Reputation: 1045
Consider this scenario:
A client sells data in which they want to allow a number of free lookups to anyone visiting their site. However, they want to prevent someone from getting the entire 300,000+ records in an attempt to compete with them. Also, putting a cap on the number of legitimate free lookups in any given session is desirable.
For bots, these are not ruled out, but I'm looking for alternatives: CAPTCHA (would like to avoid for the sake of client experience), using a simple honeypot (maybe, but trying to beef it up a bit).
Any major holes in the following? -- (or a different direction altogether?)
I'm considering using a counter to track (and limit) the number of lookups. I would update the count on the client (hidden field) and on the server (probably session) to make sure they are in sync each time a post is made. Knowing a bot would likely populate the "count" field, I would also increment it by 3 (or anything) to make it hard to predict. If what the client sends doesn’t match the session value, they're sent to Siberia... or perhaps a verification page. If it’s a human, then they cap out at x/3.
Feedback appreciated
Upvotes: 0
Views: 120
Reputation: 20691
Not sure why you need to keep track on the client and server side, but simply handing a cookie that never expires to your visitors will help you keep track of their activity on the server side. The client-side tracking is just a lot of extra work that you don't need to put yourself through.
Upvotes: 0
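Added example (editor's code, not from either poster or the client's site): a small offline simulation of the lookup cap described in the question, with the hidden-field counter kept in sync with a server-side session counter and incremented by 3, next to the cookie-only variant the answer suggests. The `LookupService` class, the cap of 5 lookups, the client functions and the HTTP-less dict "form" are all assumptions for illustration. Three simulated clients exercise it: an honest browser that hits the cap, a bot that edits the hidden field (guessing +1), and a bot that re-posts a stale form.

```python
"""Simulation of a per-session free-lookup cap.

Editor's added example; the service, the constants and the fake clients are
assumptions, not the questioner's or answerer's code.  The questioner's scheme
(hidden field mirrored in a server-side session, stepped by 3, compared on every
POST) and the answer's cookie-only variant sit side by side.
"""
import secrets

STEP = 3          # questioner's increment; any value a bot would not guess works
MAX_LOOKUPS = 5   # free lookups per session; human "caps out at x/3" with x = STEP * MAX_LOOKUPS
CAP_VALUE = STEP * MAX_LOOKUPS


class LookupService:
    """Server side. Sessions are keyed by an opaque cookie value."""

    def __init__(self):
        self._sessions = {}  # cookie -> current counter value

    def new_session(self) -> str:
        """Hand out a fresh session cookie (the answer's 'cookie that never expires')."""
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = 0
        return cookie

    def render_form(self, cookie: str) -> dict:
        """The page served to the browser: the hidden 'count' field mirrors the session."""
        return {"count": self._sessions[cookie]}

    def lookup(self, cookie: str, form: dict) -> str:
        """Questioner's scheme: POST handler comparing the hidden field with the session.

        In a real form the value arrives as a string and must be parsed first.
        """
        if cookie not in self._sessions:
            return "no-session"
        expected = self._sessions[cookie]
        if form.get("count") != expected:
            return "verify"          # out of sync: "Siberia" / verification page
        if expected >= CAP_VALUE:
            return "capped"
        self._sessions[cookie] = expected + STEP
        return "result"

    def lookup_cookie_only(self, cookie: str) -> str:
        """Answerer's variant: same cap, tracked purely server-side, no hidden field."""
        if cookie not in self._sessions:
            return "no-session"
        if self._sessions[cookie] >= CAP_VALUE:
            return "capped"
        self._sessions[cookie] += STEP
        return "result"


def honest_client(svc: LookupService, n: int) -> list:
    """A browser that submits the form exactly as it was served, n times."""
    cookie = svc.new_session()
    outcomes = []
    for _ in range(n):
        outcomes.append(svc.lookup(cookie, svc.render_form(cookie)))
    return outcomes


def tampering_client(svc: LookupService) -> str:
    """A bot that assumes the counter steps by 1 and edits the hidden field."""
    cookie = svc.new_session()
    svc.lookup(cookie, svc.render_form(cookie))   # one legitimate lookup, server now at STEP
    return svc.lookup(cookie, {"count": 1})       # guessed value does not match


def replaying_client(svc: LookupService) -> str:
    """A bot that re-posts the first form it received instead of the freshly served one."""
    cookie = svc.new_session()
    stale = svc.render_form(cookie)
    svc.lookup(cookie, stale)
    return svc.lookup(cookie, stale)


def cookie_dropping_client(svc: LookupService, wanted: int) -> tuple:
    """A bot that discards its cookie whenever it is capped.

    Returns (lookups obtained, sessions consumed).  Both variants are bound to
    the session, so the cap restarts with every fresh cookie.
    """
    got, sessions = 0, 1
    cookie = svc.new_session()
    while got < wanted:
        if svc.lookup(cookie, svc.render_form(cookie)) == "capped":
            cookie = svc.new_session()
            sessions += 1
        else:
            got += 1
    return got, sessions
```

The tampering and replaying clients show what the sync check in the question actually catches: any client that does not echo back the exact value the server last served. The `cookie_dropping_client` is the editor's caveat on both designs as described on the page: since the counter lives in the session (with or without the hidden field), a client that starts a new session is back to zero, so the cap bounds lookups per cookie, not per visitor.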
Reputation: 1045
For those looking... this answered the question:
Toward Viable CAPTCHA Alternatives By Peter Bromberg
Upvotes: 1