[RESOLVED] prevent massive ajax requests in PHP
Maybe this is a stupid question.
Let's suppose I have a login system for users, and that logged-in users can insert text posts into the database using Ajax requests. A logged-in user could use Firebug to post a large number of posts into the database.
I could use a CSRF token, but once the user has the token on the client side, she/he could use the token to perform thousands of Ajax requests.
Thank you very much!!
You could set some kind of token (CSRF or other) and save it in $_SESSION, and then also track in $_SESSION the number of requests against that token and/or the last request time. Then for any request using the token, in addition to checking if it's valid, you could also add criteria with whatever logic/throttling you like, to reject requests when your logic points to misuse (perhaps regenerating the token at that point?).
Hi NogDog, thank you for your answer!
I see what you mean. But I think there is a problem with tracking the number of requests in $_SESSION. The user could clear the cookies and session values, log in again, and begin to perform massive requests. Let me know if I am right or I am speaking rubbish, because I am not sure of this and I am not an expert.
Thanks a lot!
First off, I'd say that denial of service attacks are probably better handled at the firewall than in the application code (and as such get pretty far outside my comfort zone in terms of knowledge).
That being said, the user can't touch the actual session data, as that is stored on the server. They could, however, keep clearing the session cookie so that the app creates a new session, though that would then assume they would need to call the initial page again so that it would create a new token or whatever that is tracked in the session data. If you really feel you need to handle such a situation, then you're probably limited to IP address tracking, with the problems that can create (different users coming from the same IP, e.g.).
Maybe you could throttle requests by the above tracking of requests in $_SESSION, and as the number increases, start adding proportional delays to responses? Or maybe just track the time of the last request, and if the difference is less than some arbitrary amount, inject a delay of a couple seconds?
But if some script kiddie feels the need to swamp your server, I do feel you're getting into something that's more firewall and network related than application code related.
This isn't really my area of expertise but I do have a few ideas. Since this seems to be something that requires a user to be logged in first, then perhaps you could simply have a limit of requests per minute (for example we'll say one). Thus a user who is logged in will send an AJAX request, the server will check their last request and decide if they can write a new post to the database or not.
A similar solution is to merely check the last post time for a user and only let them make a new post in the database every 60 seconds or so (similar to what this forum does).
Of course in both cases I suppose you could still worry about a large number of requests that will cause your PHP to read the database a large number of times, putting stress on the server. In this case I'd suggest something along the lines of what NogDog mentioned in terms of tracking requests per minute in $_SESSION and simply exiting if a certain number of requests per minute is hit.
Ultimately you can't stop anyone from spamming requests to your server. Whether they use Firebug (or any dev console) to actually run AJAX requests or they build an application to do it, the requests will still be made to your server. In your original post your concern seemed to be with adding posts to your database, and in this case you shouldn't have too much trouble modifying your code to prevent the spamming of records in the database. Your server could still be spammed but it'll be up to your PHP code to decide if it should ignore the request or write it to the database (based on suggestions mentioned in this topic). Good luck (but I don't think it'll be too much of a problem).
"Given billions of tries, could a spilled bottle of ink ever fall into the words of Shakespeare?"
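The throttle NogDog describes (tracking request count and last request time) and the "last post time per user" check from the post above, combined into one PHP class as an added example that is not from any poster in this thread. It keys the counter on the logged-in account id rather than on $_SESSION, so clearing the session cookie does not reset it; the in-memory array store, the `PostThrottle` name and the sample timestamps are constructed for the demo, and a real app would back the store with a database table or APCu/Redis.

```php
<?php
// Added example: per-account throttle for an AJAX "create post" endpoint.
// Assumes the request is already authenticated and $userId is known.
// The store is an in-memory array here (constructed for the demo); in
// production back it with a DB table or APCu/Redis keyed by account id.

final class PostThrottle
{
    private array $store = [];

    public function __construct(
        private int $maxPerWindow = 3,   // posts allowed per sliding window
        private int $windowSeconds = 60, // sliding window length
        private int $minGapSeconds = 10  // minimum gap between two posts
    ) {}

    /** Returns null if the post may be written, or a rejection reason. */
    public function check(int $userId, int $now): ?string
    {
        $times = $this->store[$userId] ?? [];
        // Keep only timestamps still inside the sliding window.
        $times = array_values(array_filter(
            $times, fn(int $t) => $t > $now - $this->windowSeconds
        ));
        $this->store[$userId] = $times;
        if ($times !== [] && $now - end($times) < $this->minGapSeconds) {
            return 'too soon since last post';
        }
        if (count($times) >= $this->maxPerWindow) {
            return 'rate limit exceeded';
        }
        $this->store[$userId][] = $now; // accepted: record this post
        return null;
    }
}

// In the real handler: if check() returns a reason, send
// http_response_code(429) and exit before touching the database.
$throttle = new PostThrottle();
$userId = 42;          // constructed account id
$t0 = time();
foreach ([0, 5, 12, 25, 40, 55, 70] as $offset) {
    $reason = $throttle->check($userId, $t0 + $offset);
    echo "t+{$offset}s: " . ($reason ?? 'accepted') . PHP_EOL;
}
// t+0 accepted, t+5 too soon, t+12/25 accepted, t+40/55 rate limit
// exceeded, t+70 accepted again once t+0 leaves the 60 s window.
```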
NogDog, I did not know that these things could be handled at the firewall level. I think this is a very good solution.
Thank you very much to all of you!!