Prevent DoS attack of submitting ajax forms



dolittle
24 Aug 2009, 4:14 AM
Hi,

Web frameworks sometimes attach a unique id to forms to prevent automatic submitting of forms that might flood the server and db. When the user loads the html page the server attaches the unique form id to it, and when the user submits the form it checks if the id is valid.

Is it possible to use a similar approach in an ajax application?
For example, a todo list app has several forms that are being sent using ajax.
The user might send the same form several times without reloading the page, so the server
doesn't get a chance to attach a unique id to the form.
In addition, there might be a case where the user submits a second form before the second one is fully processed, so we can rely on refreshing the form id with the ajax response.

I'd appreciate thoughts on this issue.

Thanks

24 Aug 2009, 4:51 AM

In either paradigm, I see the workaround (for a hacker) is to use a tool like wget to pull a unique ID and perform a submit, etc. I believe this is more of an 'open discussion' topic than an Ext JS specific problem.

24 Aug 2009, 4:52 AM
Btw, the crux (unless I'm wrong) of your question relates to web security. Have you looked at online security forums to learn from?