views:

330

answers:

7

I do not want to stop the user from clicking the same AJAX button many times, but I want to exercise some control to prevent someone from maliciously clicking the button repeatedly, which would cause repeated database requests. What is a simple way to handle this on a jQuery .post in ASP.NET MVC? If I put in a time delay, the experience client side will be ruined (?)

+1  A: 

Disable the button until the request is complete?

AdamRalph
+6  A: 

Why not disable the button after it is clicked, and then re-enable it once you have received the response from the server?

amdfan
duplicate of my answer
AdamRalph
Simple, effective; there are ways to send requests without clicking the button, but you just want to make it difficult enough for the average Joe to be discouraged from doing it.
Mark Robinson
@AdamRalph: sorry! But not intentionally at all. You were 16 seconds ahead of me.
amdfan
+1  A: 

You can put the button on a timer so once pressed, it will be disabled for X seconds or until it receives a response from the server.

Logan5
+2  A: 

Set a flag in your JavaScript indicating a pending request; once the response arrives, unset the flag.

This way the user can click the button as many times as he wishes, and there is going to be only one 'active' request to the server.

CountZero
+2  A: 

Why don't you keep track of how many times the user is pressing the button, and every one or one-half second run the method to submit the query along with the number of clicks (or don't do anything if no clicks were made)? Also, in the method reset the number of clicks to 0 so the next query will be accurate.

Mike
+3  A: 

This is not a client-side issue and can only be handled on the server side. If an AJAX request is being made, then a malicious user can make the AJAX request directly to your server through HTTP; it's quite trivial even for newbies using something like WFetch or curl.

Not to state the obvious, but if a user can click a button multiple times, then so can an adversary, and there's no way of really determining who is who. You can do some kind of throttling to limit it to x clicks per y seconds, etc., but then the adversary can also throttle his click rate.

aleemb
+1 for being right ;-) The server-side script that processes the AJAX requests can and should limit the rate at which it makes database requests.
David Zaslavsky
Hmm, a request to the server is a request to the server, AJAX or not; a malicious user can cause a DoS whether the application uses AJAX or not. I believe the point is to stop legitimate users from making too many requests at a time. (Tokens could be used to verify the request source.)
CountZero
@CountZero, this is not a DoS issue. Tokens don't work because the adversary can also get tokens.
aleemb
+1  A: 

An approach that in fact applies to any post made is to add a random token generated by the client. When the server receives the post the first time it records the token; any subsequent request coming with the same token is then ignored.

I heard about that on .NET Rocks #367 with Udi Dahan.

Simon Laroche