通过$ _SESSION防止大量表单提交

时间:2022-11-24 09:22:12

If I'm getting bombed by a .NET program created in C# - bombed as in the user is submitting the $_POST fields on my form in mass quantities... It's specifically my contact form.

如果我被C#中创建的.NET程序轰炸 - 被轰炸,因为用户正在大量提交我的表单上的$ _POST字段......这是我的联系表单。

I'm not sure how exactly the mass $_POST occurs in the .NET program or it even could be a c++ program, I have no idea. However I had an idea to counter this.

我不确定.NET程序中质量$ _POST究竟是如何发生的,或者它甚至可能是一个c ++程序,我不知道。但是我有一个想法来反击这个。

My first idea requires $_SESSION but... Would those $_POST bombing program(s) the user created handle/accept a $_SESSION? I really don't want to find out but maybe someone with experience with the WebClient class in C# would know if it handled $_SESSION'S or whatever it is the user is using. I was considering using $_SESSION['submitted'] = $count; and another part of $count++;

我的第一个想法需要$ _SESSION但是...用户创建的那些$ _POST轰炸程序是否处理/接受$ _SESSION?我真的不想知道,但也许有C#中WebClient类经验的人会知道它是否处理$ _SESSION'或者用户使用的是什么。我在考虑使用$ _SESSION ['submitted'] = $ count; $ count ++的另一部分;

if($_SESSION['submitted'] > 5) {
    //display captcha or block from site
} else {
    $count++;
}

If the user's program didn't handle a $_SESSION is there anyway possible I can disable the site to them? So they can't attack my contact form?

如果用户的程序没有处理$ _SESSION,那么有可能我可以禁用它们的网站吗?所以他们不能攻击我的联系表格?

4 个解决方案

#1


2  

Bypassing the session lockout is trivial for a malicious user. Just delete the session cookie after each POST and they get a brand new clean session with the limit reset.

绕过会话锁定对于恶意用户来说是微不足道的。只需在每次POST后删除会话cookie,他们就会获得一个带有限制重置的全新清洁会话。

The only secure way to block a user such as this is to start throttling their IP address. Limit it to a certain number of connection attempts per minute and they won't be able to submit than that many requests per minute. Now, if they can hop between hosts then you've got a bigger problem, and should probably look at moving your form elsewhere so all they get is a 404 (until they notice it's moved).

阻止用户的唯一安全方法是开始限制其IP地址。将其限制为每分钟一定数量的连接尝试,并且它们将无法提交每分钟多次请求。现在,如果他们可以在主机之间跳转那么你就会遇到更大的问题,并且应该考虑将你的表单移到其他地方,这样他们得到的只是404(直到他们注意到它被移动)。

The downside is if they're using a common proxy or somethign like AOL which proxies EVERYTHING, you'd be blocking other legitimate users as well.

不利的一面是,如果他们使用的是通用代理或者代理一切代理的AOL,那么你也会阻止其他合法用户。

#2


0  

Well you can put some security barriers like a login form or some other form of authentication (like browser check or the like)

那么你可以设置一些安全障碍,如登录表单或其他形式的身份验证(如浏览器检查等)

Aside from that the only think i can think of is to block the incoming IP, which then again might not be a good idea

除此之外,我能想到的唯一想法就是阻止传入的IP,这可能也不是一个好主意

#3


0  

Someone can correct me if I'm wrong, but SESSION stores a cookie (or some other way) with the session id (a very long hash string), The SESSION variables are stored on the server. So even if they handled SESSIONs they would have no control over the server stored SESSION variables.

如果我错了,有人可以纠正我,但是SESSION使用会话ID(一个非常长的哈希字符串)存储cookie(或其他方式),SESSION变量存储在服务器上。因此,即使他们处理了SESSION,他们也无法控制服务器存储的SESSION变量。

If I were you, I'd set CAPTCHA to always be on...

如果我是你,我会把CAPTCHA设置为永远...

#4


0  

What about just implementing the CAPTCHA?

刚刚实施CAPTCHA怎么样?

#1


2  

Bypassing the session lockout is trivial for a malicious user. Just delete the session cookie after each POST and they get a brand new clean session with the limit reset.

绕过会话锁定对于恶意用户来说是微不足道的。只需在每次POST后删除会话cookie,他们就会获得一个带有限制重置的全新清洁会话。

The only secure way to block a user such as this is to start throttling their IP address. Limit it to a certain number of connection attempts per minute and they won't be able to submit than that many requests per minute. Now, if they can hop between hosts then you've got a bigger problem, and should probably look at moving your form elsewhere so all they get is a 404 (until they notice it's moved).

阻止用户的唯一安全方法是开始限制其IP地址。将其限制为每分钟一定数量的连接尝试,并且它们将无法提交每分钟多次请求。现在,如果他们可以在主机之间跳转那么你就会遇到更大的问题,并且应该考虑将你的表单移到其他地方,这样他们得到的只是404(直到他们注意到它被移动)。

The downside is if they're using a common proxy or somethign like AOL which proxies EVERYTHING, you'd be blocking other legitimate users as well.

不利的一面是,如果他们使用的是通用代理或者代理一切代理的AOL,那么你也会阻止其他合法用户。

#2


0  

Well you can put some security barriers like a login form or some other form of authentication (like browser check or the like)

那么你可以设置一些安全障碍,如登录表单或其他形式的身份验证(如浏览器检查等)

Aside from that the only think i can think of is to block the incoming IP, which then again might not be a good idea

除此之外,我能想到的唯一想法就是阻止传入的IP,这可能也不是一个好主意

#3


0  

Someone can correct me if I'm wrong, but SESSION stores a cookie (or some other way) with the session id (a very long hash string), The SESSION variables are stored on the server. So even if they handled SESSIONs they would have no control over the server stored SESSION variables.

如果我错了,有人可以纠正我,但是SESSION使用会话ID(一个非常长的哈希字符串)存储cookie(或其他方式),SESSION变量存储在服务器上。因此,即使他们处理了SESSION,他们也无法控制服务器存储的SESSION变量。

If I were you, I'd set CAPTCHA to always be on...

如果我是你,我会把CAPTCHA设置为永远...

#4


0  

What about just implementing the CAPTCHA?

刚刚实施CAPTCHA怎么样?