How to prevent access to a URL except by my own client code?

Question

I am using ASP.NET MVC with heavy jQuery client-side interaction. I have a jQuery chat window that polls the server at regular 7 second intervals to fetch updates. All of this works great, I have two action methods for handling the two main functions of the chat; one method is used to post messages to the chat and the other is used to retrieve updates.

My problem is that I'm having some users writing bots that are interacting with these URLs to post messages and get updates. If one wanted to stop users from interacting with those URLs except through my own client code, how might one accomplish this?

I thought of passing in a GUID when the page loads and then passing back this GUID with every request, but I'm not sure this is the best way to do this. Also, what would stop them from writing an extra step into their bot program to do a normal GET request to the URL that loads the page and then parsing the response for the GUID?

Answer 1

Well, it's impossible to write code that acts in a way nobody else can simulate,... and the task is easily accomplished if your code is Javascript.

What you CAN do, is try to make it more difficult. Use some kind of authentication, obfuscate the code using a good obfuscator, etc. You'll never be 100% sure, though, unless you put captchas all over your site.

You can also halt the molesting user server-side with filters, validations and the like.

I would instead try to attack the reasons and benefits of using bots. The easiest way of making people stop using bots and scripts that work on top of your code, is to just provide the features they want yourself, in a way that doesn't bother you.