I want to build an anonymous rating widget. Unauthenticated users can click "thumbs up" or "thumbs down" to express how they feel about something. I want people to be able to rate only one time, but I don't want to require login.
And so I want to be able to uniquely identify a visitor for the purpose of disallow double ratings. I am not interested in tracking them.
What is the best approach? Is using the IP good enough? Is a cookie or localStorage good enough? Should I use a combination of multiple techniques?
Since this is just a rating widget, I don't care much about security. If a user is hell-bent on circumventing my double rating detection, then I don't want to try too hard to stop him.
As you suggest, there is no accurate way to do it without making users to log in (and even so, the system could be cheated too). The more obvious options are:
None of this is valid if you need an accurate system, since, as I said, these can be very easily defeated. As you said that security is not an issue, then prefectly accurate results should not be an issue either. This is a major issue, since only one savvy person knowing how to defeat your system is enough to mess up your whole voting system. A single script and suddenly this person can greatly raise the number of votes of specific elements. So again, it comes to the point of how important this is for you.
There are other sorts of "behaviour" techniques, and metadata sent by clients, that are used to track users when they want to be anonymous, but I doubt these will work in your case or will require you too much effort and low level techniques.
So probably your best bet is to apply both IPs and persistent cookies, knowing that your system is not perfect. Note that IP tracking will require you to store data in some sort of local repository.