in reply to Unique User Logging and Lock Out

HTTP headers, such as REMOTE_ADDR, could, as ikegami pointed out, easily refer to an in-between proxy server and not the user.

A malicious user could pull off some list of public anonymous proxies and script requests through each of them at random intervals, which makes it very hard to filter out bad requests.

You could implement a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), in order to stop automated requests. There are several implementations out there, for example GD::SecurityImage.

As a sidenote, most non-anonymous proxies set the HTTP_X_FORWARDED_FOR header, which usually is the user's IP; however, if several proxies were chained together, it would be a comma-delimited list of the proxies' IPs. HTTP_VIA and HTTP_CLIENT_IP are other ones I remember off the top of my head. These variables enable you to identify proxies and distinguish users behind them.
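As an added example (not code from the original thread or from any of its posters), here is how a Perl application could derive the address to use for lock-out bookkeeping from REMOTE_ADDR and the comma-delimited HTTP_X_FORWARDED_FOR chain while trusting only its own reverse proxies; the trusted proxy addresses and the sample requests below are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical set of reverse proxies we operate; replace with your own.
my %TRUSTED_PROXY = map { $_ => 1 } qw(10.0.0.5 10.0.0.6);

# Returns ($ip, $untrusted_remainder). $ip is the right-most hop we can vouch
# for; $untrusted_remainder is true when the header still held entries that
# no trusted proxy added, i.e. client-supplied values we must not rely on.
sub client_ip {
    my ($remote_addr, $xff) = @_;
    # Each proxy appends to X-Forwarded-For, so the right-most entry was added
    # by the peer we actually spoke to (REMOTE_ADDR). Walk from the right.
    my @chain = map { s/^\s+|\s+$//gr } split /,/, ($xff // '');
    my $ip = $remote_addr;
    while ($TRUSTED_PROXY{$ip} && @chain) {
        $ip = pop @chain;    # step one hop back through a proxy we trust
    }
    return ($ip, @chain ? 1 : 0);
}

# Constructed sample requests: [REMOTE_ADDR, HTTP_X_FORWARDED_FOR, comment]
my @samples = (
    [ '10.0.0.5',     '203.0.113.7',             'single trusted proxy' ],
    [ '10.0.0.6',     '203.0.113.7, 10.0.0.5',   'two trusted proxies chained' ],
    [ '10.0.0.5',     '192.0.2.1, 203.0.113.7',  'client forged a left-hand entry' ],
    [ '198.51.100.9', '192.0.2.1',               'direct peer, header untrusted' ],
);

for my $s (@samples) {
    my ($ip, $forged) = client_ip($s->[0], $s->[1]);
    printf "%-32s -> lock out %-13s%s\n", $s->[2], $ip,
        $forged ? ' (ignored untrusted X-Forwarded-For entries)' : '';
}
```

The last two samples show the point that matters for lock-out: a value that only appears in X-Forwarded-For and was not appended by a proxy you trust is attacker-controlled, so counting failures against it lets an attacker either dodge the lock-out or lock out someone else.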

Re: Unique User Logging and Lock Out
by benizi (Hermit) on Nov 19, 2004 at 00:40 UTC