stopping posts floods and cookies

[turkman]

i dont understand whats going on. This always worked before... everytime someone makes a post i set a cookie

 

setcookie("Postflood",$ip,time()+POST_FLOOD);

 

post_flood is declared in globals as 30 - i.e 30 seconds between posts.

 

then when you go to make another post it does an isset($_COOKIE['postflood'])

 

even under 30 seconds it still doesnt see the cookie as having been set.... im not sure why this doesnt work?

[PFMaBiSmAd]

Cookies are in the hands of the visitor (or bot script) that is posting on your site. You cannot rely on the existence or absence of a cookie or the value in a cookie for the purpose you are attempting because a cookie can be deleted or altered and most simple bot scripts don't even accept cookies so isset($_COOKIE['postflood']) won't ever be true.

 

What method are you currently using to authenticate, identify, and determine if a visitor can post on your site?

[turkman]

nothing its an anonymous posting site.... i was just trying to stop spam... its not online yet, having a problem with the hosting now

[PFMaBiSmAd]

You could use two cookies, one would be set with a unique id value (and store the unique value in a database table so that you can check if the visitor didn't just put some random value into a cookie) and the second one would be set to determine when the last post was. You would test to make sure the unique value cookie was provided to make sure that cookies were being accepted and sent back to the server and that the unique value was one that you assigned and that the last post cookie was not set.

 

You should also regenerate and reset the unique id cookie upon each post so that they cannot get one valid unique id cookie and keep posting by deleting the 'postflood' cookie.

 

If they don't accept cookies, they delete both of them, or they did not get a unique id value from you, you won't allow them to post.

[turkman]

would it be possible to use sessions store their last post time and have it time out .. i.e give it a time to live type of thing?

[ChemicalBliss]

Yes you could use sessions, but then all i have to do is clear my cache and post again 2 seconds later.

 

I would reccommend using a login system that put the timer into that users details table. That way the only way to bypass is to make a new account, with a new email - which most people really wont bother with).

 

-cb-

[PFMaBiSmAd]

Using just a session with the time of the last post stored in it can still be easily bypassed (see ChemicalBliss's post.)

 

You would need to persistently store (database table) the session id and the visitor's IP address so that you can make sure that they are keeping the same session that they started with and are not simply dropping the session id and getting a new session each time.

[ChemicalBliss]

Just a note to bear in mind, Think of every possible user scenario -

Internet Cafe: Same Ip Address, Maybe even same session, but different users.

 

A login sysetm really is the only way to go IMHO.

 

-cb-