Hey there, another solution that hasn't been mentioned yet is to simply cache the search result for that particular query / user (make query and userid part of the cache key). That way, it doesn't matter if somebody's flooding, as this won't bog down the server.
Daniel

On Jun 5, 10:30 am, comb <sa...@gmx.net> wrote:
> Ok, so the best practice is Keep It Stupid Simple (KISS) with some
> simple session-checks (and yes, the users need to be logged in for
> searching)
>
> Thanks for the great responses pghoratiu/gabriel!
>
> On 5 Jun., 13:37, pghoratiu <pghora...@gmail.com> wrote:
>
> > > how do you secure, that one cannot bypass the post-form, by url-
> > > manipulation?
> > > ====
> > You can not really do that, they can do whatever they want in the
> > request.
>
> > One thing that you have to do is to enforce a session upon the users
> > that get to search form - by requesting login for instance.
> > To identify if a request is a second search or pagination just save
> > the array of filters in the session and compare it
> > when going to the second request, in the case of pagination all the
> > filters will be the same except page.
>
> > The thing is that there are so many ways to generate a DOS for a
> > website that protecting only the search result does not make
> > too much sense to me. They could be requesting an image from your site
> > over and over again without touching the search result.
> > So basically you will protect your search result somehow without
> > protecting from other DOS methods.
>
> > gabriel
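The two ideas in this thread (a cache key built from the query and user id, and comparing the session's saved filters to tell pagination from a new search), combined in plain PHP as an added example that is not code from any poster or from symfony. All function names are hypothetical, and the in-memory array stands in for whatever shared cache the application uses.

```php
<?php
// Added example. All function names here are hypothetical; the plain array
// $cache stands in for a shared cache such as APC or memcached (assumption).

/** Drop the page number and canonicalise filters so equal searches compare equal. */
function normalize_filters(array $filters): array
{
    unset($filters['page']);
    ksort($filters);
    return array_map(fn($v) => is_string($v) ? strtolower(trim($v)) : $v, $filters);
}

/** Cache key built from user id, filters and page, as suggested in the reply. */
function search_cache_key(int $userId, array $filters): string
{
    $page = max(1, (int) ($filters['page'] ?? 1));
    return 'search:' . hash('sha256', serialize([$userId, normalize_filters($filters), $page]));
}

/** Pagination = same filters as the ones saved in the session, only the page differs. */
function is_pagination(array $session, array $filters): bool
{
    return isset($session['search_filters'])
        && $session['search_filters'] === normalize_filters($filters);
}

function cached_search(array &$cache, array &$session, int $userId, array $filters, callable $runQuery, int $ttl = 60): array
{
    $session['search_filters'] = normalize_filters($filters); // remembered for the next request
    $key = search_cache_key($userId, $filters);
    if (isset($cache[$key]) && $cache[$key]['expires'] > time()) {
        return $cache[$key]['rows'];               // repeated request: no database work
    }
    $page = max(1, (int) ($filters['page'] ?? 1));
    $rows = $runQuery(normalize_filters($filters), $page);
    $cache[$key] = ['rows' => $rows, 'expires' => time() + $ttl];
    return $rows;
}

// Constructed demo: $calls counts how often the expensive query really runs.
$cache = []; $session = []; $calls = 0;
$query = function (array $f, int $page) use (&$calls): array {
    $calls++;
    return ["rows for '{$f['q']}', page $page"];
};
cached_search($cache, $session, 42, ['q' => 'Symfony ', 'page' => 1], $query);
cached_search($cache, $session, 42, ['q' => 'symfony', 'page' => 1], $query); // served from cache
var_dump(is_pagination($session, ['q' => 'symfony', 'page' => 2]));
var_dump(is_pagination($session, ['q' => 'doctrine', 'page' => 1]));
echo "query executions: $calls\n";
```

The cache only absorbs repeated identical requests; a client that changes the query on every request still reaches the database each time, so this works alongside the login and session check rather than replacing it.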