While writing server code for resend confirmation page something came to my mind
Question
While writing server code for resend confirmation page something came to my mind: an attacker could make several requests to /resendemail?user=blah (example URL) and flood such user with registration emails (of course, as long as the user exists and hasn't confirmed their email).
My first idea was to limit requests per session; however, this can be bypassed very easily. A per-IP limit is too much trouble to implement and can be bypassed too (i.e. using several proxies), so I'm confident there must be something simple enough to mitigate this sort of exploit.
Explanation / Answer
Rate-limit on a per-user or per-email-address basis. Since re-sending confirmation emails is rare, setting the limit absurdly low (say, two re-sends per day) should be sufficient to keep from flooding a user.
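One way to implement the per-address limit from the answer, as an added example that is not part of the original post. The names `ResendLimiter` and `handle_resend`, the in-memory store, and the sliding 24-hour window are assumptions; a multi-process deployment would keep the counters in a shared store instead.

```python
import time
from collections import defaultdict, deque

MAX_RESENDS = 2             # the answer's suggested limit
WINDOW_SECONDS = 24 * 3600  # "per day", treated here as a sliding window


class ResendLimiter:
    """Counts re-sends per recipient address, not per session or per IP."""

    def __init__(self, max_resends=MAX_RESENDS, window=WINDOW_SECONDS,
                 clock=time.time):
        self.max_resends = max_resends
        self.window = window
        self.clock = clock                # injectable so tests can move time
        self._sent = defaultdict(deque)   # normalized address -> send times

    @staticmethod
    def key(email):
        # Normalize so case or whitespace variants share one counter.
        return email.strip().lower()

    def allow(self, email):
        now = self.clock()
        times = self._sent[self.key(email)]
        # Drop sends that have aged out of the window.
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.max_resends:
            return False
        times.append(now)
        return True


def handle_resend(limiter, pending, email, send_mail):
    """pending: set of unconfirmed addresses (hypothetical stand-in for a
    user table); send_mail: callable that delivers the confirmation."""
    address = limiter.key(email)
    if address not in pending:
        return "ignored"        # unknown or already confirmed: nothing to send
    if not limiter.allow(address):
        return "rate_limited"   # requester's session and IP are irrelevant
    send_mail(address)
    return "sent"
```

Because the counter is keyed on the recipient, requests arriving from fresh sessions or different proxies still draw from the same two-per-day budget.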