GoFuckYourself.com - Adult Webmaster Forum
#1
see you later, I'm gone
Join Date: Oct 2002
Posts: 14,078
Business (sort of): Protecting an ajax called page from abuse?
Ok, here's the deal.

I am calling a page via ajax. That page is the content for the main page. I decided to do it via ajax just for the smoother user interaction, so that I don't have to reload the entire page on every refresh. Also there are some javascript routines that may be running that would be reset (go away) if I do a fresh page call.

I want to protect this page from being called by anything except the main page of the site. As it is, I think the page is ripe to be used as a DDOS attack mechanism against the site. The front page is flat html. I would prefer not to bring php in there, but if I have to I will.

Solutions I have investigated:

1. Checking for a cookie. Good solution, but can be faked out. However, if I do the cookie check I have a bunch of rewriting to do, as the cookie set I have in there takes place after the initial ajax call, so the cookie does not exist at the time of the call.
2. htaccess - referer protection, or checking the referer in the script called via ajax. Again, can be faked, and also those folks that have the referer disabled will not be able to use the site.
3. Session/token generation and passing. This would require me to put php into the front html page. It is also easy to get around, since I am not running on https, so token values would be passed in a readable form.

So, anybody have any ideas or solutions they have used? Thanks in advance.
__________________
All cookies cleared!
#2
Registered User
Join Date: Jul 2013
Posts: 82
Wouldn't technically calling your ajax page 1000 times be the same as an individual calling any of your other pages 1000 times? Unless you are running hard queries on that ajax page you will be fine; if you are, then block by ip/count/time.
#3
♦ Web Developer ♦
Join Date: May 2005
Location: Full-Stack Developer
Posts: 12,470
I would use #3 ...
Since PHP Sessions are server-side, how could those be "hacked"? On the AJAX page, all you would have to do is see if that Session var was set; if not, die(), else ... do whatever it needs to do.
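One concrete shape for the session gate suggested in #3, with the ip/count/time throttle from #2 sitting beside it, as an added example that is not code from the thread. It assumes PHP 7.4 or later, that the fragment endpoint is called content.php, that the flat front page is now served through a tiny PHP wrapper that calls session_start() and sets $_SESSION['ajax_ok'] = true before emitting the HTML, and that the fragment itself lives in a static file fragment.html; all of those names and the limit values are assumptions.

```php
<?php
// content.php (assumed name): the fragment the front page fetches via AJAX.
// Added example, not code from the thread. Assumes the front page wrapper has
// already run session_start() and set $_SESSION['ajax_ok'] = true.

session_start();

// 1. Session gate (the check from #3). The flag lives only in a server-side
//    session created by the front page, so a request that arrives with no
//    session cookie, or with a cookie for a session that never loaded the
//    front page, is refused before any real work is done.
if (empty($_SESSION['ajax_ok'])) {
    http_response_code(403);
    exit;
}

// 2. Count/time throttle (the idea from #2), kept inside the session so it
//    needs no database. Limits are constructed values for the example.
const MAX_HITS = 30;   // requests allowed ...
const WINDOW   = 60;   // ... per this many seconds

$now = time();
// Keep only the timestamps that still fall inside the sliding window.
$hits = array_filter(
    $_SESSION['ajax_hits'] ?? [],
    fn(int $t): bool => $t > $now - WINDOW
);
if (count($hits) >= MAX_HITS) {
    http_response_code(429);
    header('Retry-After: ' . WINDOW);
    exit;
}
$hits[] = $now;
$_SESSION['ajax_hits'] = array_values($hits);

// 3. Only now produce the content the main page asked for.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');
readfile(__DIR__ . '/fragment.html');   // assumed name of the static fragment
```

The gate answers the question in #1: a caller that skipped the front page has no session carrying the flag, and nothing readable goes over the wire except the ordinary session cookie. It does not by itself stop a client that loads the front page once and then keeps replaying its cookie, which is why the per-session counter sits next to it. That counter is per cookie, not per address, so a proxy-level limit per IP of the kind #4 points at (HAProxy in front) remains the right place for the volume protection; the PHP checks are there to keep the endpoint from doing expensive work for requests that should never reach it.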
#4
Confirmed User
Join Date: Sep 2010
Location: The Land Of Gods
Posts: 167
As far as DDOS attacks are concerned, you should use HAProxy in front, since it takes care of that automatically, not only for scalability but also for safety.
#5
see you later, I'm gone
Join Date: Oct 2002
Posts: 14,078
Thanks for the answer. Thanks for the suggestion.
__________________
All cookies cleared!