I want to block non-browser clients from accessing certain pages / successfully making a request.

The website content is served to authenticated users. What happens is that our user gives his credentials for our website to a 3rd party - it can be another website or a mobile application - that performs requests on his behalf.

Say there is a form that the user fills out and sends a message. Can I protect this form so that the server processing the submission can tell whether the user has submitted it directly from the browser or not?

I don't want to use CAPTCHA for usability reasons. Can I do it with some javascript?

+6  A: 

You can raise the bar using javascript, but anything a browser does, an automated system can do. At the very worst, they could automate a browser, but there will almost certainly be some easier way to simulate the operation.

In any case they can record the requests that the browser sends using a proxy, and work out whatever tricks you have the javascript do.

In terms of what springs to mind (to raise the bar) (using javascript):

  1. Change the location that the submit goes to.
  2. Change field names around at submit time.
  3. Hide fields that look like they should be filled in.
  4. Encrypt/obfuscate form contents at submit time.
  5. Change GET to POST.

Another usability problem is that anybody who has javascript disabled won't be able to use the service at all. That might impact usability more than a CAPTCHA.

Douglas Leeder
that's what I was afraid to hear - but thanks
Tomas Kohl
A: 

There is only one way to do this: analyzing the vendor string, looking for admitted browsers, but if someone fakes the vendor string there's no way to keep away submissions.

To know if a navigator is Mozilla-based with javascript:

    // True when the User-Agent string begins with "Mozilla" (nearly every browser's does)
    var isMoz = /^Mozilla/.test(window.navigator.userAgent);

With PHP you could try the native function get_browser.

markcial
This can still be spoofed.
Timothy Khouri
No, no and no. You will most likely break compatibility with __all__ browsers you do not _explicitly_ list here, and it is ridiculously simple to circumvent this (say `wget -U "Mozilla"`). In summary: __this would do more harm than good__.
Kimvais
I already said that it can be spoofed; I guess that an optimal solution should be to use a proper htaccess configuration file banning the desired IPs that seem not to be legit, IMO.
markcial
+1  A: 

There is no reliable way to detect the HTTP agent - you will break the form for some browsers in any case - unless you can force users into using a very limited set of browsers (but this can be spoofed again).

IMO, rather than trying to limit the software that can be used to access the form, you should make sure that there is a real human controlling that software. Unfortunately there is no better way than captchas for doing this, unless all customers have access to biometric scanners.

Kimvais