B Clark wrote:
Any other ideas you might have in protecting web apps from bots would be welcomed.
Don't invent your own security service. Use one that's been tested and proven. Pretty much every do-it-yourself login/authentication system I've seen has had major flaws. No small number of them resemble the stereotypical Western town movie sets, where all that exists is the front of the building, so all you have to do is (figuratively speaking) walk around to the side. Even the better ones tend to break down once they go into maintenance mode and people who don't understand the rules get their hands on the code.
J2EE has a built-in security framework that will actually block really offensive URL requests from even getting to the application at all. While there are things I could do to improve it, I've managed to use it - or frameworks based on it - for pretty much all my security needs, and I work in areas where security is a little more critical than some people's.
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.
