Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How can I limit my php file that I use in ajaxRequest.open to be accessed through specific pages?
I want to use something like sessions to prevent remote form posting becuase many guessed passwords for a username can be checked through this way.
I know checking referrer is not a secure idea.
Is auto blocking based on IP a secure one?
Is it a good idea to check if it is posted through Ajax and if not deny it because no one can remote post through Ajax? Is it really secure?
thanks in advance
You are mixing things up. AJAX relies on the HTTP protocol (eg:
POST,GET) to work. So using AJAX will not stop people from forging queries. There is a header calledHTTP_X_REQUESTED_WITH, but like anything coming from the client, it should not be trusted.The concern about remote AJAX posting is related more to an exploit known as Cross-site remote forgery, or CSRF. One way to prevent this is by using CSRF tokens (read the wiki page). The problem you (seem to be) describing is something else.
When dealing with logins, I like to implement different failure thresholds:
If you are trying to login to an account and fail X times, you will be greeted with a CAPTCHA. This will prevent people from using bots to brute force a password, without inconveniencing (too much) legitimate users.
If you fail X+Y times, the account will be locked for a Z amount of time.
If it looks like a lot of failed logins are coming from your IP, it will be blocked.