Let’s suppose that you have a website that contains a single button.
When this button is pushed, an ajax request is sent to the server – who receives the request and adds 1 in an internal counter on its database.
An user could copy the entire request (and its headers) and create a script to send infinite requests to overload the server (and mess with the counter).
I’m trying to avoid:
- Recording the user IP
- Using Captcha
I’m using php in my back-end. Is there any way to prevent this situation? Is there some way to send an “invisible” request?
Your problem is called “cross site request forgery”.
A good way to solve this problem is to generate a random string when the page with the button on it is called, write it into the users session and into the generated page, and send it together with your button press (for example in a GET request).
On the backend side you check if the submitted string matches with the string in the users session and then delete the string from the session. Only proceed if both strings matched and weren’t empty.
This way every request URL is only valid one time and only valid for the user who initially opened the page with the button on it.