Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Old 01-23-2014, 05:20 PM   #1
sarettah
see you later, I'm gone
 
Industry Role:
Join Date: Oct 2002
Posts: 14,078
Business (sort of): Protecting an ajax called page from abuse?

Ok, here's the deal.

I am calling a page via ajax. That page is the content for the main page. I decided to do it via ajax just for the smoother user interaction, so that I don't have to reload the entire page on every refresh. Also there are some javascript routines that may be running that would be reset (go away) if I do a fresh page call.

I want to protect this page from being called by anything except the main page of the site. As it is, I think the page is ripe to be used as a DDoS attack mechanism against the site.

The front page is flat html. I would prefer not to bring php in there but if I have to I will.

Solutions I have investigated:

1. checking for a cookie. Good solution but can be faked out. However, if I do the cookie check I have a bunch of rewriting to do, as the cookie set I have in there takes place after the initial ajax call, so the cookie does not exist at the time of the call.

2. htaccess referer protection, or checking the referer in the script called via ajax. Again, can be faked, and also those folks who have the referer disabled will not be able to use the site.

3. session/token generation and passing. This would require me to put php into the front html page. It is also easy to get around, since I am not running on https, so token values would be passed in a readable form.

So, anybody have any ideas or solutions they have used?

Thanks in advance
__________________
All cookies cleared!
Old 01-23-2014, 05:57 PM   #2
valeriyCE
Registered User
 
Industry Role:
Join Date: Jul 2013
Posts: 82
Wouldn't calling your ajax page 1000 times technically be the same as an individual calling any of your other pages 1000 times? Unless you are running hard queries on that ajax page you will be fine; if you are, then block by IP/count/time.
Old 01-23-2014, 06:07 PM   #3
Miguel T
♦ Web Developer ♦
 
Industry Role:
Join Date: May 2005
Location: Full-Stack Developer
Posts: 12,470
I would use #3 ...
Since PHP Sessions are server-side, how could those be "hacked"?

On the AJAX page, all you would have to do is see if that Session var was set, if not: die() , else ... do whatever it needs to do.
__________________

Full Stack Webdeveloper: HTML5/CSS3, jQuery, AJAX, ElevatedX, NATS, MechBunny, Wordpress
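The session gate from #3 and the count/time block from #2, worked through in one endpoint as an added example. This is not code from the thread or from sarettah's site; the file name, the session keys front_seen and ajax_hits, and the limits are assumptions. It assumes the front page has been converted from flat HTML to PHP and does session_start() followed by $_SESSION['front_seen'] = time() before emitting any HTML.

```php
<?php
// ajax_content.php -- the page the front page fetches via AJAX.
// Added example, not code from the thread. Assumes the front page (index.php)
// calls session_start() and sets $_SESSION['front_seen'] = time() before any
// HTML is sent. Key names, file name and limits are assumptions. PHP 7.4+.
declare(strict_types=1);

const RATE_WINDOW_SECONDS = 60;  // sliding window length
const RATE_MAX_REQUESTS   = 30;  // AJAX calls allowed per session per window

session_start();

// 1. Session gate (post #3). The session id travels in a cookie the browser
//    attaches on its own, so no token is written into the page or the URL.
//    A forged cookie buys nothing: the server only honours session ids it
//    created itself, and only those that went through the front page.
if (empty($_SESSION['front_seen'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Count/time limit (post #2). The gate alone does not stop flooding:
//    an attacker can load the front page once, keep the session cookie and
//    replay it against this URL. Cap how often one session gets this far.
$now  = time();
$hits = $_SESSION['ajax_hits'] ?? [];
$hits = array_values(array_filter(
    $hits,
    fn(int $t): bool => $t > $now - RATE_WINDOW_SECONDS   // keep in-window hits only
));
if (count($hits) >= RATE_MAX_REQUESTS) {
    $_SESSION['ajax_hits'] = $hits;
    session_write_close();
    http_response_code(429);
    header('Retry-After: ' . RATE_WINDOW_SECONDS);
    exit('too many requests');
}
$hits[] = $now;
$_SESSION['ajax_hits'] = $hits;

// Release the session file lock before the expensive part; otherwise every
// request from the same browser serializes behind this one.
session_write_close();

// 3. Real content generation goes here.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');
echo '<p>content refreshed at ', date('H:i:s', $now), '</p>';
```

On the timing worry from the first post: the Set-Cookie for the session rides on the response that carries the front page itself, so the browser already holds it when the page's first AJAX request goes out; nothing has to be set after the call. On scope: a per-session or per-IP cap only bounds what one client can do to the endpoint. It does not absorb a flood from many addresses, which is the case where a proxy in front of the application (post #4) rather than application code has to do the work.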
Old 01-23-2014, 06:23 PM   #4
Firestarter30
Confirmed User
 
Industry Role:
Join Date: Sep 2010
Location: The Land Of Gods
Posts: 167
As far as DDoS attacks are concerned, you should use HAProxy in front, since it takes care of that automatically, not only for scalability but also for safety.
Old 01-23-2014, 06:47 PM   #5
sarettah
see you later, I'm gone
 
Industry Role:
Join Date: Oct 2002
Posts: 14,078
Quote:
Originally Posted by valeriyCE View Post
Wouldn't calling your ajax page 1000 times technically be the same as an individual calling any of your other pages 1000 times? Unless you are running hard queries on that ajax page you will be fine; if you are, then block by IP/count/time.
Yes, it would in essence, I guess. Lol. I may be being too paranoid. Been seeing security and attack holes everywhere these days and I am just trying to make this as tight as possible. Thanks.

Quote:
Originally Posted by AbsolutePorn View Post
I would use #3 ...
Since PHP Sessions are server-side, how could those be "hacked"?

On the AJAX page, all you would have to do is see if that Session var was set, if not: die() , else ... do whatever it needs to do.
Hmm, you are right. Head has been down in code too long. I was envisioning passing under the sheets, so to say. But yes, I could probably do session tracking and switch the front from flat htm to php.

Thanks for the answer.

Quote:
Originally Posted by Firestarter30 View Post
As far as DDoS attacks are concerned, you should use HAProxy in front, since it takes care of that automatically, not only for scalability but also for safety.
Thanks for the suggestion.
__________________
All cookies cleared!

Last edited by sarettah; 01-23-2014 at 06:49 PM..