Rails app on Heroku - Please recommend defensive programming techniques

I've just put a Rails ap开发者_JAVA百科p live on heroku.com which services some touchscreen kiosks and have had my first taste of malicious users with some bogus service bookings. I would like some suggestions on audit data which I can log to help me to track down or otherwise discourage or prevent such malicious activities.

Some brief background - I have designed a Rails based website which is targeted towards the Tourist industry and allows customers to book accommodation and other tourist related services such as boat trips. We run this application on touchscreen kiosks (think 6.5 foot tall units with 40" touch screens) and email notifications of bookings to service providers.

What I'm looking for is suggestions on things that I can record at the point of bookings (and other transactions) taking place so that I can help to authenticate valid bookings and record details which can be used later to trace these bogus bookings. I might then add this information to a black-list to block these machines from creating further problems.

I'm already recording the request.remote_ip address but would ideally like to be able to record the hostname of the remote_ip as well since the IP address might change dynamically. Is this possible? Should I create a random key and store it as a cookie to identify each client machine uniquely?

I'm not looking to prosecute every person who makes a bogus booking, I just want to be able to discourage, prevent or track such malicious activity and would appreciate any suggestions on how best I can do this.

Many thanks, Craig.

The question is a bit vague I think. You need to look at what you know: what actually IS a non-valid bogus booking? How did you personally figure out that some particular booking was bogus? Did someone tell you, did you figure it out from the data yourself?

You first need to gather all the bits and pieces you have of bogus bookings, and if there is a pattern then that is what you implement as a filter. I mean if someone knew a booking was bogus, why did your system not know it?

Logging IP addresses and hostnames is kind of futile..you'll never catch whoever did it this way. Why not validate up-front with credit card numbers or minimum a confirmed e-mail address? If you have an up-front credit card number then you have a direct link to the person for disputes and/or blocking further attempts by card number. IP addresses are too hard to track.

An IP address can be converted to a hostname by a reverse lookup, but if the IP changes the hostname changes too. If you alreay log an IP, you can always do a reverse lookup later, but I don't really see the value of knowing the host name(?).