
Thread: [RESOLVED] prevent massive ajax requests in PHP

  #1 (member since Mar 2012)

    [RESOLVED] prevent massive ajax requests in PHP

    Hi everyone!!

    Maybe this is a stupid question.

    Let's suppose I have a login system for users, and that logged-in users can insert text posts into the database using Ajax requests. A logged-in user can use Firebug to post a big amount of posts to the database.

    How can I prevent this? That is, how can I prevent a user from using client-side JavaScript to post a big amount of Ajax requests? I am using PHP as the server language.

    I could use a CSRF token, but once the user has the token on the client side, he/she could use the token to perform thousands of Ajax requests.

    Thank you very much!!

  #2 (member since Aug 2004)
    You could set some kind of token (CSRF or other) and save it in $_SESSION, and then also track in $_SESSION the number of requests against that token and/or the last request time. Then for any request using the token, in addition to checking whether it's valid, you could also add criteria with whatever logic/throttling you like, to reject requests when your logic points to misuse (perhaps regenerating the token at that point?).
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
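The approach in the post above, as an added example that is not code from the thread or from any poster: a CSRF token stored in the session, a per-token request counter and last-request timestamp kept alongside it, and token regeneration once the counter shows misuse. The limit of 20 requests per 60-second window, the `X-CSRF-Token` header name and the `$_SESSION` key names are assumptions for illustration; the functions take the store as a parameter so the logic can be walked through from the command line with a plain array standing in for `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. A CSRF token lives in the session;
// every AJAX request must present it, and the session also records how many
// times the token has been used in the current window and when it was last
// used. Past the limit the token is regenerated, which invalidates the copy
// the client is hammering with. Limits and key names are assumptions.

const MAX_REQUESTS_PER_WINDOW = 20;   // assumed policy
const WINDOW_SECONDS          = 60;   // assumed policy

/** Create a fresh token and reset its counters. $store is $_SESSION in the app. */
function issueToken(array &$store, int $now): string
{
    $store['ajax_token']        = bin2hex(random_bytes(32));
    $store['ajax_count']        = 0;
    $store['ajax_window_start'] = $now;
    $store['ajax_last_request'] = null;
    return $store['ajax_token'];
}

/**
 * Validate the presented token and apply the throttle.
 * Returns true if the request may proceed, false if it must be rejected.
 */
function checkAjaxRequest(array &$store, ?string $presented, int $now): bool
{
    // The token must exist server-side and match byte for byte (constant time).
    if (!isset($store['ajax_token']) || $presented === null
        || !hash_equals($store['ajax_token'], $presented)) {
        return false;
    }

    // Fixed window: once WINDOW_SECONDS have passed, start counting again.
    if ($now - $store['ajax_window_start'] >= WINDOW_SECONDS) {
        $store['ajax_window_start'] = $now;
        $store['ajax_count']        = 0;
    }

    $store['ajax_count']++;
    if ($store['ajax_count'] > MAX_REQUESTS_PER_WINDOW) {
        // Misuse: rotate the token. The client has to reload the page that
        // embeds it before any further request can succeed.
        issueToken($store, $now);
        return false;
    }

    $store['ajax_last_request'] = $now;
    return true;
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through with a plain array standing in for $_SESSION.
    $session = [];
    $token   = issueToken($session, 1000);
    $allowed = 0;
    for ($i = 0; $i < 25; $i++) {
        if (checkAjaxRequest($session, $token, 1000 + $i)) {
            $allowed++;
        }
    }
    // 20 requests pass, the 21st trips the limit and rotates the token,
    // and the remaining 4 fail because the old token no longer matches.
    echo "allowed: $allowed of 25\n";
    echo 'old token still valid: ',
        var_export(checkAjaxRequest($session, $token, 1030), true), "\n";
} else {
    // Endpoint wiring (assumed: the token arrives in an X-CSRF-Token header
    // and the page that rendered the form called issueToken() earlier).
    session_start();
    $presented = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!checkAjaxRequest($_SESSION, $presented, time())) {
        http_response_code(429);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'rejected']);
        exit;
    }
    // ... insert the post here ...
}
```

Because the counter lives in the session, it is reset whenever the client starts a new session, so this is a nuisance barrier against a single abusive browser rather than a hard limit; a limit that must hold across logins has to be keyed on something the client cannot discard, such as the user id or the client address.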

  #3 (member since Mar 2012)
    Hi NogDog, thank you for your answer!

    I see what you mean. But I think there is a problem with tracking the number of requests in $_SESSION. The user could clear the cookies and session values, log in again, and begin to perform massive requests. Let me know if I am right or if I am speaking rubbish, because I am not sure of this and I am not an expert.

    Thanks a lot!

  #4 (member since Aug 2004)
    First off, I'd say that denial-of-service attacks are probably better handled at the firewall than in the application code (and as such they get pretty far outside my comfort zone in terms of knowledge).

    That being said, the user can't touch the actual session data, as that is stored on the server. They could, however, keep clearing the session cookie so that the app creates a new session, though that would then assume they would need to call the initial page again so that it would create a new token or whatever it is that is tracked in the session data. If you really feel you need to handle such a situation, then you're probably limited to IP address tracking, with the problems that can create (different users coming from the same IP, e.g.).

    Maybe you could throttle requests by the above tracking of requests in $_SESSION, and as the number increases, start adding proportional delays to responses? Or maybe just track the time of the last request, and if the difference is less than some arbitrary amount, inject a delay of a couple seconds?

    But if some script kiddie feels the need to swamp your server, I do feel you're getting into something that's more firewall and network related than application code related.
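The IP-address tracking and proportional delays suggested in the post above, as an added example that is not code from the thread or from any poster. The counter is kept in a server-side store keyed by the logged-in user's id, falling back to the client address for anonymous requests, so clearing the session cookie and logging in again (the concern raised in #3) does not reset it. The JSON file store, the limits and the `$_SESSION['user_id']` key are assumptions for illustration; a real deployment would use Redis, APCu or similar.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Requests are counted per identity
// (user id, or client IP for anonymous requests) in a locked JSON file on the
// server. Over a free allowance the response is delayed in proportion to the
// excess; over a hard limit it is rejected. All limits are assumptions.

const WINDOW_SECONDS = 60;
const FREE_REQUESTS  = 10;      // no delay up to this many per window
const HARD_LIMIT     = 60;      // reject outright beyond this
const DELAY_STEP_US  = 250000;  // 250 ms per request over the free allowance
const DELAY_CAP_US   = 3000000; // never stall a worker longer than 3 s

/** Key the counter on identity, not on the session. */
function clientKey(array $server, ?int $userId): string
{
    if ($userId !== null) {
        return 'user:' . $userId;
    }
    // Only REMOTE_ADDR is trustworthy here. X-Forwarded-For is client
    // supplied unless your own reverse proxy overwrites it, and several
    // users may legitimately share one address (NAT, corporate proxy).
    return 'ip:' . ($server['REMOTE_ADDR'] ?? 'unknown');
}

/**
 * Sliding-log counter in a locked JSON file. Returns the number of requests
 * from $key in the last WINDOW_SECONDS, including the current one.
 */
function recordHit(string $file, string $key, int $now): int
{
    $fh = fopen($file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot lock $file");
    }
    $raw = stream_get_contents($fh);
    $log = $raw === '' ? [] : (json_decode($raw, true) ?? []);

    // Drop timestamps outside the window for every key so the file stays small.
    $cutoff = $now - WINDOW_SECONDS;
    foreach ($log as $k => $times) {
        $kept = array_values(array_filter($times, fn(int $t) => $t > $cutoff));
        if ($kept === []) {
            unset($log[$k]);
        } else {
            $log[$k] = $kept;
        }
    }

    $hits   = $log[$key] ?? [];
    $hits[] = $now;
    // Keep only the newest HARD_LIMIT + 1 entries: beyond that the decision
    // is already "reject", and a flood must not be allowed to grow the file.
    $log[$key] = array_slice($hits, -(HARD_LIMIT + 1));

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($log));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return count($log[$key]);
}

/** Map a hit count to [action, delay in microseconds]. */
function decide(int $hits): array
{
    if ($hits > HARD_LIMIT) {
        return ['reject', 0];
    }
    if ($hits > FREE_REQUESTS) {
        return ['delay', min(DELAY_CAP_US, ($hits - FREE_REQUESTS) * DELAY_STEP_US)];
    }
    return ['allow', 0];
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through: one user, 13 requests in the same second.
    $file = tempnam(sys_get_temp_dir(), 'throttle');
    $key  = clientKey(['REMOTE_ADDR' => '203.0.113.7'], 42);   // "user:42"
    for ($i = 1; $i <= 13; $i++) {
        [$action, $us] = decide(recordHit($file, $key, 1000));
        echo "request $i: $action", $us ? sprintf(' (%.2fs)', $us / 1e6) : '', "\n";
    }
    // requests 1-10: allow; 11: delay 0.25s; 12: delay 0.50s; 13: delay 0.75s
    unlink($file);
} else {
    // Endpoint wiring (assumed: $_SESSION['user_id'] is set at login).
    session_start();
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    $key    = clientKey($_SERVER, $userId);
    [$action, $us] = decide(recordHit(sys_get_temp_dir() . '/ajax-throttle.json', $key, time()));
    if ($action === 'reject') {
        http_response_code(429);
        exit;
    }
    if ($action === 'delay') {
        usleep($us);   // holds a PHP worker for the duration; keep DELAY_CAP_US small
    }
    // ... handle the request ...
}
```

One caveat on the delay idea: `usleep()` keeps a PHP worker process busy for the whole delay, so against a client that opens many connections in parallel it makes the server easier to exhaust, not harder. A delay is a reasonable nuisance for one abusive browser; against a real flood the cheap move is the early 429, and the bulk of the traffic is better dropped in front of PHP, at the web server or firewall, as the post says.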

  #5 (member since Mar 2005)
    This isn't really my area of expertise, but I do have a few ideas. Since this seems to be something that requires a user to be logged in first, perhaps you could simply have a limit of requests per minute (for example, we'll say one). Thus a user who is logged in will send an AJAX request, and the server will check their last request and decide whether they can write a new post to the database or not.

    A similar solution is to merely check the last post time for a user and only let them make a new post in the database every 60 seconds or so (similar to what this forum does).

    Of course, in both cases I suppose you could still worry about a large number of requests that will cause your PHP to read the database a large number of times, putting stress on the server. In this case I'd suggest something along the lines of what NogDog mentioned in terms of tracking requests per minute in $_SESSION and simply exiting if a certain number of requests per minute is hit.

    Ultimately you can't stop anyone from spamming requests to your server. Whether they use Firebug (or any dev console) to actually run AJAX requests or they build an application to do it, the requests will still be made to your server. In your original post your concern seemed to be with adding posts to your database, and in this case you shouldn't have too much trouble modifying your code to prevent the spamming of records in the database. Your server could still be spammed, but it'll be up to your PHP code to decide whether it should ignore the request or write it to the database (based on suggestions mentioned in this topic). Good luck (but I don't think it'll be too much of a problem).
    "Given billions of tries, could a spilled bottle of ink ever fall into the words of Shakespeare?"
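The "check the last post time for a user" rule from the post above, as an added example that is not code from the thread or from any poster. The rule is enforced against the posts table itself, so it holds regardless of what the client does with its session, and the existence check and the insert are a single statement so that two requests racing each other cannot both get through. The in-memory SQLite database, the table layout and the 60-second interval are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Enforces "one new post per user
// per MIN_POST_INTERVAL seconds" with an INSERT that only fires when the
// user has no newer row, so the check and the write are atomic. SQLite in
// memory and the table layout are assumptions for illustration.

const MIN_POST_INTERVAL = 60;   // assumed policy, in seconds

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (
        id         INTEGER PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        body       TEXT    NOT NULL,
        created_at INTEGER NOT NULL
    )');
    // The throttle query looks up (user_id, created_at); index it so a flood
    // of rejected requests does not turn into a table scan each time.
    $db->exec('CREATE INDEX posts_user_time ON posts (user_id, created_at)');
    return $db;
}

/**
 * Insert the post only if this user has nothing newer than the interval.
 * Returns true if a row was written, false if the user must wait.
 */
function tryInsertPost(PDO $db, int $userId, string $body, int $now): bool
{
    $stmt = $db->prepare(
        'INSERT INTO posts (user_id, body, created_at)
         SELECT :uid, :body, :now
         WHERE NOT EXISTS (
             SELECT 1 FROM posts
             WHERE user_id = :uid_check AND created_at > :cutoff
         )'
    );
    $stmt->execute([
        ':uid'       => $userId,
        ':body'      => $body,
        ':now'       => $now,
        ':uid_check' => $userId,
        ':cutoff'    => $now - MIN_POST_INTERVAL,
    ]);
    return $stmt->rowCount() === 1;
}

/** Seconds until the user may post again, 0 if they may post now. */
function secondsUntilAllowed(PDO $db, int $userId, int $now): int
{
    $stmt = $db->prepare('SELECT MAX(created_at) FROM posts WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $last = $stmt->fetchColumn();
    if ($last === null || $last === false) {
        return 0;
    }
    return max(0, (int) $last + MIN_POST_INTERVAL - $now);
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through with fixed timestamps.
    $db = openDb();
    var_dump(tryInsertPost($db, 7, 'first post', 1000));   // true
    var_dump(tryInsertPost($db, 7, 'too soon',   1030));   // false, 1000 is within 60 s
    echo secondsUntilAllowed($db, 7, 1030), " seconds to wait\n";   // 30
    var_dump(tryInsertPost($db, 8, 'other user', 1030));   // true, different user
    var_dump(tryInsertPost($db, 7, 'after wait', 1061));   // true, interval elapsed
}
```

In SQLite a single statement is atomic, which is what makes the `INSERT ... SELECT ... WHERE NOT EXISTS` form race-free. On MySQL or PostgreSQL the same query should run inside a transaction that locks the user's row first (`SELECT ... FOR UPDATE` on the users table), or two requests arriving in the same instant can both pass the existence check. The `secondsUntilAllowed()` lookup is only for a friendly error message; the decision itself must stay inside the insert.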

  #6 (member since Mar 2012)
    NogDog, I did not know that these things could be handled at the firewall level. I think this is a very good solution.

    Thank you very much to all of you!!
