
Currently I am working on a project in which we are tracking and limiting fake POST requests, so we are tracking them using IP and session. But we are facing three major problems with that: (1) all the people behind the same proxy server will have the same IP; (2) if a person disables cookies, then the session won't work; (3) if someone uses a script for the POST requests then every time he'll have a different session id, so he can make any number of requests using IP spoofing.

I just wanted to know whether there is any other method to implement this, or whether it can be done with some modifications to my current approach.

I am using Rails for this and I am implementing all of it as a gem.

whishky
  • I think we could give a better answer if we knew what that endpoint does and how the fake requests hurt you. Otherwise, consider the recaptcha gem, Rails's authenticity_token or the rack_attack gem. – Leventix Feb 26 '16 at 13:09
  • Actually it's a form; after filling it in, we show them some hidden information related to that item, so people are just filling in the form for many items and getting that hidden info to use for themselves, and some of them are just making continuous POST requests on the same item, which is big trouble for our servers. – whishky Feb 26 '16 at 13:13

1 Answer

What do you think about Google's reCAPTCHA? Also, I hope that you didn't disable the authenticity token.

Zh Kostev
  • Captcha is not a problem, as we are showing a captcha to those who are violating the limits, and the authenticity token is also not disabled, but as I told you earlier my session approach is failing in the case when someone is using a script for making POST requests. – whishky Feb 26 '16 at 13:09
  • @whishky you should use the session to authorize users, instead of banning them, e.g. if the session is blank then make the user solve a captcha and set a captcha_solved=true in the session. This won't work if you actually want to support legitimate users who have cookies disabled; otherwise just put up a message "Sorry, you need to enable cookies to use this site". – Leventix Feb 26 '16 at 13:18
  • That is the whole point here: at a company level we can't show a message that you are not authorized to make this request until you enable your cookies, and second, there are a lot of companies which work fine after disabling cookies, so I just wanted to know how they do it. – whishky Feb 26 '16 at 13:23
  • @whishky If they use something like Capybara (with a real browser) you will not be able to check whether this request was fake or not. You will treat them as real ones. – Zh Kostev Feb 26 '16 at 13:26
  • @kostev so basically you want to say that there isn't any efficient method to apply a rate limit? – whishky Feb 26 '16 at 13:29
  • @whishky yes. Your case is a DDoS attack with the help of some scripts and/or different machines. You will have to either block some IP address ranges via nginx, for example, but this will affect normal users, or try Leventix's approach with the session. – Zh Kostev Feb 26 '16 at 14:17
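The approach sketched across this thread (a loose per-IP limit as a backstop, plus a stricter per-session limit that only trusts sessions which have solved a captcha, so that a script dropping or rotating its cookie never gets a fresh counter) can be modelled in plain Ruby. The block below is an added example, not code from the question, the answer or any commenter, and not the rack_attack gem's API; the limits, the `captcha_solved` and `id` session keys, and the IP addresses are constructed for illustration, and Rails/Rack wiring is left out.

```ruby
# Added example (not from the question or any answer): a per-IP backstop
# combined with a per-session limit that only counts captcha-verified sessions.
# All limits, keys and addresses below are constructed for illustration.

class PostLimiter
  Decision = Struct.new(:verdict, :reason)

  def initialize(ip_limit: 30, session_limit: 5, window: 60)
    @ip_limit = ip_limit
    @session_limit = session_limit
    @window = window                       # seconds
    @hits = Hash.new { |h, k| h[k] = [] }  # key => array of hit timestamps
  end

  # ip:      client address as the app sees it (shared by everyone behind a proxy)
  # session: Hash standing in for the session cookie contents; {} when the
  #          request carries no usable cookie (cookies disabled, or a script)
  # now:     injected clock so the behaviour can be tested deterministically
  def check(ip:, session:, now: Time.now)
    # 1. Coarse per-IP backstop. Kept loose because many legitimate users can
    #    share one proxy IP, but it still caps a single source hammering the form.
    return Decision.new(:throttled, :ip) unless admit("ip:#{ip}", now, @ip_limit)

    # 2. A session that has not solved the captcha is not trusted as a rate-limit
    #    key. A script that sends no cookie, or a new one each time, is therefore
    #    challenged on every request instead of starting with an empty counter.
    return Decision.new(:challenge, :no_session) unless session['captcha_solved']

    # 3. Stricter per-session limit for sessions that did solve the captcha.
    key = "sid:#{session['id']}"
    return Decision.new(:throttled, :session) unless admit(key, now, @session_limit)

    Decision.new(:ok, nil)
  end

  private

  # Sliding window: forget hits older than @window, then admit the new hit only
  # if fewer than `limit` remain. Returns true when the hit was admitted.
  def admit(key, now, limit)
    stamps = @hits[key]
    stamps.reject! { |t| now - t >= @window }
    return false if stamps.size >= limit
    stamps << now
    true
  end
end

# Walks the three situations from the thread with a constructed clock and
# returns the sequence of verdicts.
def demo
  limiter = PostLimiter.new(ip_limit: 4, session_limit: 2, window: 60)
  t0 = Time.at(0)
  verdicts = []

  # A script posting with no cookie: never counted per-session, always challenged.
  verdicts << limiter.check(ip: '203.0.113.5', session: {}, now: t0).verdict

  # A user who solved the captcha once: two posts admitted, the third throttled
  # on the session counter.
  human = { 'id' => 'abc', 'captcha_solved' => true }
  3.times { |i| verdicts << limiter.check(ip: '203.0.113.5', session: human, now: t0 + i).verdict }

  # A further hit from the same IP trips the IP backstop regardless of session.
  verdicts << limiter.check(ip: '203.0.113.5', session: human, now: t0 + 10).verdict

  verdicts  # => [:challenge, :ok, :ok, :throttled, :throttled]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

This only holds if the session cannot be forged: the `captcha_solved` flag must be set server-side after verifying the captcha response, and the cookie must be signed or encrypted (as Rails's cookie store does) so a client cannot simply write the flag into its own cookie. It also does nothing for the proxy problem beyond keeping the IP limit loose, which is the trade-off Zh Kostev points out.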