How to secure Ajax link requests?

2018-04-16 admin

Alpha2k asked a question: How to secure Ajax link requests? It may be similar to the problem you are facing.


While you can not control this 100%… there are a few options…

Try using the same methods that people use with Captcha scripts…

Basically when the user loads the form / page… You generate a random string/id in their PHP session and store it… When they send the ajax requests, have your ajax check also append the string/id, and require it before allowing a check to perform, else return a header of 500 or something…

Using this approach with sessions, you could set an allowed limit of checks (say 5) and once the user has tried more than 5 checks, they are required to reload the page or perform a human check (eg Captcha)… Then it resets their count… Even allow a total of say 30 within 1 hour / per IP or something.

Also use smart events to trigger when the ajax check is done, eg field/tab change or on a button press… Or when a valid email is detected… but say it would trigger twice.

Basically this way, even if someone sniffed your JS files and tried to automate the email checker… It would require them finding a way to append the string/id that you generate and also limit their amount of requests performed.

Beyond this, there is not too much more you can do easily… But there are still a few other ideas.

Most of them would work around using a PHP session / cookie… Say for example if they check and find 3 email addresses… Then again you set that as a limit and force them to require a manual submission or something.

See how the above suggestion goes for you, any questions, do feel free to ask. But it may take me a day or two to reply as it's the weekend… Also research how Captcha scripts work, as there is plenty of source code for them… As they work on the same idea.

Time Delays will simply look bad / make your site appear slow / bug the user with waiting for a response.

You need to limit the amount of lookups per session / ip address… Otherwise there is always a way to get past these checks… Basically once they hit a limit… Force the user/ip/session to wait a few minutes/hours and verify them with a Captcha script so it can not be scripted…

Javascript Security / Hiding The Source

While you can not do this truly, you can do certain things: generate the JS using a PHP page with a JS header… so <script src='myjscode.php'></script> and this allows PHP to check for a valid session… So it stops external requests to an extent… But this is mostly useful for allowing JS to be only available behind a membership/login…

Multiple Checks / If Possible In This Case

Depending on your approach, is this for a user to check if they already have an account? If so… you could combine the email check with something like their name/country/age/dob … So they would need to select two or three correct matching values before being able to get a check/response from the ajax call?

Maybe not in your case, but just thought would add this as well.
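The per-session token and lookup-limit scheme described in the answer above, as an added PHP example (not the answerer's code and not from any project the page names). The endpoint name check_email.php, the session keys ajax_token, lookups and captcha_passed, the limits, and the file-based per-IP counter are all assumptions made for the example; the email list at the bottom is constructed sample data standing in for a real lookup.

```php
<?php
// Added example: token + rate-limited AJAX email check (assumed endpoint: check_email.php).
declare(strict_types=1);

const LOOKUP_LIMIT   = 5;     // checks per session before a reload/CAPTCHA is demanded
const IP_LIMIT       = 30;    // checks per IP within the rolling window
const WINDOW_SECONDS = 3600;  // one hour

/** Called by the page that renders the form: mints the per-session token once. */
function issue_ajax_token(): string
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(16)); // 128-bit random id
        $_SESSION['lookups']    = 0;
    }
    return $_SESSION['ajax_token'];
}

/** Constant-time comparison so the token cannot be guessed byte by byte. */
function token_is_valid(?string $presented): bool
{
    $expected = $_SESSION['ajax_token'] ?? '';
    return $presented !== null && $expected !== '' && hash_equals($expected, $presented);
}

/** Per-IP sliding-window counter; a small temp file stands in for a DB/Redis store. */
function ip_over_limit(string $ip): bool
{
    $file = sys_get_temp_dir() . '/ajax_rate_' . hash('sha256', $ip);
    $now  = time();
    $hits = is_file($file) ? (json_decode((string) file_get_contents($file), true) ?: []) : [];
    $hits = array_values(array_filter($hits, fn(int $t): bool => $t > $now - WINDOW_SECONDS));
    $hits[] = $now;
    file_put_contents($file, json_encode($hits), LOCK_EX);
    return count($hits) > IP_LIMIT;
}

/** Constructed sample data standing in for the real account lookup. */
function email_exists(string $email): bool
{
    $known = ['alice@example.com', 'bob@example.com'];
    return in_array(strtolower($email), $known, true);
}

// ---- request handling (only when served over HTTP) ----
if (PHP_SAPI !== 'cli') {
    session_start();
    header('Content-Type: application/json');

    // 1. The token minted at page load must accompany every AJAX call.
    if (!token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        echo json_encode(['error' => 'bad or missing token']);
        exit;
    }

    // 2. Per-session limit: after LOOKUP_LIMIT checks, demand a CAPTCHA (set by an
    //    assumed separate handler that sets $_SESSION['captcha_passed'] = true).
    if (($_SESSION['lookups'] ?? 0) >= LOOKUP_LIMIT) {
        if (empty($_SESSION['captcha_passed'])) {
            http_response_code(429);
            echo json_encode(['error' => 'too many checks, captcha required']);
            exit;
        }
        $_SESSION['lookups'] = 0;            // CAPTCHA solved: reset the count
        unset($_SESSION['captcha_passed']);
    }

    // 3. Per-IP limit over the last hour.
    if (ip_over_limit($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0')) {
        http_response_code(429);
        echo json_encode(['error' => 'rate limit exceeded']);
        exit;
    }

    $_SESSION['lookups'] = ($_SESSION['lookups'] ?? 0) + 1;
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    echo json_encode(['exists' => $email !== false && email_exists($email)]);
}
```

The form page calls session_start() and issue_ajax_token(), and embeds the returned value (HTML-escaped) in a hidden field or data attribute that the page's JavaScript posts along with the email. Requests that lack the token get a 403 rather than a lookup, so a script that only replays the JS file without a live session learns nothing, and the two counters cap how many answers any one session or address can extract before a CAPTCHA is required.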
