A serious question about cgi (intermediate-newbie)

Robin

I'm beginning to understand cgi.pm....and I'm wondering if there's any way to
deny a client side user their privilege to submit a form over and over again
by clicking back on their browser and submitting it again or clicking the
button to submit the form before the page with the form goes on to the next
page...do I have to log ips or something?

Thanks in advance.
 
Vetle Roeim

* robin @ infusedlight.net
I'm beginning to understand cgi.pm....and I'm wondering if there's any
way to deny a client side user their privilege to submit a form over
and over again by clicking back on their browser and submitting it
again or clicking the button to submit the form before the page with
the form goes on to the next page...do I have to log ips or
something?

You can generate a "ticket" that can only be used
once. I.e. generate a ticket when the form is accessed, and check
that the ticket is valid in the Perl code that receives the form
data when the user clicks the submit button.

[...]
 
Robin

You cannot prevent people from submitting information, multiple
times by clicking a form button. You can expire a cache, you
can parse for ip addresses, you can do many things to prevent
the _same_ data from being submitted more than once.

You cannot prevent a childish person from clicking a submit
button more than once. Quite the opposite. There is at least
one person here, a regular participant, who has been accessing
the same pages at my site, ten, twenty, forty times a day,
for years, literally and truthfully. His childish behavior
waxes and wanes with my degree of participation here. I return
for a bit, he is more active. I leave, he becomes less active.
He is very predictable, right down to his hours of business.

There is much you can do to protect your script, to protect
the integrity of your data, to prevent certain ip addresses
from engaging your site.

You cannot prevent childish, possibly mentally disturbed
people from attempting this type of abuse, and there is
at least one person here, who fits that description.

Protection against this type of behavior is very much
like how you protect your username / password file in
your current script.

Other than that, just ignore those people; they are
begging for attention, even negative attention, and
a person here is receiving attention in this article,
which annoys me. Chances are, you are taking notice
of this same childish person who believes it is his
duty in life, to punish others for whatever reason,
most likely, abhorrent self-gratification.

There is a benefit and a revenge. Each minute he, and
others like him, each minute he wastes trying to
abuse others, is a minute wasted from his lifetime,
a minute lost forever.

I delight knowing I am robbing this person of time
from his lifetime, with no effort, with no time of
my own, wasted away.

Protect your script, protect your data, ignore him.

That's the ticket, I think I'll just add a feature to delete posts from the
admin script or something so I don't have to deal with these childish
individuals... join my yahoo perl group:

Group home page: http://groups.yahoo.com/group/perlbeg2
Group email address: (e-mail address removed)

Later.
-Robin
 
Robin

Vetle Roeim said:
* robin @ infusedlight.net

You can generate a "ticket" that can only be used
once. I.e. generate a ticket when the form is accessed, and check
that the ticket is valid in the Perl code that receives the form
data when the user clicks the submit button.

good point. Thanks.
-Robin
 
Vetle Roeim

Robin said:
good point. Thanks.

This won't prevent users from posting a lot of annoying messages
on a bulletin board, though.

I've used this kind of one time ticket if submitting the form kicks
off some kind of specific action on the server... If it sends a mail,
for instance. Generating a one time ticket may prevent the user from
sending the same data in the mail multiple times.


vr
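
The one-time ticket described in the posts above, written out for a CGI.pm script. This is an added example, not code from any poster in the thread; the ticket directory, the 30-minute lifetime and the form field name `ticket` are assumptions.

```perl
# Added example: one-time form tickets stored as files, redeemed by unlink.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

my $TICKET_DIR = '/var/lib/myapp/tickets';  # assumed path: outside the web root, mode 0700
my $TICKET_TTL = 30 * 60;                   # assumed lifetime in seconds

# Called when the form is displayed: create a random ticket and record it.
sub issue_ticket {
    open my $rnd, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from urandom";
    close $rnd;
    my $ticket = unpack 'H*', $bytes;       # 32 hex characters, not guessable
    # O_EXCL: fail rather than silently reuse an existing ticket file.
    sysopen my $fh, "$TICKET_DIR/$ticket", O_WRONLY | O_CREAT | O_EXCL, 0600
        or die "cannot store ticket: $!";
    close $fh;
    return $ticket;
}

# Called when the form data arrives: true at most once per issued ticket.
sub redeem_ticket {
    my ($ticket) = @_;
    # Accept only what issue_ticket produces; this also keeps "../" out of the path.
    return 0 unless defined $ticket && $ticket =~ /\A[0-9a-f]{32}\z/;
    my $path  = "$TICKET_DIR/$ticket";
    my $mtime = (stat $path)[9];
    return 0 unless defined $mtime;         # never issued, or already used
    # unlink is atomic: of two simultaneous submits only one sees success.
    return 0 unless unlink $path;
    my $age = time - $mtime;
    return $age <= $TICKET_TTL ? 1 : 0;     # an expired ticket is consumed and refused
}

my $q = CGI->new;
print $q->header('text/html');
if (($q->request_method || 'GET') eq 'POST') {
    if (redeem_ticket(scalar $q->param('ticket'))) {
        # ... perform the one-off action here (send the mail, store the post) ...
        print "<p>Thanks, your submission was processed.</p>";
    } else {
        print "<p>This form was already submitted or has expired.</p>";
    }
} else {
    my $t = issue_ticket();
    print qq{<form method="post"><input type="hidden" name="ticket" value="$t">},
          qq{<textarea name="msg"></textarea><input type="submit"></form>};
}
```

Tickets for forms that are displayed but never submitted stay in the directory, so a periodic job should delete files older than the lifetime. As noted in the thread, this stops the same form from being replayed via the back button or a double click; it does not stop someone from loading a fresh form and posting again.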
 
Robin

deny a client side user their privilege to submit a
Research and read about "no cache pragma" for your
display page html headers. Most browsers recognize
this or variations. A fast expiration time generates
one of those "post data missing" error pages.

That will not prevent repeated submissions but will
add one or two extra steps to the process of repeating
a post submission.

Blocking of ip addresses is usually pointless. There
are so many proxy servers, you will spend a tremendous
amount of time trying to block them. Blocking ip addresses
should be used for very serious problems.

Automatic blocking of ip addresses helps in the short term.
We have a couple of androids who automatically block offenders,
and make a log record. This causes a person to have to switch
to a new proxy. Easy enough to write simple rules, such as
scanning your database for the same entry. If so, your script
response can be to append a "Deny From" in an htaccess file,
when someone repeats the same data entry.

Redirection works well. You can redirect a twit to a site
which employs lots and lots of table tags. You have visited
those sites which cause your browser to "stall" for a long
period of time because of nested table tags. You may also
redirect an offender to a site which you know contains
hostile tags, such as java applets or visual scripts which
are designed to cause browser problems.

There are at least a thousand and one ways to crash a browser,
or crash a system. This is useful for some sociopaths but might
land you in trouble. There are ways to tag a system, especially
if they have cookies turned on.

Another method is a primitive honeypot. Use URL masquerading
and provide the idiot with a fake page. Allow him to sit
there wasting his time clicking a button which looks real,
responds in a real way, but actually does nothing.

What I find effective is collecting log entries for an offender
over a month, over two months, then clobber the servers with
formal complaints, daily, for weeks, until they take action
or disclose information you need. More than once I have enjoyed
success at having an offender's ISP account terminated.

This "ticket" method suggested by another, is a good idea.

If you can determine who the offender is, where he works and
can _factually_ prove he is causing problems during work, from
an office or place of employment, send mail to his employer,
call his employer, have your favorite attorney write his employer.
Nothing worse than having a boss on your back, or perhaps being
fired from your job. I have done this with great success but
only for very extreme circumstances.

Personally, I like automatic banishment. Quite the surprise.

All of those and hundreds of other methods work well.

Nonetheless, the best method for childish offenders is to
simply ignore them; never take action, never respond. That
is the worst punishment an attention seeker can be dealt.

For trivia, since posting my prior article on this topic,
the regular here who is mentally disturbed, has tripled his
efforts at annoying me. He is not a very bright boy, he
is easy to manipulate, he amuses me, as do many of the
boys populating this newsgroup.


Purl Gurl

You are pretty funny! lol. Later and thanks for the info, I should probably
get cracking.
-Robin
 
Anno Siegel

[in an unattributed reply to Purl Gurl]

[how to hunt down, maim, and kill vile defacers of bulletin boards]
You are pretty funny! lol. Later and thanks for the info, I should probably
get cracking.

Kindred spirits? Oh, the prospect...

Anno
 
