Business (sort of): Protecting an ajax called page from abuse?

[sarettah]

Ok, here's the deal.

I am calling a page via ajax. That page is the content for the main page. I decided to do it via ajax just for the smoother user interaction so that I don't have to reload the entire page on all refresh. Also there are some javascript routines that may be running that would be reset (go away) if I do a fresh page call.

I want to protect this page from being called by anything except the main page of the site. As it is I think the page is ripe to be used as a DDOS attack mechanism against the site.

The front page is flat html. I would prefer not to bring php in there but if I have to I will.

Solutions I have investigated:

1. checking for a cookie. Good solution but can be faked out. However, if I do the cookie check I have a bunch of reweriting to do as the cookie set I have in there takes place after the initial ajax call so the cookie does not exist at the time of the call.

2. htaccess - referer protection or checking referer in the script called via ajax. Again, can be faked and also have those folks that have referer disabled will not be able to use the site.

3. session/token generation and passing. This would require me to put php into the front html page. It is also easy to get around since I am not running on https so token values would be passed in a readable form.

So, anybody have any ideas or solutions they have used?

Thanks in advance

[valeriyCE]

Wouldnt technically calling your ajax page 1000 times be the same as an individual calling any of your other pages 1000 times? unless you are running hard queries on that ajax page you will be fine, if you are then block by ip/count/time.

[Miguel T]

I would use #3 ...
Since PHP Sessions are server-side, how could those be "hacked"?

On the AJAX page, all you would have to do is see if that Session var was set, if not: die() , else ... do whatever it needs to do.

[Firestarter30]

As far as DDOS attacks concerned , you should use Haproxy in the front since it takes care of that automatically, not only for scalability but also for safety.

[sarettah]

Quote:

Originally Posted by valeriyCE

Wouldnt technically calling your ajax page 1000 times be the same as an individual calling any of your other pages 1000 times? unless you are running hard queries on that ajax page you will be fine, if you are then block by ip/count/time.

Yes, it would in essence I guess. Lol. I may be being too paranoid. been seeing security and attack holes everywhere these days and I am just trying to make this as tight as possible. Thanks

Quote:

Originally Posted by AbsolutePorn

I would use #3 ...
Since PHP Sessions are server-side, how could those be "hacked"?

On the AJAX page, all you would have to do is see if that Session var was set, if not: die() , else ... do whatever it needs to do.

Hmm. you are right. Head has been down in code too long. I was envisioning passing under the sheets so to say. but yes, I could probably do session tracking and switch the front from flat htm to php.

Thanks for the answer.

Quote:

Originally Posted by Firestarter30

As far as DDOS attacks concerned , you should use Haproxy in the front since it takes care of that automatically, not only for scalability but also for safety.

Thanks for the suggestion.