Question

I want to create a login page with a captcha code in PHP. After the user enters user/pass and the captcha code, he will be logged in. After that, some session and cookie data is stored in cookies. If someone exports these cookies and the session, imports them into a command-line browser like wget or elinks, and modifies the user-agent in the header (changing it to the same as the browser he logged in with once before), he can log in with that info without entering user and pass, and then make a loop 10000000 times refreshing a page in my application, causing useless processing on my server. How can I prevent this condition? One solution I thought of was to store $_SERVER['REQUEST_URI'] in the DB and keep a counter for each refresh; if the hits were more than 50 times in an hour, then I detect it as an attack. Is there another solution to prevent it?

Edit: it works with this parameter: session_regenerate_id(true);


Solution

To prevent this you can use the session_regenerate_id() function. This function can be used to regenerate/change the session ID of the current session. This might be useful if, for example, you want to refresh the session ID every 10 minutes or after changing the state of authenticity of a user associated with a session.
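A PHP sketch of the approach, added here and not part of the question or the answer: it sets the session cookie flags, calls session_regenerate_id(true) at login and again every 10 minutes, and adds the per-session hit counter the question proposes. The function names and the 50-per-hour threshold handling are assumptions; verifying the username, password and captcha is left to code not shown.

```php
<?php
// Added example, not code from the question or the answer. Assumes the
// username, password and captcha were verified by code not shown here.
const HITS_PER_HOUR = 50;  // the threshold the question proposes

// Make the session cookie harder to export or replay from another client.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Strict',
]);
session_start();
// Call once username, password and captcha have all been verified.
function login_user(int $userId): void
{
    // Issue a fresh session ID and delete the old session data, so an ID
    // captured before authentication does not carry the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

// Rotate the ID periodically as well, as the answer suggests (every 10 minutes).
function rotate_session_if_stale(int $interval = 600): void
{
    if (time() - ($_SESSION['rotated_at'] ?? 0) >= $interval) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

// Per-session hit counter over a rolling window; returns false once the limit
// is exceeded, after logging the event and destroying the session.
function throttle_request(int $limit = HITS_PER_HOUR, int $window = 3600): bool
{
    $now = time();
    if ($now - ($_SESSION['rl_start'] ?? 0) >= $window) {
        $_SESSION['rl_start'] = $now;
        $_SESSION['rl_hits']  = 0;
    }
    if (++$_SESSION['rl_hits'] > $limit) {
        error_log('rate limit exceeded for session ' . session_id());
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// On each protected page:
if (!throttle_request()) { http_response_code(429); exit('Too many requests'); }
rotate_session_if_stale();
```

A counter kept only in the session is reset when the client discards the cookie; keying it on the authenticated user ID in the database, as the question proposes, survives that and also lets you review the hits afterwards.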

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow