How to prevent automatic AJAX attacks

How to prevent USER from using automatic messages / spam?

Here is my way to do this: a new PHP session for every page request, which has its limitations (there is no multitasking).

I used a new session for each page as protection against CSRF and automatic attacks. Let's say we have a forum that uses AJAX to publish threads, and we test it using the PHP session.

add_answer.php?id=123

<?php
session_start(); // the token lives in the PHP session, so the session must be started first

// function that determines whether the request is from ajax (http header stuff)
function is_ajax() {
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

if (!is_ajax()) {
    $_SESSION['token'] = md5(rand()); // a fresh token on every normal (non-AJAX) page load
}
// some ajax request to ajax.php?id=123&token=<the token above>
?>

ajax.php?id=123

<?php
session_start(); // needed to read the token stored by add_answer.php

// guard against a missing token on either side, and compare in constant time
// (a loose == on hex strings is subject to PHP's numeric-string juggling)
if (isset($_SESSION['token'], $_GET['token'])
    && hash_equals($_SESSION['token'], (string) $_GET['token'])) {
    echo 'MYSQL INSERT stuff';
} else {
    echo 'Invalid Request';
}
?>

, page.php? id = 456 , ajax " " ajax.php? id = 123 , . , / - . - , . ?

, AJAX?

PS:

  • captchas.
  • Google - .
  • .
  • , , , , , .
+5
3
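As an added example (not the asker's code and not from any answer here), the same idea with the two weaknesses of the question's version removed: the token comes from the CSPRNG instead of md5(rand()), and it is issued once per session rather than once per page load, so a user with several tabs open is not locked out (the "no multitasking" limitation above). The file names page.php and ajax.php, the header name X-CSRF-Token and the handle_ajax_post() helper are assumptions for the illustration; the X-Requested-With check is kept only as the courtesy the page describes, since that header is as easy to set as a cookie.

```php
<?php
// Added example, not the original poster's code.
// Assumed layout: page.php emits the token into the HTML; ajax.php checks it
// before any database write. Names of files, header and helpers are assumed.

declare(strict_types=1);

/** Return this session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG; md5(rand()) is both predictable and short.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only if $candidate equals the session token; constant-time compare. */
function csrf_check(?string $candidate): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($candidate === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $candidate);
}

/** Courtesy check only: X-Requested-With is as easy to fake as a cookie. */
function is_ajax(): bool
{
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// page.php: publish the token for the page's own scripts, e.g.
//   echo '<meta name="csrf-token" content="' . htmlspecialchars(csrf_token()) . '">';
// and the page's JavaScript sends it back on every AJAX call:
//   const t = document.querySelector('meta[name=csrf-token]').content;
//   fetch('ajax.php?id=123', {method: 'POST',
//       headers: {'X-CSRF-Token': t, 'X-Requested-With': 'XMLHttpRequest'},
//       body: new URLSearchParams({text: '...'})});

// ajax.php: verify before touching the database.
function handle_ajax_post(): array
{
    // State-changing requests are POST only; a GET can be fired by an <img> tag.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return ['status' => 405, 'body' => 'Method Not Allowed'];
    }
    // Prefer the custom header: a cross-site HTML form cannot add one, and a
    // cross-origin script cannot add one without a CORS preflight.
    $token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_POST['token'] ?? null);
    if (!csrf_check($token)) {
        return ['status' => 403, 'body' => 'Invalid Request'];
    }
    // ... MYSQL INSERT stuff (prepared statement) goes here ...
    return ['status' => 200, 'body' => 'OK'];
}

if (PHP_SAPI !== 'cli') {
    $r = handle_ajax_post();
    http_response_code($r['status']);
    echo $r['body'];
}
```

The session-wide token is enough against classic CSRF because the attacker's page cannot read it; what it does not do is stop a logged-in user (or a script running as one) from posting quickly, which is a rate-limiting problem rather than a token problem.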

, , , , . , .

-, , , . ( , , , .) , , :

  • .
  • .
  • .
  • 1.

(, , , " AJAX" , . , - ID PHPSESSID cookie.)

, -, . , , CSRF.

CSRF, , , , . CSRF , .

TL; DR: . .


! , , . : .

. CSRF. .

. . .

, Form A Form B, -CSRF (CSRF ), ( ). - .

, , . , . , , .

+2

DoS, , , hashcash ( PHP JavaScript).

, , hashcash - , , . , , , .

, , hashcash ( , , -, , ), (- -), , .

, API AJAX , API.

+1

USER /?

, . . , CSRF. , , .

: , "" "". , . . SO .

:

  • x y , DB ", ". , .
  • - , , , - deny DB ", " ", ". "", , .
  • , , . "" .

, , , , . db, , .

In the “HTTP Header” note, the headers are intended only to work out the best guess and courtesy of what the client is requesting. They are as hard to fake as cookies, and cookies are just a click away. And honestly, I personally would not have another way.

+1
