Thanks again for the response. Even if my question wasn't about storing sessions, it's a nice article!
Saving session by IP ... what if $_SERVER['REMOTE_ADDR'] is not set? Or if it's giving you only a proxy's IP? You would need something like that, and even then you won't be sure to get an IP:

    // Posted helper: tries the client-supplied headers first, then the TCP peer.
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so the value
    // they yield is whatever the client (or an intermediate proxy) chose to send.
    function GetIP() {
        if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
            $ip = getenv("REMOTE_ADDR");
        else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
            $ip = $_SERVER['REMOTE_ADDR'];
        else
            $ip = "??still unknown??";   // no usable source at all
        return $ip;
    }

Anyway... as I mentioned, my main question isn't about storing sessions, but getting a best practice for the pagination of search results with flood protection!? :-)

So you both think that storing search results in the session is a good idea? I thought it would be odd and that there may be a better way?

On 5 Jun., 09:25, pghoratiu <pghora...@gmail.com> wrote:
> I think you should be worried about users that refuse to reply with
> the cookie, thus the session is pretty much useless in this case
> (crawlers usually don't hold the cookie).
> In this case you need to track the users by IP address.
> I would solve this problem on the Apache server side with dos_evasive
> and not in symfony, see here: http://bobcares.com/blog/?p=79
>
> AFAIK the users can't mess with session data, it's stored safely on
> the server side and the data storage bucket is identified by the hash
> of the session (check the cookie named symfony).
>
> gabriel
>
> On Jun 4, 11:47 pm, comb <sa...@gmx.net> wrote:
> >
> > Hi everybody! :-)
> >
> > I have two actions: search/executeIndex and search/executeSearch.
> >
> > And I have a Search-Query $q generated by executeSearch that gives
> > all search results.
> >
> > Normally you would simply give it to the Pager and be happy! :-)
> > BUT I want to add a search-flood-protection.
> >
> > I try to find the best practice now for this use case:
> >
> > 1) A user sees a search form, fills it in and submits it.
> >
> > 2) I check if the user is flooding; if so, he's redirected and sees a
> > message like 'you have to wait some time', otherwise he sees the
> > results page.
> >
> > If I now add pagination to the results, I need to execute the search
> > function on each page, and that would result in a redirection for the
> > user and a message that he has to wait some time if he switches the
> > page too fast... That's NOT what I want!
> >
> > I want the user to be able to switch pages in THIS current search
> > results without waiting. Only if he queries a NEW search from the
> > form do I want to check the flooding time.
> > If I use the user's session, like setting a var "is_new_search", I
> > will be afraid of someone who manually sets this var in his cookie to
> > FALSE.
> >
> > Any ideas on how I could do that securely? I thought about fetching
> > all search results and saving them in the user's session. Then if the
> > search function finds those results in the session, the function
> > simply paginates them. Otherwise a new query is generated and the
> > flood time is checked. But that sounds very odd to me :-/
> > Any experience with that?

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en
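One way to build what the thread is circling around, as an added example that is not code from either poster or from symfony itself: the flood interval is enforced only when a search is started, the started search is recorded in the server-side session under a random id (so the browser holds a session cookie and a search id, never an "is_new_search" flag it could flip), and page requests are honoured only for that id. It also shows the narrower point from the GetIP discussion: X-Forwarded-For is only worth reading when the direct peer is one of your own proxies. Names, the 10-second interval, the page size, the `$session` array standing in for the framework session object, the `$runQuery` callable and all sample data are assumptions made for the example; it is plain PHP 7.4+ and runs from the CLI.

```php
<?php
declare(strict_types=1);
// Added example for this thread; it is not code from the list posts or from
// symfony. Assumptions: $session stands in for the server-side session array
// (the browser only ever holds the session id), $runQuery is any callable that
// returns the full result list for a query string, and $now is the current Unix
// timestamp, passed in so the flood window can be exercised deterministically.

const FLOOD_INTERVAL = 10;  // assumed policy: at most one NEW search every 10 seconds
const PAGE_SIZE      = 10;  // assumed page size

// Starts a new search. This is the only place the flood interval is enforced.
// On success the query is stored under a random search id in the session and the
// id is handed back; the client never receives a flag it could tamper with.
function startSearch(array &$session, string $query, int $now): array
{
    $elapsed = $now - ($session['last_search_at'] ?? 0);
    if ($elapsed < FLOOD_INTERVAL) {
        return ['ok' => false, 'wait' => FLOOD_INTERVAL - $elapsed];
    }
    $id = bin2hex(random_bytes(16));            // 128-bit id, not guessable
    $session['last_search_at'] = $now;
    $session['search'] = ['id' => $id, 'query' => $query];
    return ['ok' => true, 'search_id' => $id];
}

// Serves one page of the current search. No flood check here: paging is only
// possible for the search id already in the session. A missing or forged id
// returns null, and the caller routes that request through startSearch().
function searchPage(array &$session, string $searchId, int $page, callable $runQuery): ?array
{
    $current = $session['search'] ?? null;
    if ($current === null || !hash_equals($current['id'], $searchId)) {
        return null;
    }
    $results = $runQuery($current['query']);    // re-run the query; cache the list here if it is costly
    $pages   = max(1, (int) ceil(count($results) / PAGE_SIZE));
    $page    = min(max(1, $page), $pages);
    return [
        'page'  => $page,
        'pages' => $pages,
        'items' => array_slice($results, ($page - 1) * PAGE_SIZE, PAGE_SIZE),
    ];
}

// For clients that do not keep the session cookie (crawlers), a per-IP limit is
// the fallback. X-Forwarded-For is trusted only when the direct peer is one of
// our own proxies; from anyone else it is just a header the client chose to send.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last  = end($chain);                   // the entry our proxy appended: the peer it saw
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $remote;
}

// Demonstration with constructed data (no database, no web server).
$session   = [];
$fakeQuery = fn(string $q): array => array_map(fn(int $i): string => "$q-$i", range(1, 25));

$first = startSearch($session, 'symfony', 1000);
if (!$first['ok']) { throw new RuntimeException('first search must be allowed'); }

$page2 = searchPage($session, $first['search_id'], 2, $fakeQuery);
if ($page2['page'] !== 2 || $page2['pages'] !== 3 || count($page2['items']) !== 10) {
    throw new RuntimeException('paging within the current search must not be throttled');
}
if (searchPage($session, str_repeat('0', 32), 1, $fakeQuery) !== null) {
    throw new RuntimeException('a forged search id must be rejected');
}
$second = startSearch($session, 'doctrine', 1003);       // new search 3 s later
if ($second['ok'] || $second['wait'] !== 7) {
    throw new RuntimeException('a new search inside the interval must be throttled');
}
$spoofed = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
if (clientIp($spoofed, ['192.0.2.1']) !== '203.0.113.9') {
    throw new RuntimeException('X-Forwarded-For from an untrusted peer must be ignored');
}
$viaProxy = ['REMOTE_ADDR' => '192.0.2.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9'];
if (clientIp($viaProxy, ['192.0.2.1']) !== '203.0.113.9') {
    throw new RuntimeException('behind our own proxy the appended address is the client');
}
echo "all checks passed\n";
```

The example stores only the query and the id in the session and re-runs the query per page, which keeps the session small; storing the full result list, as proposed in the thread, works the same way and saves the repeated query, at the cost of session size and of results going stale while the user pages. Either way the property the original question asks for holds: the timestamp and the id live only on the server, so the client cannot turn a new search into a page view.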