Stopping people from brute forcing URL / UUIDs
#10

[eluser]jedd[/eluser]
[quote author="RS71" date="1237797879"]
Could you please elaborate on the honeypot IDs?[/quote]

Note - this becomes theoretically moot if you have sufficiently long and random strings to publicly identify your records.

With smaller, incremental ID numbers, though, you would periodically reserve one of these - say every 27th normal addition you'd create an additional dummy record, which would have some unique identifying data. Your code would never refer to this site - that is, there would never be a URL generated by your site that pointed to one of these records. If your controller ever received a request for same, therefore, it would know that the kind of search you are concerned about was occurring. At which point you ... do whatever.

Drop a route, ban an IP address, ban that user, etc.

None of these are very effective, of course, since the first doesn't stop the user from going to a different machine, the second can annoy anyone else on the same ISP, the third assumes an ACL system (or a business policy) that is evidently not present, that can manage these rights.

[quote]Do you have any tips you could give me?[/quote]

My big tip is, if you really do have an ACL system in place, you should extend it such that it can handle the permission model that you sound like you actually want to use. Or let it go.

I guess I just can't imagine a situation where I would want 'slightly more complicated' as my security mechanism, though perhaps I'm just used to black and white problems.
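
The decoy-record scheme described in the post above, as an added example that is not part of the original post or of any CodeIgniter code. It is a framework-free sketch: `RecordStore`, `DECOY_EVERY`, `fetch()` and the in-memory array standing in for the database table are all hypothetical, and the requests are constructed sample input.

```php
<?php
// Added example: in-memory stand-in for a table with incremental IDs.
// RecordStore, DECOY_EVERY and fetch() are hypothetical names.
final class RecordStore
{
    const DECOY_EVERY = 27;      // the post's "say every 27th normal addition"
    private $rows = [];          // id => ['decoy' => bool, 'data' => mixed]
    private $nextId = 1;
    private $normalCount = 0;
    public $alerts = [];         // what a real app would write to its log

    // Insert a normal record; after every 27th one, reserve the next ID as a decoy.
    public function add($data)
    {
        $id = $this->nextId++;
        $this->rows[$id] = ['decoy' => false, 'data' => $data];
        if (++$this->normalCount % self::DECOY_EVERY === 0) {
            // Never linked from any URL the site generates.
            $this->rows[$this->nextId++] = ['decoy' => true, 'data' => null];
        }
        return $id;
    }

    // Controller-side lookup: returns [httpStatus, data].
    public function fetch($id, $clientIp)
    {
        $row = isset($this->rows[$id]) ? $this->rows[$id] : null;
        if ($row !== null && $row['decoy']) {
            // Only a request that guessed the ID can arrive here.
            $this->alerts[] = ['id' => $id, 'ip' => $clientIp, 'time' => time()];
            return [404, null];  // same answer as a missing ID, so the decoy stays invisible
        }
        return $row === null ? [404, null] : [200, $row['data']];
    }
}

// Constructed demo: 60 normal records, then sequential requests for IDs 1..70.
$store = new RecordStore();
for ($i = 1; $i <= 60; $i++) {
    $store->add("record $i");
}
for ($id = 1; $id <= 70; $id++) {
    $store->fetch($id, '203.0.113.7');   // documentation-range address
}
foreach ($store->alerts as $a) {
    echo "decoy id {$a['id']} requested from {$a['ip']}\n";
}
```

What to do with an alert (drop a route, ban an address, ban a user) is left to the caller, as in the post; the sketch only covers detection.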

