
Page load frequency

Hi there,

I need a function to prevent a page from being loaded too often too
fast.
So say, one is only allowed to refresh a single page 5 times in 10
seconds, or 10 times in 5 seconds (or whatever ... ).
If the load frequency exceeds that, the site calls exit(); And a
message is displayed. Just like Expression Engine does ...

This way I want to protect the DB from being queried ridiculously
often, and maybe even protect it from DDOS attacks.

I hope it's clear. I don't know where to start ..

Thanks!

Dec 13 '06 #1
Hi,

You have to implement some kind of counting mechanism when the page starts.
You can store the timestamp (now) in a database once the page runs, and
check if it has been accessed more than X times last Y seconds.
Just build it. :-)

Of course this check will slow down each request to the page a little, but
if the load of running the whole page is much higher, this may be worth the
time.

Regards,
Erwin Moller
Dec 13 '06 #2

Would this be a good thing to do with sessions?

Dec 13 '06 #3

Not to be stupid here, but I don't completely get one thing:

Say one can load 5 times in 5 seconds;

If someone loads the page at second 1, and then reloads three times
between second 3 and five, this would be 4 loads in 5 seconds. But if
then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
than) 5 seconds, though AFAIK your idea would have "approved" this.

How could I fix this?

Thanks!

Dec 13 '06 #4
I know that the Abyss web server has DOS attack protection settings. I
am not that familiar with Apache or IIS, but I guess you could instruct
your web server to deal with this.

Best regards

Dec 13 '06 #5
Hi,

first question: Session.
I was unsure if you wanted to protect against a single user or against all
users.
If you want to protect against a single user loading the page too much, you
should use session, BUT if that visitor wants to circumvent your
session logic, it is easy.
Here is why: If you want to use a session with a visitor you send along a
session ID with each request and response. The session ID is stored in the
URL or cookie.
Both can easily be manipulated by the visitor, so this will not really work.

It would make more sense to use the remote IP-address to maximize the number
of requests to your page.

Second question: How to implement the quota X times per Y secs?

just a rough idea based on IP:
create a table like this:
CREATE TABLE tblrequest(
IPnum text,
lastrequest datetime
)

Now above your script do this:
1) Get the remote IP
Use the remote address; read more here:
http://nl3.php.net/manual/en/function.getenv.php

2) delete from tblrequest ALL requests older than (now - Y secs)

3) check if this IP has already exceeded the quota:
Something like:
SELECT COUNT(IPnum) FROM tblrequest
WHERE (IPnum = '<IPnum found in step1>');

if the count exceeds X, exit, otherwise continue with the rest of the
script.
Hope this helps.

Regards,
Erwin Moller
Dec 14 '06 #6
Oops forgot to mention the obvious:
of course insert it in the table. :-)

INSERT INTO tblrequest (IPnum,lastrequest)
VALUES ('<IPnum found in step1>','now');

Regards,
Erwin Moller
Dec 14 '06 #7
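The quota scheme from posts #6 and #7 (delete what is older than Y seconds, count this IP's rows, refuse above X, record the request), worked through against the reload sequence frizzle worries about in #4. Because the count is taken over the last Y seconds at the moment of every request, the window slides and the six loads between seconds 1 and 7 are caught. This is an added example in Python with an in-memory SQLite table, not code from the thread; the addresses, the timestamps and the 5-per-5-seconds limit are constructed.

```python
import sqlite3
import time

# Constructed quota: X requests per Y seconds (the thread's "5 times in 5 seconds").
MAX_REQUESTS = 5   # X
WINDOW_SECS = 5.0  # Y


def open_store():
    """Create the thread's tblrequest table in an in-memory SQLite database.

    lastrequest is kept as a Unix timestamp (REAL) rather than a DATETIME so
    that "older than now - Y seconds" is plain arithmetic and sub-second
    reloads keep their order.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblrequest (IPnum TEXT NOT NULL, lastrequest REAL NOT NULL)"
    )
    # Both the per-request COUNT and the DELETE filter on these columns.
    conn.execute("CREATE INDEX idx_tblrequest ON tblrequest (IPnum, lastrequest)")
    return conn


def allow_request(conn, ipnum, now=None, max_requests=MAX_REQUESTS, window=WINDOW_SECS):
    """Steps 2 and 3 from post #6 plus the INSERT from post #7, in one transaction.

    ipnum must be the peer address the web server itself saw (REMOTE_ADDR in
    PHP), never a client-supplied header, or the caller chooses its own bucket.
    The request is recorded before it is counted, so hammering a page while
    blocked keeps the block alive instead of letting it lapse after Y seconds.
    Returns True if the page may run, False if the quota is exceeded.
    """
    if now is None:
        now = time.time()
    with conn:  # commit on success, roll back on error
        # step 2: forget every request older than (now - Y seconds), for all IPs
        conn.execute("DELETE FROM tblrequest WHERE lastrequest < ?", (now - window,))
        # post #7: record this request
        conn.execute(
            "INSERT INTO tblrequest (IPnum, lastrequest) VALUES (?, ?)", (ipnum, now)
        )
        # step 3: how many of this IP's requests, this one included, sit in the window?
        (count,) = conn.execute(
            "SELECT COUNT(IPnum) FROM tblrequest WHERE IPnum = ?", (ipnum,)
        ).fetchone()
    # "if the count exceeds X, exit": the (X+1)th request inside Y seconds is refused
    return count <= max_requests


def frizzle_scenario():
    """Replay post #4: one load at second 1, three between seconds 3 and 5,
    three between seconds 5 and 7, against a 5-per-5-seconds quota.

    Timestamps and the address are constructed. Returns one decision per load;
    the sixth load (second 6) is the first one refused, because at that moment
    six requests fall inside the window [1, 6].
    """
    conn = open_store()
    loads = [1.0, 3.0, 4.0, 5.0, 5.5, 6.0, 7.0]
    return [allow_request(conn, "198.51.100.7", now=t) for t in loads]


if __name__ == "__main__":
    for second, ok in zip([1, 3, 4, 5, 5.5, 6, 7], frizzle_scenario()):
        print(f"t={second:>4}: {'served' if ok else 'refused (quota exceeded)'}")
```

Behind a shared proxy every visitor maps to the same IPnum, so the quota becomes per proxy rather than per user, which is the limitation Jerry raises later in the thread.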

Hmm, this kind of overlaps my other issue:
Logging in users. I know there are a lot of topics out there, but none of
them seem to have a real answer:

I was told using IP (also with pageloads) isn't safe as some ISPs
change IP addresses. Are sessions really that unsafe? I thought they
could only be manipulated if you have access to the server ...
Thanks for explaining.

Dec 16 '06 #8
frizzle wrote:
Hmm, this kind of overlaps my other issue:
Logging in users. I know there are a lot of topics out there, but none of
them seem to have a real answer:

I was told using IP (also with pageloads) isn't safe as some ISPs
change IP addresses.
True.
I heard AOL does that.
But you wouldn't be the first to ignore them. ;-)

And in your case it doesn't matter. If you protect your pages based on
remote IP, the fact that these users change IP addresses will not block them.

But I think you have little choice, since 'protecting' your pages via
sessions can easily be circumvented as I described in my other posting.

Are sessions really that unsafe? I thought they
could only be manipulated if you have access to the server ...
Many tricks exist to breach sessions.
I wouldn't say 'sessions are unsafe' but a little knowledge of their workings
won't hurt to protect yourself.

A few possible problems with sessions:
- session hijacking. Somebody taps in on the internet traffic and sees your
session ID and uses it (while it is still active = not timed out) to gain
access to the server like the real user does.
(This can be blocked by storing the IP number in the session and when it
changes, refuse the request.)
Hijacking can also be blocked if you use safe transport via https/ssl.

- Same server / another user on that server has access to the directory
where the sessions are stored. (Talk with your ISP, or check yourself: can
you see the content of the session directory? Can you open a random
session file, not belonging to your site, in there?)

- Session fixation
A link is provided on: http://nl3.php.net/manual/en/ref.session.php

I think I would use IP-block scheme in your case, not sessions, since a new
session can easily be started on each request.

Regards,
Erwin Moller
Dec 18 '06 #9
Erwin Moller wrote:
Many tricks exist to breach sessions.
I wouldn't say 'sessions are unsafe' but a little knowledge of their workings
won't hurt to protect yourself.

A few possible problems with sessions:
- session hijacking. Somebody taps in on the internet traffic and sees your
session ID and uses it (while it is still active = not timed out) to gain
access to the server like the real user does.
(This can be blocked by storing the IP number in the session and when it
changes, refuse the request.)
Hijacking can also be blocked if you use safe transport via https/ssl.
Not reliably. Many companies have proxies, where everyone in the
company would have the same IP address. And, as frizzle indicated, some
companies use multiple proxies - where the same user could get a
different IP address with every request.

Saving the IP in the session is not a safe way of doing it. If your
session is sensitive, use a secure connection (https).
- Same server / another user on that server has access to the directory
where the sessions are stored. (Talk with your ISP, or check yourself: can
you see the content of the session directory? Can you open a random
session file, not belonging to your site, in there?)
Very true.
- Session fixation
A link is provided on: http://nl3.php.net/manual/en/ref.session.php

I think I would use IP-block scheme in your case, not sessions, since a new
session can easily be started on each request.
I agree. It's not foolproof, but it's about the best you'll do.

But I'll also add that many DOS attacks come from hackers with hundreds
of thousands of hijacked machines available to them. Even blocking by
IP won't necessarily be very effective.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Dec 18 '06 #10

Thank you both for helping. I believe I learned something now about
fixation, but I still don't understand how to do it now.
Are there any tutorials with code examples based on what you think is
good out there?

Thanks for helping.

Frizzle.

Dec 20 '06 #11
I may be mistaken, but couldn't you use session_regenerate_id
(http://php.net/session_regenerate_id) so that you don't have to worry
about the user contaminating the session ID?

The 17 August 2006 user note warns that PHP 4.3.2 won't resend an
updated session cookie, and provides a workaround.

Curtis

On Dec 20, 1:01 am, "frizzle" <phpfriz...@gmail.comwrote:
Jerry Stuckle wrote:
Erwin Moller wrote:
frizzle wrote:
>>Erwin Moller schreef:
>>>Erwin Moller wrote:
>>>>frizzle wrote:
>>>>>frizzle wrote:
>>>>>>Erwin Moller wrote:
>>>>>>>frizzle wrote:
>>>>>>>>Hi there,
>>>>>>>>I need a function to prevent a page from being loaded too often
>>>>>>>>too fast.
>>>>>>>>So say, one is only allowed to refresh a single page 5 times in
>>>>>>>>10 seconds, or 10 times in 5 seconds (or whatever ... ).
>>>>>>>>If the load frequency exceeds that, the site calls exit(); And a
>>>>>>>>message is displayed. Just like Expression Engine does ...
>>>>>>>>This way i want to protect the DB from being queried rediculously
>>>>>>>>often, and maybe even protect it from DDOS attacks.
>>>>>>>>I hope it's clear. I don't know where to start ..
>>>>>>>>Thanks!
>>>>>>>Hi,
>>>>>>>You have to implement some kind of countingmechanism when the page
>>>>>>>starts. You can store the timestamp (now) in a database once the
>>>>>>>page runs, and check if it has been accessed more than X times last
>>>>>>>Y seconds. Just build it. :-)
>>>>>>>Of course this check will slow down each request to the page a
>>>>>>>little, but if the load of running the whole page is much higher,
>>>>>>>this may be worth the time.
>>>>>>>Regards,
>>>>>>>Erwin Moller
>>>>>>Would this be a good thing to do with sessions ?
>>>>>Not to be stupid here, but i don't completely get one thing:
>>>>>Say one can load 5 times in 5 seconds;
>>>>>If someone loads the page at second 1, and then reloads three times
>>>>>between second 3 and five, this would be 4 loads in 5 seconds. But if
>>>>>then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
>>>>>than) 5 seconds, though AFAIK your idea would have "approved" this.
>>>>>How could I fix this?
>>>>>Thanks!
>>>>Hi,
>>>>first question: Session.
>>>>I was unsure if you wanted to protect against a single user or against
>>>>all users.
>>>>If you want to protect against a single user loading the page too much,
>>>>you should use session, BUT if that visitor wants to circumvent your
>>>>session logic, it is easy.
>>>>Here is why: If you want to use a session with a visitor you send along
>>>>a session ID with each request and response. The session ID is stored in
>>>>the URL or cookie.
>>>>Both can easily be manipulated by the visitor, so this will not really
>>>>work.
>>>>It would make more sense to use the remote IP-address to maximize the
>>>>number of requests to your page.
>>>>Second question: How to implement the quota X times per Y secs?
>>>>just a rough idea based on IP:
>>>>create a table like this:
>>>>CREATE TABLE tblrequest(
>>>IPnum text,
>>>lastrequest datetime
>>>>)
>>>>Now above your script do this:
>>>>1) Get the remote IP
>>>>Use the remote address, read more here:
>>>>http://nl3.php.net/manual/en/function.getenv.php
>>>>2) delete from tblrequest ALL requests older than (now - Y secs)
>>>>3) check if this IP has already exceeded the quota:
>>>>Something like:
>>>>SELECT COUNT(IPnum) FROM tblrequest
>>> WHERE (IPnum = '<IPnum found in step1>');
>>>>if the count exceeds X, exit, otherwise continue with the rest of the
>>>>script.
>>>Oops forgot to mention the obvious:
>>>of course insert it in the table. :-)
>>>INSERT INTO tblrequest (IPnum,lastrequest)
>> VALUES ('<IPnum found in step1>','now');
>>>Regards,
>>>Erwin Moller
>>Hmm, this kind of overlaps my other issue:
>>Logging in users. I know there are a lot of topics out there, but none of
>>them seem to give a real answer:
>>I was told using IP (also with pageloads) isn't safe as some ISPs
>>change IP addresses.
True.
I heard AOL does that.
But you wouldn't be the first to ignore them. ;-)
And in your case it doesn't matter. If you protect your pages based on
remote IP, the fact that these users change IP addresses will not block them.
But I think you have little choice. Since 'protecting' your pages via
Sessions can easily be circumvented as I described in my other posting.
Are sessions really that unsafe? I thought they
>>could only be manipulated if you have access to the server ...
Many tricks exist to breach sessions.
I wouldn't say 'sessions are unsafe' but a little knowledge on their workings
won't hurt to protect yourself.
A few possible problems with sessions:
- session hijacking. Somebody taps in on the internet traffic and sees your
session ID and uses it (while it is still active = not timed out) to gain
access to the server like the real user does.
(This can be blocked by storing the IP number in the session and when it
changes, refuse the request.)
Hijacking can also be blocked if you use safe transport via https/ssl.
Not reliably. Many companies have proxies, where everyone in the
company would have the same IP address. And, as frizzle indicated, some
companies use multiple proxies - where the same user could get a
different IP address with every request.
Saving the IP in the session is not a safe way of doing it. If your
session is sensitive, use a secure connection (https).
- Same server / another user on that server has access to the directory
where the sessions are stored. (Talk with your ISP, or check yourself: can
you see the content of the session directory? Can you open a random
session file, not belonging to your site, in there?)
Very true.
- Session fixation
A link is provided on: http://nl3.php.net/manual/en/ref.session.php
I think I would use the IP-block scheme in your case, not sessions, since a new
session can easily be started on each request.
I agree. It's not foolproof, but it's about the best you'll do.
But I'll also add that many DOS attacks come from hackers with hundreds
of thousands of hijacked machines available to them. Even blocking by
IP won't necessarily be very effective.
Regards,
Erwin Moller
>>Thanks for explaining.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
Thank you both for helping. I believe I learned something now about
fixation, but I still don't understand how to do it now.
Are there any tutorials with code examples based on what you think is
good out there?

Thanks for helping.

Frizzle.
Dec 21 '06 #12
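Erwin's IP-based quota from the quoted thread (delete old rows, count this IP's rows, insert the new request) and the "5 loads in 5 seconds" edge case frizzle asked about, worked through as an added example that is not code from any poster: Python with sqlite3 stands in for the thread's PHP and MySQL, the table follows tblrequest, and the IP address and load times are constructed sample values.

```python
# Sliding-window request quota per client IP, following the tblrequest scheme
# from the thread (delete old rows, count rows for this IP, insert the new one).
# Added example in Python + sqlite3 as a stand-in for the thread's PHP + MySQL;
# the timestamp is passed in so the replay below is deterministic.
import sqlite3


class RequestQuota:
    """Allow at most max_requests per window_seconds for each IP (sliding window)."""

    def __init__(self, conn, max_requests, window_seconds):
        self.conn, self.max_requests, self.window = conn, max_requests, window_seconds
        conn.execute("CREATE TABLE IF NOT EXISTS tblrequest (IPnum TEXT, lastrequest INTEGER)")
        # Both queries in allow() filter on these columns on every page load.
        conn.execute("CREATE INDEX IF NOT EXISTS idx_request ON tblrequest (IPnum, lastrequest)")

    def allow(self, ip, now):
        """Record this request; return False if the IP is now over quota.

        Denied requests are recorded too, so a client that keeps hammering stays
        blocked until it has been quiet for a full window. Parameters are bound,
        not interpolated, so a client-controlled value can never alter the SQL.
        """
        cur = self.conn.cursor()
        # Step 2: forget everything older than the window.
        cur.execute("DELETE FROM tblrequest WHERE lastrequest <= ?", (now - self.window,))
        # Step 4 (Erwin's afterthought): record this request.
        cur.execute("INSERT INTO tblrequest (IPnum, lastrequest) VALUES (?, ?)", (ip, now))
        # Step 3: how many requests from this IP are left inside the window?
        (count,) = cur.execute(
            "SELECT COUNT(IPnum) FROM tblrequest WHERE IPnum = ?", (ip,)).fetchone()
        self.conn.commit()
        return count <= self.max_requests


def replay(limit, window, timestamps, ip="192.0.2.1"):
    """Run a constructed sequence of load times through a fresh quota and return
    the allow/deny verdict for each load (192.0.2.1 is a constructed sample IP)."""
    quota = RequestQuota(sqlite3.connect(":memory:"), limit, window)
    return [quota.allow(ip, t) for t in timestamps]


if __name__ == "__main__":
    # frizzle's scenario: 5 loads per 5 seconds, loads at 1, then 3-5, then 5-7.
    # A fixed 5-second bucket would approve all of them; the sliding window
    # denies t=7 (6 loads since t=3) and t=8, then recovers once the burst ages out.
    print(replay(5, 5, [1, 3, 4, 5, 5, 6, 7, 8, 13]))
```

As Jerry notes in the quoted post, keying on the remote IP is still only a coarse control: users behind one proxy share a key, and a distributed flood spreads across many keys.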
