xmlhttprequest and data protection

Hi,

I am trying to create a web page that, after it is loaded, will dynamically request data when the user interacts with it.

After some research I plan to use JavaScript and XMLHttpRequest to get this data and add it to the already rendered document.

One very good example of a similar application is here: http://genshi.edgewall.org/wiki/GenshiTutorial#AjaxifiedCommenting

If I do it this way, then can someone send thousands of XMLHttpRequests to my server and retrieve all data that is available? If this can be done then how can I protect against it?

One idea I have is to track the user using a cookie and control how often he is requesting data and limit the number of requests that are coming in a session, but I think that this is not enough.

As I am fairly new to JS, Ajax and CherryPy I would appreciate any ideas or references regarding this problem. I know that there is no method that will protect it completely, I just want to make it not trivial.

Regards,
Łukasz
Re: xmlhttprequest and data protection

Lukasz Michalski wrote:
> Hi,
>
> I am trying to create web page that, after loaded, will dynamically
> request for data when user interacts with it.
>
> After some research I plan to use javascript and XmlHttpRequest to get
> this data and add it to already rendered document.
>
> One very good example of similar application is here:
> http://genshi.edgewall.org/wiki/GenshiTutorial#AjaxifiedCommenting
>
> If I do it this way, then can someone send thousands of XMLHTTPRequests
> to my server and retrieve all data that is available? If this can be
> done then how can I protect against it?

ordinary HTTP {GET|POST|...}

cheers
Paul

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To post to this group, send email to cherrypy-users@...
To unsubscribe from this group, send email to cherrypy-users-unsubscribe@...
For more options, visit this group at http://groups.google.com/group/cherrypy-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Re: xmlhttprequest and data protection

Lukasz Michalski wrote:
> ...can someone send thousands of XMLHTTPRequests
> to my server and retrieve all data that is available? If this can be
> done then how can I protect against it?
>
> One idea I have is to track user using cookie and control how often he
> is requesting data and limit number of requests that are coming in
> session, but I think that this is not enough.

Typically, the first step is limiting the requests based on IP address. Depending on your server stack (i.e. whether you use Apache/lighttpd/other/none), you could start by tracking cherrypy.request.remote.ip. There are ways to spoof that and/or work around it, but it's a good first line of defense.

Robert Brewer
fumanchu@...
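The per-IP limiting suggested in the reply above, sketched as an added example; it is not code from the thread or from CherryPy. The class and function names, the limits and the sample addresses are assumptions made up for illustration; in a CherryPy handler the key passed to `allow()` would be `cherrypy.request.remote.ip`.

```python
import time
from collections import defaultdict, deque


class IpRateLimiter:
    """Sliding-window limiter keyed by client IP (illustrative names)."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def allow(self, ip):
        """Return (allowed, retry_after_seconds) for one request from ip."""
        now = self.clock()
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:  # expire old entries
            hits.popleft()
        if len(hits) >= self.max_requests:
            # The oldest accepted request decides when a slot frees up.
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0

    def prune(self):
        """Forget idle clients so the table cannot grow without bound."""
        now = self.clock()
        idle = [ip for ip, h in self._hits.items()
                if not h or now - h[-1] >= self.window]
        for ip in idle:
            del self._hits[ip]


def replay(requests, max_requests=5, window_seconds=10):
    """Feed (timestamp, ip) pairs through the limiter; return rejections per IP."""
    current = [0.0]
    limiter = IpRateLimiter(max_requests, window_seconds, clock=lambda: current[0])
    rejected = defaultdict(int)
    for ts, ip in requests:
        current[0] = ts
        if not limiter.allow(ip)[0]:
            rejected[ip] += 1
    return dict(rejected)


# Constructed sample: one client requesting rapidly, one ordinary visitor.
SAMPLE = sorted([(i * 0.1, "192.0.2.10") for i in range(50)] +
                [(i * 3.0, "198.51.100.7") for i in range(4)])
```

Behind a reverse proxy the address the application sees is the proxy's unless the forwarded client address is applied, which is why the choice of key depends on the server stack.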
Re: xmlhttprequest and data protection

Lukasz Michalski wrote:
>
> I am trying to create web page that, after loaded, will dynamically
> request for data when user interacts with it.
>
> After some research I plan to use javascript and XmlHttpRequest to get
> this data and add it to already rendered document.
> ...
> If I do it this way, then can someone send thousands of
> XMLHTTPRequests to my server and retrieve all data that is available?
> If this can be done then how can I protect against it?
>
> One idea I have is to track user using cookie and control how often he
> is requesting data and limit number of requests that are coming in
> session, but I think that this is not enough.
>
> As fairly new to js, ajax and cherrypy I would appreciate any ideas or
> references regarding this problem. I know that there is no method that
> will protect it completely, I just want to make it not trivial.

What is it that you want to "protect"? Your web site is offering information to the public. That's its purpose. If there is information you do not want to publish, then don't publish it.

Thousands of XmlHttpRequests will complete in a small number of seconds. I just don't see the danger. Sure, it's possible for someone to attempt a denial-of-service attack by flooding you with many millions of requests, but that's just one of the inherent risks in any web site.

--
Tim Roberts, timr@...
Providenza & Boekelheide, Inc.
Re: xmlhttprequest and data protection

Tim Roberts wrote:
>
> What is it that you want to "protect"? Your web site is offering
> information to the public. That's its purpose. If there is information
> you do not want to publish, then don't publish it.
>

My web site is using a database to construct the published web pages. *Small parts* of the data from this database are retrieved by the browser using XMLHttpRequest and presented to visitors. The data range is delimited by geographic coordinates.

Because replies to the XMLHttpRequest URL contain only data in XML format, it takes a couple of seconds to replicate the entire database using this URL - just by passing different parameters to this request.

I would like to make it a little bit harder.

Regards,
Łukasz