I’ve created a simple script that allows a user to post a message, question or discussion on my site. I’ve not got anything online yet so I can’t show you, but one thing I don’t want is registration.
I want a simple, streamlined and quick way for anybody to come on to my site and post a message, to which others can respond (also without registration).
My question is about security. I’ve made it so that a person may edit their own message only if the following conditions are met:
- The IP address
($_SERVER['REMOTE_ADDR'])matches the one used to ask the question (I store it in the database). - No more than 20 minutes have elapsed.
I want to know how easy this would be to break, and how I can make it stronger. I’m an absolute newby when it comes to security and I’ll state now I have no real interest in this side of development, I’m more of a client/server developer, but my strong point is JavaScript.
I’m not too clued up on networking either. How easy is it to spoof an IP address and also how common is it to find two users with identical addresses? I am thinking about making a session ID which will be stored in a temporary database as a third clause that must exist in order for edits to take place. Of course this means users will not be able to leave the site and come back to edit.
Could anyone give me some advice on the best way to proceed?
Note: I want to make it clear that I absolutely do not want registration, which would eliminate this problem entirely. I want a free to use, public site that anyone can simply come along and use.
Note 2: I’ve also taken care of the bot problem with a simple piece of JavaScript requiring the user to interact with the site (quicker than CAPTCHA), so no worries here.
Kind regards.
AFAIK your approach is correct, and you could combine it with a cookie to avoid the multiple-users-on-same-ip problem (of course state this on your site).