Thanks Gregor! So this assumes that they are accessing that page 10 times or more in 60 seconds. Any issues you can foresee with false positives? I guess, as long as you make this page *necessary* as part of the checkout process (i.e. there's no other way to add stuff to the cart or lock inventory) then it would work out. The big concern too though, is if you have high volume traffic where a lot of people are on your server and potentially accessing that page at the same time - I think this could set off some false positives. You'd probably have to identify by IP. But if a person really wants to, they could just proxy in with anonymous IPs and say lock up one item per IP.

Not sure if there's an 'efficient' way to stop this kind of behavior. Obviously, some sort of tracking cookie/logon to uniquely ID people would be necessary. But that may go against business requirements (i.e. we don't want to force people to logon, etc.) Hmmm...

On Jan 6, 11:31 am, Gregor at HostGIS <[email protected]> wrote:
> VERY interesting idea you have there, JP!
>
> The rule would be similar to this, though this probably isn't 100%
> correct. If someone hits addtocart.php 10 times in 60 seconds, a level
> 10 is triggered.
>
> <rule id="1000000" level="10" frequency="10" timeframe="60">
>   <url>/addtocart.php</url>
>   <description>Shopping cart overload</description>
> </rule>
>
> --
> HostGIS, Open Source solutions for the global GIS community
> Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
> Network+ Server+ A+ Security+ Linux+
> PHP PostgreSQL MySQL DHTML/JavaScript/AJAX
>
> "No one cares if you can back up only if you can recover."
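To make the false-positive question above concrete, here is an added example (my own code, not part of this thread and not OSSEC's rule engine) that replays web access log lines through a sliding-window counter using the same numbers as Gregor's rule: 10 hits on /addtocart.php within 60 seconds. The `key_by_ip` switch is the point of the exercise: counted globally, a crowd of ordinary shoppers trips the rule; counted per source IP, only a single client bursting the page does. The three log sets (`BURST_LOG`, `CROWD_LOG`, `SLOW_LOG`) and the IP addresses in them are constructed for the demo, and the timestamp format assumes Apache/nginx combined log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60          # Gregor's timeframe="60"
THRESHOLD = 10               # Gregor's frequency="10"
WATCHED_PATH = "/addtocart.php"

# Combined-format access log; we only need source IP, timestamp, and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, datetime, path-without-query) or None for lines we can't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path


class FrequencyDetector:
    """Alert when a key requests WATCHED_PATH >= threshold times inside a sliding window.

    key_by_ip=True  -> one counter per source IP (JP's "identify by IP")
    key_by_ip=False -> one global counter for the whole site (prone to crowd false positives)
    """

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD, key_by_ip=True):
        self.window = window
        self.threshold = threshold
        self.key_by_ip = key_by_ip
        self.hits = defaultdict(deque)   # key -> timestamps of recent hits
        self.alerts = []                 # (key, timestamp) for every alert raised

    def feed(self, line):
        """Process one log line; return the alerting key, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts, path = parsed
        if path != WATCHED_PATH:
            return None
        key = ip if self.key_by_ip else "*"
        q = self.hits[key]
        q.append(ts)
        # Drop hits that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((key, ts))
            q.clear()   # reset so one burst produces one alert, not one per extra hit
            return key
        return None


def run_detector(lines, key_by_ip=True):
    """Replay log lines and return the list of keys that triggered an alert."""
    det = FrequencyDetector(key_by_ip=key_by_ip)
    for line in lines:
        det.feed(line)
    return [key for key, _ in det.alerts]


def make_line(ip, second, path=WATCHED_PATH):
    """Constructed combined-format log line at 11:00:00 + `second` on a fixed day."""
    return (f'{ip} - - [06/Jan/2009:11:{second // 60:02d}:{second % 60:02d} +0000] '
            f'"GET {path}?item=42 HTTP/1.1" 200 512')


# Constructed sample traffic (documentation-range addresses, not real clients):
BURST_LOG = [make_line("203.0.113.7", 2 * i) for i in range(12)]          # one client, 12 hits in 22 s
CROWD_LOG = [make_line(f"198.51.100.{i + 1}", 2 * i) for i in range(12)]  # 12 different clients, 1 hit each
SLOW_LOG = [make_line("203.0.113.9", 13 * i) for i in range(10)]          # one client, 10 hits over 117 s

if __name__ == "__main__":
    for name, log in (("burst", BURST_LOG), ("crowd", CROWD_LOG), ("slow", SLOW_LOG)):
        print(f"{name:6s} per-IP: {run_detector(log, True)}  global: {run_detector(log, False)}")
```

Keyed by IP, the burst alerts once and the crowd never does, which is the false positive JP is worried about when counting site-wide; the slow client never accumulates 10 hits inside any 60-second window. Per-IP keying does not, however, help with the other case JP raises, a client rotating through many proxy addresses and locking one item per IP, since each address stays under the threshold. In OSSEC terms, per-source counting is what `<same_source_ip />` adds to a `frequency`/`timeframe` rule, and the rule also needs an `<if_matched_sid>` pointing at the web access log rule so it has something to count.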
