Business (sort of): Protecting an ajax called page from abuse?
Ok, here's the deal.
I am calling a page via ajax. That page is the content for the main page. I decided to do it via ajax just for the smoother user interaction, so that I don't have to reload the entire page on every refresh. Also there are some javascript routines that may be running that would be reset (go away) if I do a fresh page call.
I want to protect this page from being called by anything except the main page of the site. As it is I think the page is ripe to be used as a DDOS attack mechanism against the site.
The front page is flat html. I would prefer not to bring php in there but if I have to I will.
Solutions I have investigated:
1. checking for a cookie. Good solution but can be faked out. However, if I do the cookie check I have a bunch of rewriting to do, as the cookie set I have in there takes place after the initial ajax call, so the cookie does not exist at the time of the call.
2. htaccess - referer protection or checking referer in the script called via ajax. Again, it can be faked, and also those folks who have the referer disabled will not be able to use the site.
3. session/token generation and passing. This would require me to put php into the front html page. It is also easy to get around since I am not running on https so token values would be passed in a readable form.
So, anybody have any ideas or solutions they have used?
Thanks in advance
__________________
All cookies cleared!
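The session/token approach from option 3, as an added example that is not part of the original post: the main page (assumed here to be served as index.php so it can embed the token) mints a per-session token, and the ajax-only endpoint rejects any request that does not present it in a custom header, then applies a small per-session rate limit. Names such as content.php, X-Ajax-Token and the limit values are hypothetical; over plain http the token is still readable on the wire, as the post notes, so this stops casual cross-site triggering and per-session abuse rather than a determined attacker.

```php
<?php
// Added example (not from the original post): guards an ajax-only endpoint
// with a per-session token plus a simple per-session rate limit.
// Assumes index.php embeds issueToken() into the page and the client sends it
// back as a header, e.g. fetch('content.php', {headers: {'X-Ajax-Token': t}}).
declare(strict_types=1);
session_start();

const MAX_REQUESTS   = 30;  // hypothetical: allowed hits per window, per session
const WINDOW_SECONDS = 60;  // hypothetical: window length

// Called from the main page: returns the session's token, creating it once.
function issueToken(): string
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// Called at the top of the ajax-only endpoint. True only if the caller sent
// this session's token and has not exceeded the rate limit.
function checkAjaxRequest(array $headers, int $now): bool
{
    // A custom header cannot be set by a plain link, <img> or form post, so a
    // bare cross-site GET never carries it; hash_equals avoids timing leaks.
    $sent     = $headers['X-Ajax-Token'] ?? '';
    $expected = $_SESSION['ajax_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }

    // Sliding window: keep only timestamps inside the current window.
    $hits = $_SESSION['ajax_hits'] ?? [];
    $hits = array_values(array_filter($hits, fn($t) => $t > $now - WINDOW_SECONDS));
    if (count($hits) >= MAX_REQUESTS) {
        $_SESSION['ajax_hits'] = $hits;
        return false;
    }
    $hits[] = $now;
    $_SESSION['ajax_hits'] = $hits;
    return true;
}

// Endpoint usage (content.php): refuse anything that fails the check.
if (!checkAjaxRequest(getallheaders(), time())) {
    http_response_code(403);
    exit;
}
// ... emit the page content here ...
```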