Interesting problem. You could implement image tickets, i.e. for every user that wants to submit a form you generate a random sequence of characters as an obscured image. To enable the user to submit the form they have to visually read and enter the code displayed in the image. A simpler but less sound option would be to write a session and persistent cookie to the user after their initial submission.
Someone else on the list may have dealt with a similar problem and have a better solution :)

hth
Chris

-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 13 April 2004 11:23
To: Struts Users Mailing List
Subject: [slightly OT] defensive strategy

Sorry for posting this OT question but I've got an issue that people on this list are very likely to have tackled:

I am developing a traditional online survey app, the kind of thing that a lot of people must have done. I am wondering how to protect it from script-kiddies who might want to see if they can bombard it with fake votes. It's basically public and anyone can take part in the surveys it will run.

I put a switch to check for a flag in the session so that people don't vote more than once from the websites where the surveys will be deployed. But I am worried that kids writing scripts will not be stopped by session flags.

Is it worth writing an algorithm to store the IP addresses used for the last hour? Or can they spoof IP addresses? If it is useful noting the IP addresses, how best should I store them? In a hashtable in application scope? In the database? In a session EJB?

Thanks!

--
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian
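An added example, not code from either poster, of the "hashtable in application scope" approach Adam asks about: a one-hour window of IP addresses that have already voted, written in Java 1.4 syntax to match the stack in his signature. The class and method names are hypothetical, and the clock is passed in as a parameter so the demo runs on constructed timestamps rather than real time.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/**
 * Added example, not code from the thread: an in-memory registry of IP
 * addresses that voted within the last hour ("a hashtable in application
 * scope"). Java 1.4 syntax to match the poster's stack; names are hypothetical.
 */
public class RecentVoterRegistry {
    private static final long ONE_HOUR_MS = 60L * 60L * 1000L;

    // IP address -> time of its last accepted vote (ms since epoch)
    private final Map lastVote = new HashMap();
    private final long windowMs;

    public RecentVoterRegistry(long windowMs) { this.windowMs = windowMs; }

    /**
     * Records the vote and returns true if this address has not voted within
     * the window, false (reject) otherwise. Synchronized because an
     * application-scope object is shared by every request thread.
     */
    public synchronized boolean tryRegisterVote(String ipAddress, long nowMs) {
        pruneExpired(nowMs);
        Long last = (Long) lastVote.get(ipAddress);
        if (last != null && nowMs - last.longValue() < windowMs) {
            return false; // seen too recently: treat as a repeat vote
        }
        lastVote.put(ipAddress, new Long(nowMs));
        return true;
    }

    /** Drop entries older than the window so the map cannot grow unbounded. */
    private void pruneExpired(long nowMs) {
        for (Iterator it = lastVote.values().iterator(); it.hasNext();) {
            if (nowMs - ((Long) it.next()).longValue() >= windowMs) {
                it.remove();
            }
        }
    }

    public static void main(String[] args) {
        RecentVoterRegistry reg = new RecentVoterRegistry(ONE_HOUR_MS);
        long t0 = 0L; // constructed clock, so the demo does not depend on real time
        System.out.println(reg.tryRegisterVote("192.0.2.10", t0));
        System.out.println(reg.tryRegisterVote("192.0.2.10", t0 + 5 * 60000L));
        System.out.println(reg.tryRegisterVote("192.0.2.10", t0 + ONE_HOUR_MS));
    }
}
```

Store one instance in the ServletContext and call tryRegisterVote from the Action with request.getRemoteAddr() before counting a vote. Since a single address can front an entire NAT or proxy population, treat this as a supplement to the session flag and cookie approach, not a replacement for it.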