What type of gaming do you want to protect yourself against? Someone creating a couple of bots and bombing you with thousands (millions) of requests? Or someone with no better things to do and try to make 10-20 votes?

Yes, I know: both - but which one is your main concern in here?

Using CAPTCHA together with email based voting (send a link to the email to validate the vote) might work well against bots. But a human can more or less easily exploit the email system (as I comment in one answer and post here again)

I own a custom domain and I can have any email I want within it.

Another example: if your email is myuser*@gmail.com*, you could use "myuser+1@gmail.com" myuser+2@gmail.com, etc (the plus sign and the text after it are ignored and it is delivered to your account). You can also include dots in your username (my.user@gmail.com). (This only works on gmail addresses!)

To protect against humans, I don't know ever-cookie but it might be a good choice. Using OAuth integrated with twitter, FB and other networks might also work well.

Also, remember: requiring emails for someone to vote will scare many people off! You will get many less votes!

Another option is to limit the number of votes your system accepts from each ip per minute (or hour or anything else). To protect against distributed attacks, limit the total number of votes your system accepts within a timeframe.

One step towards a user auth system but not all of the complications:

Get the user to enter their email address and confirm their vote, you would not eradicate gaming but you would make it harder for gamers to register another email address and then vote etc.

Might be worth the extra step.

Let us know what you end up going for.

If you don't want force users to log, consider this evercookie, but force java script to enable logging!

This evercookie is trivial to block because it is java script based. The attacker would not likely use browser, with curl he could generate tousends of requests. Hovewer such tools have usually poor javascript support.

Mail is even easier to cheat. When you run your own server, you can accept all email addresses, so you will have practically unlimited pool of addresses to use.

Although I probably wouldn't do this myself, but look at these cookies, they are pretty hard to get rid of:

http://samy.pl/evercookie/

A different way that I had to approach this problem and fight voting fraud, was to require an email address, then a person could still vote, but the votes wouldn't count until they clicked on a link in the email. This was easier than full on registration, but was still very effective in eliminating most of the fraudulent votes.

If you want to go with cookies after all, use an evercookie.

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Multi-browser cheating won't be affected, of course.

The best thing would be to disallow anonymous voting. If the user is forced to log in you can save the userid with each vote and make sure that he/she only votes once.

The cookie approach is very fragile since cookies can be deleted easily. The IP address approach has the shortcoming you yourself describe.