3

We have a link on our homepage and, for security reasons, need to prevent a user from clicking it more than X times within Y minutes. It is a server-side link button, so if they exceed the threshold I can return an informational message.

However, I'm not sure how to identify the user. Should I use the client's IP address? Can I use a session for users who are not logged in?


2 Answers

0

I would recommend against using an IP address to identify a user. See: Is it reliable to use the IP address to identify a user on your website?

Using a cookie is often the best way to track users. But obviously if this is a security issue then that can be circumvented.

If you are dealing with a potential Denial-Of-Service attack, then I think the only secure option is to require the user to log in before allowing him/her to click the link. If this is not a major security issue (it's OK for bad actors to circumvent), then just require the use of cookies for your site and track clicks that way.


EDIT
Based on your comment, I think you need to implement a secure and meaningful method for the user to log in. There is no universal way to successfully and reliably identify a single user (however you may define that). You will need to have the user log in and accept cookies (so you can track their session).

This is like trying to prevent kids from ringing your doorbell more than once. Trying to determine who they are from the murky blackness of the web (IP address, etc) is like trying to identify the ringer by having them shout their name at you through the door. You will have to have them present some more meaningful and concrete form of identification which can be attached to them and tracked if you want to have any hope of making that dang doorbell stop.

answered 2012-10-24T21:05:13.740
0

You can use Session to store the total number of clicks.

However, if the user is malicious/clever, he can easily "lose" the session by refusing to accept cookies or by loading the page without a sessionid (in the case of cookieless session handling).

Using the IP address might work, but be aware that people on the same network may share the same IP address, so you could accidentally hit several people at once. Likewise, if you are trying to stop a DDOS, it won't make any difference, because they have a list of IPs to use.

answered 2012-10-24T21:04:11.000
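Both answers come down to the same two decisions: what key identifies the client (session id for logged-in users, IP only as a weak fallback) and how the "X clicks in Y minutes" window is enforced. The following is an added example, not code from the question or either answer, showing a sliding-window limiter in Python. The class and function names (`ClickLimiter`, `click_key`), the injectable clock, and the in-memory store are all assumptions made for this illustration; a real deployment would keep the counters in a shared store so that dropping the cookie or hitting another server does not reset them.

```python
# Added example (not from the original question or answers): sliding-window
# click limiting keyed by a trusted client identifier.
from collections import defaultdict, deque
import time


class ClickLimiter:
    """Allow at most `max_clicks` per key within a rolling window of
    `window_minutes`. Timestamps of recent clicks are kept per key; entries
    older than the window are discarded on each check."""

    def __init__(self, max_clicks, window_minutes, clock=time.monotonic):
        self.max_clicks = max_clicks
        self.window = window_minutes * 60          # seconds
        self.clock = clock                         # injectable for tests
        self._hits = defaultdict(deque)            # key -> recent click times

    def allow(self, key):
        """Record a click for `key` and return True if it is within the
        threshold, False if the threshold has already been reached."""
        now = self.clock()
        q = self._hits[key]
        # Drop clicks that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_clicks:
            return False                           # caller shows the message
        q.append(now)
        return True

    def remaining(self, key):
        """Clicks still permitted for `key` in the current window."""
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return max(0, self.max_clicks - len(q))


def click_key(session_id, client_ip):
    """Choose the identifier to rate-limit on. A server-side session id is
    preferred; the client IP is only a fallback and, as the answers note,
    may be shared by many users behind one NAT and is trivially rotated by
    an attacker with many addresses."""
    if session_id:
        return "sid:" + session_id
    return "ip:" + client_ip


if __name__ == "__main__":
    # Constructed sample: a logged-in user makes four clicks, limit is 3 per 5 min.
    limiter = ClickLimiter(max_clicks=3, window_minutes=5)
    key = click_key("constructed-session-id", "203.0.113.10")
    for i in range(4):
        print(f"click {i + 1}: {'ok' if limiter.allow(key) else 'blocked'}")
```

The limiter only enforces the window; the identity question from the answers is isolated in `click_key`, so switching from IP to session keys (or refusing anonymous clicks entirely) is a one-line change. Using an injectable clock keeps the window logic testable without sleeping.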