I think you should be worried about users that refuse to reply with
the cookie; thus the session is pretty much useless in this case
(crawlers usually don't hold the cookie).
In this case you need to track the users by IP address.
I would solve this problem on the Apache server side with dos_evasive
and not in symfony, see here:
http://bobcares.com/blog/?p=79

AFAIK the users can't mess with session data, it's stored safely on
the server side and the data storage bucket
is identified by the hash of the session (check cookie named symfony).

    gabriel

On Jun 4, 11:47 pm, comb <sa...@gmx.net> wrote:
> Hi everybody! :-)
>
> I have two actions: search/executeIndex and search/executeSearch.
>
> And I have a Search-Query $q generated by the executeSearch that gives
> all search results.
>
> Normally you would simply give it to the Pager and be happy! :-)
> BUT I want to add a search-flood-protection.
>
> I try to find the best-practice now for this use-case:
>
> 1) A User sees a search-Form, fills it and submits it.
>
> 2) I check if the user is flooding, if so, he's redirected and sees a
> message like 'you have to wait some time' - otherwise he sees the
> results page.
>
> If I now add pagination to the results, I need to execute the search
> function on each page and that would result in a redirection for the
> user and a message that he has to wait some time if he switches the
> page too fast... That's NOT what I want!
>
> I want that the user can switch pages in THIS current search results
> without waiting. Only if he queries a NEW search from the form, I want
> to check the flooding-time.
> If I use the user's session, like setting a var "is_new_search", I will
> be afraid of someone who manually sets this var in his cookie to
> FALSE.
>
> Any ideas on how I could do that securely? I thought about fetching
> all search results and saving them in the user's session. Then if the
> search function finds those results in the session, the function
> simply paginates it. Otherwise a new query is generated and the flood
> time is checked. But that sounds very odd to me :-/
> Any experience with that?
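The point of the reply above is that the "is this a new search?" decision should never come from a client-editable flag: the session store lives on the server and the client only holds the session id, so the server can derive newness itself by comparing the submitted query with the one it recorded. Added example illustrating that (not code from the thread or from symfony); `$store` is assumed to be the framework's server-side session array such as `$_SESSION`, and `MIN_INTERVAL` is a constructed value. Cookie-less clients are out of scope here, matching the reply's advice to handle those at the web-server layer by IP.

```php
<?php
// Added example: flood-check only NEW searches, decided server-side.
// Assumption: $store is the server-side session array ($_SESSION); the client
// never sees or edits its contents, only the opaque session id in its cookie.

final class SearchFloodGuard
{
    private const MIN_INTERVAL = 10;   // seconds between NEW searches (constructed value)
    private const KEY          = 'search_flood';

    /** @var array<string,mixed> reference to the server-side session store */
    private array $store;

    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    /**
     * Returns 'paginate' when $q is the query already running in this session
     * (page switches are always allowed), 'ok' when a new query is accepted,
     * or the number of seconds still to wait when the new query comes too fast.
     */
    public function check(string $q, int $now): string|int
    {
        // Normalise so trivial re-encodings of the same query are not "new".
        $fingerprint = hash('sha256', mb_strtolower(trim($q)));
        $state = $this->store[self::KEY] ?? ['query' => null, 'last_new' => 0];

        if ($state['query'] === $fingerprint) {
            return 'paginate';          // same result set: no flood check on page N
        }

        $elapsed = $now - $state['last_new'];
        if ($elapsed < self::MIN_INTERVAL) {
            return self::MIN_INTERVAL - $elapsed;   // caller redirects with a wait message
        }

        // Accept the new search and record it where the client cannot tamper with it.
        $this->store[self::KEY] = ['query' => $fingerprint, 'last_new' => $now];
        return 'ok';
    }
}

// Usage sketch inside an action:
//   $guard  = new SearchFloodGuard($_SESSION);
//   $result = $guard->check($q, time());   // 'ok' | 'paginate' | seconds to wait
```

Storing only the query fingerprint and timestamp (rather than the whole result set) keeps the session small while still letting page changes bypass the check.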
