HTML 表单身份验证以防止垃圾邮件/POST 攻击
我想知道是否有一个好的解决方案来防止自动表单提交/POST 攻击。
是否可以添加一个带有令牌生成的服务器端的表单字段,该字段对于网站上显示的每个表单都是唯一的,但有一种方法可以检查该令牌是否确实是由我的应用程序而不是用户生成的,而无需将所有令牌保存到数据库中?
IMO 如果应用程序可以知道数据来自应用程序生成的表单(这意味着它使用了只有应用程序知道的逻辑),那么它将继续处理表单。
对于这样的算法有什么建议吗?
编辑:换句话说,我可以生成一个字符串吗:
1)当我收到回复时,我可以识别出我生成的字符串,
2)知道它只使用过一次,
3)需要用户太多次尝试在客户端生成此类字符串,
4) 该字符串不必由应用程序保留
I am wondering if there's a good solution for preventing automated form submissions / POST attacks.
Would it be possible to add a form field with a token generated server side that would be unique for each form displayed on the site, but with a way to check if this token was indeed generated by my app and not by user, without having to save all tokens to a database?
IMO if app can know that data comes from a form generated by the app (meaning that it used logic only known to the app), than it would go on to process form.
Any suggesting for such an algorithm?
EDIT: In other words, can I generate a string that:
1) when I receive back, I can recognize as string that I generated,
2) know that it's been used only once,
3) would take user too many attempts to generate such string on the client side,
4) this string does not have to be persisted by the application
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可能会对 Hashcash 感兴趣。我试图通过对某些评论进行多次投票来在博客上作弊,但当我发现这种方法对于人类生成该值来说有点复杂时,我放弃了。
You'll probably be interested in Hashcash. I tried to cheat on a blog by multiple voting some comment, but I gave up when I saw that this method is a bit complicated for humans to generate that values.