I am creating a Grails application and I'm trying to figure out the best way to prevent a user from spamming posts on my server. I have an infinite number of forms where they can leave comments. I don't want them to have the ability to send a million comments. I know there exists a way to mock "server lag" so that the data rate slows down. Within the grails framework, is there a good way to set the maximum post size limit/rate?
I tried looking into any possibility of setting this via the tomcat properties but I wasn't having too much luck there with my own research.
Thanks much!!!
If I understand the question correctly, you want to restrict the size of a post which is provided by the user. If yes, then you can add the maxSize constraint in the domain class (or any command object if it is used).
If you are looking to prevent form re-submission then you can use formTokens to prevent a duplicate submission.
Related
I am not sure what is better perfomance whise so I ask you guys.
The problem is following:
I have a system where each User gets a certain amount of credit for certain events. So I gave my User an attribute named creditscore that gets altered on those events. Everything works well. But now I want the user to actually see what he did when and how much credit he got for this.
What would be better here:
Saving the whole history in a text attribute and add lines for each event
or
writing an extra model associated with the user and create an instance for every event.
or
or
something way different?
Since there are several events per user per day it would be either a huge text or a huge amount of instances. What would be better looking at website performance.
You absolutely do NOT want to store the history in a text attribute. Management of this will be a nightmare as will querying the data.
You could create a CreditEvent model and store the individual events in there. That would work fine.
However, before you start, check rubygems.org and ruby-toolbox.com to see if someone has already done the hard work. I know of at least one gem that seems to do exactly what you want to do:
https://github.com/merit-gem/merit
Apologies in advance as I'm sure this topic has no doubt been asked before but I couldn't find any post that answers my specific query.
Bearing in mind that I'm new to MVC this is where I have got to. I've got a project developed under VS 2010 using the MVC 3 framework. I've got a search page which consists of 6 fields and a nested model which itself holds around 3 fields.
I can successfully post all this data back to itself and the data is successfully passed as a model and back agian so the fields keep the data which the user has supplied.
Before I move on to actually using this search criteria on another view a thought hit me. I want to keep this search criteria, and possibly even the search results in memory for the duration of the users session.
The reasoning behind this is simply to save my users time by:
a) negating the need to keep re-inputting their search criteria regardless of how they enter or leave the search page
b) speed up the user experience by presenting the search results more quickly
The later isn't as important as the first requirement.
I've done some google searches and indeed had a look through this site on similar topics. From what I've read using sessions (which I would typically use if developing a PHP site) is a no no. From the reasons I've read as to why you shouldn't use sessions seem valid and I'm happy to go along with it.
But now I'm left in a place where I'm scratching my head wondering to myself what exactly is best practice to achieve this simple goal that could be applied to similar situations later down the line in the project.
I also looked at the OutputCache method and that didn't behave as I expected it to. In a test I set the timeout for 30 seconds. After submitting a search I clicked the link to my search page to see if the fields would auto-populate, they didn't. But then clicking the search button the values in the cache were retrieved. I thought I was making progress but when I tried to submit a new value the old value from the cache came back i.e. I couldn't actually change my search criteria with the cache enforced. So I've discounted this as an avenue to explore.
The last option seems to suggest the use of cookies as the most likely candidate, but rightly or wrongly I feel this isn't the best solution. I would have thought the MVC 3 design pattern would have an easier and recommended method of persisting values. I'm sure there is but I've just not discovered it yet.
I have started to use JQuery and again this has been mentioned but I'm not sure this is right direction to take either.
So in summary my question really comes down to what is considered by the wider community as best practice for persisting data in my situation. Effiency, scalability and resiliancy is paramount as I'll have a large global user base that will end up using this web app.
Thanks in advance!
Pete
I'd just use cookies. They're simple to use, you can persist them for as long as you want or have them expire when the users closes their browser, and it doesn't sound like you are storing anything sensitive in them.
I have a Rails application that has a search field that allows any visitor to search a database.
I'm hesitant to implement a Captcha because I'd like to keep the site clean and user-friendly.
However, I'd like to make it difficult for bots to try to harvest everything from the database by making tons of consecutive random queries. So I'm considering adding a Captcha that appears only if it looks like this is happening (e.g., the Captcha appears after a few bad searches).
Any suggestions for how to implement this? Should I try to use a session variable or keep track of IP addresses? Would I better off handling this issue at the server level (i.e., with an htaccess file)?
Consider using a honeypot. That means adding a form element that you hide with CSS. Bots cannot see that you've hidden the field and they will fill it in. Normal users will not fill it in.
I have a rails app where i have a Contact model and with an embedded address document so a contact can have multiple address's all stored in the one document.
I want to use backbone on the front end to have a contact page to edit contact details ie name, age and then also to add many address's.
What is the way to do this ? Should i be posting the whole contact model including all address's each time a field is changed or an address is added / removed ?
Or should i be doing pop / push atomic operations some how?
I am using mongomapper by the way.
I hope someone can explain the way this works?
thanks
rick
First, have a look at this question which discusses the full update versus the incremental update approach:
Voting system with Backbone.js
That is for a simple counter, so the $inc operator is not what you are looking for, however you can use other atomic operators (like $set), for in place updates, see here:
http://www.mongodb.org/display/DOCS/Atomic+Operations
The last thing you then will want to think about is the document size. If you allow the user to have an infinite number of addresses then be prepared to incur hits if/when the document exceeds its original size (plus some padding). That can mean more IO and updating indexes etc. A full discussion is beyond the scope of this question, but check out this page for a start:
http://www.mongodb.org/display/DOCS/Updating
Hope that helps!
I would like to stress (not sure this is the right word, but keep reading) the [POST] actions of my controllers. Does a tool exist that would generate many scenarios, like omitting fields, adding some, generating valid and invalid values, injecting attacks, and so on ? Thx
Update: I don't want to benchmark/performance test my site. Just automatically filling/tampering forms and see what happens
WebInspect from Spidynamics (HP bought them).
I've used this one in my previous job (I recommended it to my employer at the time) and I was overwhelmed with the amount of info and testing I could do with it.
https://download.spidynamics.com/webinspect/default.htm
Apache JMeter, is more likely to benchmark/stress itself rather than your site. I was recently pointed twards Faban which can be used for very simple and more complex tests and scenarios, its very performant. Also, take a look at OpenSTA and WebLoad both free and powerful with capabilities to record and replay complex scenarios.
Apache JMeter might fit the bill?
Have you seen CrossBow Web Stress Tester over at CodePlex?
supports get and post operations
you specify the number of threads, requests, waits, and timeouts
reads a txt file with name/value pairs for posting values
You'd have to download & modify the source if you wanted to generate random data for your Post variables.
Build one yourself by using WebClient with HtmlAgilityPack. Use agilitypack to parse your html and get the form, then just randomly fill the fields and make POSTs