically and am very surprised to hear you are experiencing it. Did anyone have the same problem?

New Eden Faces -> www.newedenfaces.com

S Byerley
The Manhattan Engineer District
#136 - 2013-06-22 03:05:38 UTC  |  Edited by: S Byerley
Nova Kierra wrote:
@S Byerley: a) Yes they (or perhaps one person) were abusing it. I was looking at the console that outputs all requests and log messages in real time right before I decided to shut it down. What was happening is characters' wins/losses counts were being updated without actually clicking on the image. It was quite easy, open REST API console, select a PUT request on www.newedenfaces.com/api/characters/:id and pass in character IDs of winner and a loser. You could send it as much as your heart desires.
b) What do you mean by [the website] being stateless? The web is stateless.


Ah, that sucks. I hope you don't view it as any sort of attack on your work; I think Eve just has a lot of IT inclined people who like to poke at holes.

HTTP is stateless, but these days there's almost always a makeshift layer on top of it; your new global session object is an example from the sounds of it, but it does have the drawbacks you already mentioned.

I'm not much of a web dev, but I think you do want to switch over to a nonce system at some point. It's just a random string (associated with the vote options) that the server generates and sends to the client with the other junk. The client sends it back as part of their PUT, and the server checks if it's valid. It doesn't give you end-to-end protection, but that would be overkill anyway. It's a pretty common strategy so there ought to be libraries out there for it; they might be called some flavor of cookie depending on where you look.
miiral
#137 - 2013-06-22 11:16:49 UTC
Nova Kierra wrote:
Anslo wrote:
I think I broke it again. The thing is stuck on Brit Green and Deni Aylet no matter who I click.


This will happen if one of the characters has already been voted on.
Quick fix is to refresh the page.
I have tested this issue specifically and am very surprised to hear you are experiencing it. Did anyone have the same problem?


I can confirm this too, refresh/reload does not help.
In my case, one portrait appeared twice in a row and then it was stuck on that pair.
Nova Kierra
State Protectorate
Caldari State
#138 - 2013-06-22 13:47:57 UTC  |  Edited by: Nova Kierra
miiral wrote:
Nova Kierra wrote:
Anslo wrote:
I think I broke it again. The thing is stuck on Brit Green and Deni Aylet no matter who I click.


This will happen if one of the characters has already been voted on.
Quick fix is to refresh the page.
I have tested this issue specifically and am very surprised to hear you are experiencing it. Did anyone have the same problem?


I can confirm this too, refresh/reload does not help.
In my case, one portrait appeared twice in a row and then it was stuck on that pair.


There was a race condition in the code which I think was causing the problem that you mention. I updated the website. Let me know if it happens again.

New Eden Faces -> www.newedenfaces.com

JAG Fox
GunStars
#139 - 2013-06-22 19:32:48 UTC
good stuff nova! nice to have this going again.

one thing i'm not sure about is allowing you to see the wins/losses on mouse-over? this only serves to bias the selection process i think. i know for myself, if i can't make a quick decision, i will give it to the one with the fewest wins..

 Fox Pin-up

Kisses!Foxie.

Ariel Dawn
State War Academy
Caldari State
#140 - 2013-06-22 21:49:02 UTC  |  Edited by: Ariel Dawn
Really cool that it's working again, neat to see what people can do with avatars, really like the following ones that I hadn't seen before:

http://www.newedenfaces.com/characters/90433547
http://www.newedenfaces.com/characters/90209574
http://www.newedenfaces.com/characters/91457977
http://www.newedenfaces.com/characters/92948746
http://www.newedenfaces.com/characters/1499924907 <- First time I've seen good use of the monocle!

Large # of the male chars are the NPC faction leaders though, hah.

http://www.newedenfaces.com/characters/91491009 <- Best av I've seen in EVE to date!