Question

How can I limit my php file that I use in ajaxRequest.open to be accessed through specific pages?

I want to use something like sessions to prevent remote form posting because many guessed passwords for a username can be checked through this way.

I know checking referrer is not a secure idea. Is auto blocking based on IP a secure one?

Is it a good idea to check if it is posted through Ajax and if not deny it because no one can remote post through Ajax? Is it really secure?

Thanks in advance.


Solution

You are mixing things up. AJAX relies on the HTTP protocol (e.g. POST, GET) to work. So using AJAX will not stop people from forging queries. There is a header called HTTP_X_REQUESTED_WITH, but like anything coming from the client, it should not be trusted.

The concern about remote AJAX posting is related more to an exploit known as Cross-site remote forgery, or CSRF. One way to prevent this is by using CSRF tokens (read the wiki page). The problem you (seem to be) describing is something else.

When dealing with logins, I like to implement different failure thresholds:

  • If you are trying to login to an account and fail X times, you will be greeted with a CAPTCHA. This will prevent people from using bots to brute force a password, without inconveniencing (too much) legitimate users.

  • If you fail X+Y times, the account will be locked for a Z amount of time.

  • If it looks like a lot of failed logins are coming from your IP, it will be blocked.
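As an added example, not code from the original answer: a PHP 7.4+ sketch of the three thresholds described above (CAPTCHA after X failures, lock for Z seconds after X+Y, block of a noisy IP) together with the CSRF token check the answer points to. The array-backed store, the threshold values and the captchaSolved() helper are assumptions for illustration.

```php
<?php
// Added example (not from the original post): tiered login-failure thresholds
// plus a CSRF token check for the endpoint that ajaxRequest.open calls.
// Storage is a plain array here; a real deployment would use a DB, Redis or APCu.
const X_CAPTCHA   = 3;    // failures on one account before a CAPTCHA is demanded (X)
const Y_LOCK      = 3;    // further failures (X+Y total) before the account locks (Y)
const Z_LOCK_SECS = 900;  // lock duration in seconds (Z)
const IP_LIMIT    = 20;   // failures from one IP, any account, before the IP is blocked
// $store keys: "acct:<user>" and "ip:<addr>" => ['fails' => int, 'until' => unix time]
function loginState(array $store, string $user, string $ip, int $now): string {
    $a = $store["acct:$user"] ?? ['fails' => 0, 'until' => 0];
    $i = $store["ip:$ip"] ?? ['fails' => 0];
    if ($i['fails'] >= IP_LIMIT)  return 'ip_blocked';  // third bullet: noisy IP
    if ($a['until'] > $now)       return 'locked';      // second bullet: X+Y, for Z
    if ($a['fails'] >= X_CAPTCHA) return 'captcha';     // first bullet: X failures
    return 'ok';
}
function recordFailure(array &$store, string $user, string $ip, int $now): void {
    $store["acct:$user"] ??= ['fails' => 0, 'until' => 0];
    $store["ip:$ip"]     ??= ['fails' => 0];
    $store["ip:$ip"]['fails']++;
    $a = &$store["acct:$user"];
    $a['fails']++;
    if ($a['fails'] >= X_CAPTCHA + Y_LOCK) {
        $a['until'] = $now + Z_LOCK_SECS;   // lock the account for Z seconds
        $a['fails'] = X_CAPTCHA;            // still require a CAPTCHA once unlocked
    }
}
function recordSuccess(array &$store, string $user): void {
    unset($store["acct:$user"]);   // a correct login clears the account counter
}
// CSRF token: kept server-side in the session, echoed into the page/JS, and
// compared in constant time on every POST, so another origin cannot forge the request.
function csrfToken(array &$session): string {
    $session['csrf'] ??= bin2hex(random_bytes(32));
    return $session['csrf'];
}
function csrfValid(array $session, ?string $submitted): bool {
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}
// Order of checks in the endpoint (session_start(), $store loading and a
// hypothetical captchaSolved() helper are assumed):
//   if (!csrfValid($_SESSION, $_POST['csrf'] ?? null)) { http_response_code(403); exit; }
//   $state = loginState($store, $user, $_SERVER['REMOTE_ADDR'], time());
//   if ($state !== 'ok' && $state !== 'captcha')       { http_response_code(429); exit; }
//   if ($state === 'captcha' && !captchaSolved($_POST)) { /* re-prompt with CAPTCHA */ }
//   verify the password, then recordSuccess(...) or recordFailure(...)
```

The per-IP counter should be keyed on the address the web server actually connected from, not on an X-Forwarded-For value, unless a trusted proxy sets that header.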

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow