Anti flood : session or db stocking ips

Question

Hi, right now I'm using an antiflood function in all my websites :

function flood($name,$time)
{
 $name = 'tmptmptmp'.$name;
 if(!isset($_SESSION[$name]))
 {
  $_SESSION[$name] = time();
  return true;
 }
 else
 {
  if(time()-$time > $_SESSION[$name])
  {
   $_SESSION[$name] = time();
   return true;
  }
  else
  {
   return false;
  }
 }
}

I use it this way :

if(flood('post',60)) do something;
else 'you're posting too fast';

Is this way safe ? Or do I need to replace it/complete it with a db table stocking ips and checking if they did a request earlier ?

Answer 1

It depends. How likely are your users going to clear their cookies to get past your anti-flood protection? I'll say that if they have to login again, 99% of the users won't even bother.

But sure, if you really want better method, store the ips in the DB. But even that can be defeated by getting a new IP.