Hi,

Just a thought, since I have never implemented something like this...

I'd prevent users from submitting more than 1 vote from the same IP
during a (configurable) period of time.

I'd store all votes received in a DB.

I'd implement some kind of police entity, like, for instance, a
VoteInspector that checks for suspicious IPs (for example: those with
an incredibly high number of votes) and implements security policies for
those.

About spoofing, I don't know much about it... I'd take a guess and say
that you could verify that every post's IP corresponds to the machine
that post actually came from (cookies might help for this?)...

This is just a little bit of "thinking out loud"... I might be wrong in
some aspects.

Anyway, hope this gives you some ideas...

Freddy.

-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 13 April 2004 12:23
To: Struts Users Mailing List
Subject: [slightly OT] defensive strategy

Sorry for posting this OT question but I've got an issue that people on 
this list are very likely to have tackled:

I am developing a traditional online survey app, the kind of thing that 
a lot of people must have done. I am wondering how to protect it from 
script-kiddies who might want to see if they can bombard it with fake 
votes.

It's basically public and anyone can take part in the surveys it will
run.

I put a switch to check for a flag in the session so that people don't 
vote more than once from the websites where the surveys will be
deployed.

But I am worried that kids writing scripts will not be stopped by 
session flags. Is it worth writing an algorithm to store the IP 
addresses used for the last hour? Or can they spoof IP addresses?

If it is useful noting the IP addresses, how best should I store them? 
In a hashtable in application scope? In the database? In a session EJB?

Thanks!
-- 
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian


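The two ideas above (one vote per IP per configurable window, every vote logged to a DB, and an inspector that flags addresses with an implausible number of votes) fit together as below. This is an added example by the editor, not code from either poster or from Struts; the thread's app is Java/Struts on Tomcat, and this sketch uses Python with an in-memory SQLite table standing in for the real database. Names such as VoteLedger, VoteInspector, client_ip and the 10.0.0.0/8 proxy range are this example's assumptions. Two points the thread asks about are built in: rejected attempts are logged as well as accepted ones, otherwise the throttle itself hides the flood from the inspector; and on the spoofing question, the peer address of a completed HTTP request over TCP cannot be forged by a remote script (the handshake has to succeed), but it is shared by everyone behind the same NAT or proxy, and the X-Forwarded-For header is plain text the client controls, so it is only honoured when the request comes from one of our own proxies.

```python
"""Per-IP vote throttling, a vote ledger and an inspector (added example).

Assumptions: an in-memory SQLite table stands in for the survey app's
database; TRUSTED_PROXIES is a made-up range for the site's reverse proxy.
"""
import sqlite3
from ipaddress import ip_address, ip_network

# Assumption: our own reverse proxies live here; only they may set X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


class VoteLedger:
    """Stores every vote attempt and enforces one vote per IP per window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE votes (ip TEXT NOT NULL, survey TEXT NOT NULL, "
            "choice TEXT NOT NULL, ts REAL NOT NULL, accepted INTEGER NOT NULL)"
        )
        self.db.execute("CREATE INDEX votes_ip ON votes (ip, survey, ts)")

    def cast(self, ip, survey, choice, now):
        """Log the attempt; accept it only if this IP has no accepted vote
        on this survey inside the window. Returns True when accepted."""
        recent = self.db.execute(
            "SELECT COUNT(*) FROM votes WHERE ip=? AND survey=? "
            "AND accepted=1 AND ts > ?",
            (ip, survey, now - self.window),
        ).fetchone()[0]
        accepted = recent == 0
        # Rejected attempts are kept too, so the inspector can see the flood.
        self.db.execute(
            "INSERT INTO votes (ip, survey, choice, ts, accepted) "
            "VALUES (?, ?, ?, ?, ?)",
            (ip, survey, choice, now, int(accepted)),
        )
        return accepted

    def tally(self, survey):
        """Accepted votes per choice for one survey."""
        rows = self.db.execute(
            "SELECT choice, COUNT(*) FROM votes WHERE survey=? AND accepted=1 "
            "GROUP BY choice",
            (survey,),
        ).fetchall()
        return dict(rows)

    def attempts_since(self, since):
        """All attempts (accepted or not) per IP newer than `since`."""
        rows = self.db.execute(
            "SELECT ip, COUNT(*) FROM votes WHERE ts > ? GROUP BY ip", (since,)
        ).fetchall()
        return dict(rows)


class VoteInspector:
    """Flags IPs whose attempt count in the window exceeds a threshold."""

    def __init__(self, ledger, max_attempts, window_seconds):
        self.ledger = ledger
        self.max_attempts = max_attempts
        self.window = window_seconds

    def suspicious_ips(self, now):
        counts = self.ledger.attempts_since(now - self.window)
        return {ip: n for ip, n in counts.items() if n >= self.max_attempts}


def client_ip(remote_addr, forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Address to throttle on. The TCP peer address is used unless the peer
    is one of our proxies, in which case the hop that proxy appended (the
    rightmost X-Forwarded-For entry) is the real client. Anything a client
    writes into the header itself is ignored."""
    peer = ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            try:
                return str(ip_address(hops[-1]))
            except ValueError:  # malformed header from the proxy: fall back
                pass
    return str(peer)


def demo():
    """Constructed scenario: one honest voter and one scripted flood."""
    ledger = VoteLedger(window_seconds=3600)
    inspector = VoteInspector(ledger, max_attempts=20, window_seconds=3600)
    t0 = 1_000_000.0
    r = {}
    r["first"] = ledger.cast("203.0.113.7", "s1", "yes", t0)          # accepted
    r["repeat"] = ledger.cast("203.0.113.7", "s1", "yes", t0 + 60)    # refused
    r["after_window"] = ledger.cast("203.0.113.7", "s1", "yes", t0 + 3601)
    for i in range(50):  # script firing 50 votes in under a minute
        ledger.cast("198.51.100.9", "s1", "no", t0 + i)
    r["tally"] = ledger.tally("s1")
    r["suspicious"] = inspector.suspicious_ips(t0 + 100)
    # Forged header straight from an untrusted peer is ignored ...
    r["forged"] = client_ip("198.51.100.9", "192.0.2.44")
    # ... but behind our proxy the rightmost hop is the real client.
    r["proxied"] = client_ip("10.0.0.2", "192.0.2.44, 203.0.113.1")
    return r


if __name__ == "__main__":
    print(demo())
```

The inspector only reports; what the "security policy" is (drop the IP's votes from the tally, block it, alert a human) is a separate decision, and because NAT and corporate proxies put many real voters behind one address, a high count should start as a review flag rather than an automatic ban.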
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
