Home/ Questions/Q 3803418
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T14:21:36+00:00

We currently host a lengthy form on our ASP.NET website, which makes use of

  • 0

We currently host a lengthy form on our ASP.NET website, which makes use of a public facing facade WCF service to submit information over SSL into our network through a number of other facade services, etc.

We’ve experienced some issues with downtime on the service chain, and because of this some users have been very frustrated that they complete the lengthy form, only to find out after the fact that the service isn’t up. Because of this, we are implementing a type of ping functionality on the form that will ping the service before the form is started, to ensure the service is up.

If the Ping() method is simply called during OnLoad of the form web page, there is potential for DOS attacks through for example a script that continually makes HTTP GET requests against the page.

My question is – From a conceptual level, what is the best way to ensure human interaction with the page while keeping it useable. For example, a CAPTCHA before the Ping() is called and form is started is way too intrusive even though it would be effective at ensuring the form is used properly. On the other hand simply allowing Ping() to fire OnLoad is far too risky for attacks.

One option I’ve considered is to have a button available to users which allows them to verify service availability and enable the form in one shot. This would at least be a balance between the two. I’m asking for your input on ideas for how best to balance this approach. Any asp.net, c#, or javascript/ajax based answers are fine.

Lastly – I also know there are flaws to this approach of checking service availability as there is no guarantee the service will be available by the time the form is filled out – but the decision has been made to use this approach so please keep your answers on point.

Thanks for the help and input in advance!

UPDATE 1:

In response to Josh’s answer below – I should clarify that the form data submitted is sensitive and cannot be cached on the server or stored locally for later submission if the service fails. This is why it is very important to give the user a preemptive heads up. The issues we’ve had with the services are not intermittent so if the Ping() comes back true, there is an extremely good chance the user will not experience issues submitting the form a few minutes later.

UPDATE 2:

  • The Ping() Method is currently a server-side c# method, not javascript.
  • The public facing WCF service is IP-restricted to only allow requests from the public web server
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Why don’t you just call Ping() when the submit button is pressed and if the service doesn’t respond then don’t submit the form and show an error.

    Something like this in jQuery. This assumses that Ping() returns true if the service is up, false otherwise:

    $('#myformid').submit(function() {
  var svcUp = Ping();

  if(!svcUp)
      alert("Sorry, there was an error submitting, please try again.");

  return svcUp;
});

    Unfortunately any public facing web service that has a low calling cost but high processing cost will be vulnerable to DOS attacks without some type of throttling.

    Thankfully WCF has some useful settings for controlling throttling, take a look at MaxConcurrentCalls, MaxConcurrentInstances, and MaxConcurrentSessions

    • 0