On Oct 30, piavlo wrote:
>anomalizer Wrote:
>-------------------------------------------------------
>
>> Are you trying to limit genuine or malicious
>> users? A malicious user can
>> always circumvet the limites by creating his own
>> cookies and sending
>> them.
>
>Genuine users of specific application - this why I though that session
>should be most reliable way. The other option is to limit by IP but
>AFAIU this is not good in case several users are connecting from behind
>the same proxy. Could you recommend other options?

You need some sort of a way to ensure that the per user token (in this
case session id in a cookie) was actually issued by you. The token
should have the following properties:

* Computationally inexpensive to check if you had issued the token

* Computationally prohibitive for others to create a token that will
pass the test above


Failure to produce a legitimate toke by the user shoudl result in a HTTP
403