How do I protect against ajax-spam in PHP?

Question

Good day,

I would like to know how to protect my website from ajax-spam. I'm looking to limit any ajax action per users. Let's say 8 ajax-actions per minute.

An example of an action would be: a button to add/remove a blog posts "as my favorites".

Unless I'm wrong, I believe the best way would be using $_SESSION's variable and to avoid someone/a bot to clear cookies to avoid my protection. I'm allowing ajax-functions only to logged-on users.

Using database would make my protection useless because it's the unwanted database's writes I'm trying to avoid.

I have to mention that I actually use PHP as server-language and jQuery to proceeds my ajax calls.

Thank you

Edit:

The sentense

... to protect my website ...

is confusing but it's not about cross-domain ajax.

Edit 2011-04-20: I added a bounty of 50 to it.

Answer 1

Since you're only allowing AJAX actions to logged in users, this is really simple to solve.

• Create a timestamp field for each account. You can do this in the database, or leverage Memcached, or alternatively use a flat file.
• Each time the user makes a request through your AJAX interface, add the current timestamp to your records, and:
• Check to make sure the last eight timestamps aren't all before one minute ago.

From there you can add additional magic, like tempbanning accounts that flagrantly violate the speed limit, or comparing the IPs of violators against blacklists of known spammers, et cetera.