I have some measures in place to block bots or malicious users from abusing my booking form as follows:
1. Add their IP address into the form on the first page and then, on page 2, read it into the SESSION.
2. When they process payment, check their IP address against the one in the SESSION to validate they have gone through the process and not just a bot POSTing directly to the process payment page – IF no IP found, redirect back to first page.
3. Each time the process payment page is requested, increment the IP address counter and if they reach 5 attempts – Add their IP address to blacklist and also add their email to bannedEmails list.
This works ok BUT I have noticed that legitimate users are also being blocked because no SESSION is present.
I have the form sitting on domain1.com and it is loaded into an iframe over the wordpress site.
I have two other websites – domain2.com and domain3.com – which both load the same form from domain1.com into an iframe over their respective websites, but I found that Chrome won't allow SESSIONs to be created cross-site, so users were getting blocked. So now I just open the booking page directly from each of these sites into a new browser window.
This seemed to fix the problem in testing BUT some SESSIONS are still not being loaded.
Why is the SESSION only randomly generated, and how can I either force the SESSION or use an alternate method of validation?
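The flow check described in the question depends on a session cookie, and a cookie set inside a cross-site iframe is only sent by Chrome when it carries `SameSite=None; Secure`, and is increasingly blocked outright as a third-party cookie, which is consistent with sessions appearing only some of the time. One cookie-free alternative is a signed flow token: page 1 embeds an HMAC-signed, time-limited token as a hidden field, and the payment handler accepts the POST only if the token verifies, so a bot POSTing directly without first loading the form is redirected exactly as in the original design. The example below is added here to illustrate that approach and is not the asker's code; it is written in Python rather than the PHP the `SESSION` references suggest, and `SECRET_KEY`, `issue_flow_token`, `verify_flow_token`, `PaymentGate` and the `flow_token` field name are all assumed names. It also generalizes the original attempt counter by keying it on the token's nonce rather than the client IP, since many legitimate users share one IP behind NAT or a corporate proxy and an IP-keyed counter blocks them together.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side signing secret (constructed placeholder; load from configuration in a real deployment).
SECRET_KEY = b"example-only-replace-with-32-random-bytes"
TOKEN_TTL_SECONDS = 30 * 60   # a booking flow should complete well within this window
MAX_ATTEMPTS_PER_TOKEN = 5    # mirrors the original five-attempt limit, keyed per token instead of per IP


def issue_flow_token(secret: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Mint the token that page 1 embeds as a hidden form field (assumed name: flow_token).

    Layout, all ASCII: "<unix-ts>:<nonce>:<hex-hmac>", then URL-safe base64.
    Nothing here depends on a cookie, so it is unaffected by cross-site iframe cookie rules.
    """
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    payload = f"{ts}:{nonce}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b":" + mac.encode()).decode()


def verify_flow_token(token: str, secret: bytes = SECRET_KEY, now: Optional[int] = None,
                      ttl: int = TOKEN_TTL_SECONDS) -> Optional[str]:
    """Return the token's nonce if signature and age check out, otherwise None.

    Malformed input (bad base64, wrong field count, non-numeric timestamp) is a
    failed check, not an exception, so a garbage POST cannot crash the handler.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        ts_b, nonce_b, mac_hex = raw.split(b":")   # exactly three fields or ValueError
        ts = int(ts_b)
    except (ValueError, TypeError, AttributeError):  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(secret, ts_b + b":" + nonce_b, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac_hex):  # constant-time compare
        return None
    current = int(time.time()) if now is None else now
    if ts > current + 60 or current - ts > ttl:      # future-dated (beyond skew) or expired
        return None
    return nonce_b.decode()


class PaymentGate:
    """Stands in for the process-payment page: token check replaces the IP-in-SESSION check."""

    def __init__(self, secret: bytes = SECRET_KEY):
        self.secret = secret
        self.attempts: dict = {}   # nonce -> attempt count; use a shared store (DB/Redis) in production

    def process_payment(self, form: dict, now: Optional[int] = None) -> str:
        token = form.get("flow_token")
        nonce = verify_flow_token(token, self.secret, now) if token else None
        if nonce is None:
            return "redirect:page1"   # direct POST, tampered or expired token: same outcome as the original redirect
        count = self.attempts.get(nonce, 0) + 1
        self.attempts[nonce] = count
        if count >= MAX_ATTEMPTS_PER_TOKEN:
            return "blocked"          # the point at which the original design blacklists the client
        return "charge"
```

Because the token carries its own timestamp and signature, the server keeps no state at all until the payment step, and the only per-client state is the small attempt counter. If the form stays in an iframe, the hidden field travels with the POST regardless of Chrome's cookie policy; if a cookie-backed session is still wanted for other reasons, it must be set with `SameSite=None; Secure` over HTTPS to be sent cross-site.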