How to protect registration page from multiple malicious requests?

I allow users to register on my website using a registration form. Once the form is submitted, a token will be generated and sent by email to the user, who needs to click on the token link to activate their account.

My question is: if I do it, can malicious code still send multiple emails to my website to register? Should I use Captcha to protect the website, or is there any other method?

Jack asked Feb 14 '23 04:02


2 Answers

If all you want is to prevent double submissions, you can generate a unique token for the form that you check on submission. This requires some thought if there are multiple forms per page. Also, a simple method is to just disable the form/button on submission. This is even more effective if the form is submitted via Ajax (so that the action parameter of the form can be absent and thus not easily harvestable).

If you want to prevent automatic submissions (by bots), while Captcha is probably the strongest of the common methods, it is also very user-hostile. Instead, unless you have a reason to believe your site is being specifically targeted, it is usually enough to just use honey-pot fields (invisible fields that a human would never fill but a bot would) and hidden fields that you fill with a known value after a short delay using JS (a bot wouldn't normally execute JS nor take time to type into fields like a human). Simply doing an Ajax submission is also usually enough. I recommend using one or a mixture of these methods before falling back to Captcha.

kaqqao answered Feb 15 '23 18:02


Captcha is one of the standard methods.

Another way is to not do a direct submit of the form. Use AJAXified server calls so that the form does not get posted by itself but has some data scrambling of inner fields and delays the submissions.

$("#contactForm").submit(function(event) {
    /* stop form from submitting normally */
    event.preventDefault();

    /* get some values from elements on the page: */
    var $form = $( this ),
        $submit = $form.find( 'button[type="submit"]' ),
        name_value = $form.find( 'input[name="name"]' ).val(),
        email_value = $form.find( 'input[name="email"]' ).val(),
        phone_value = $form.find( 'input[name="phone"]' ).val(),
        message_value = $form.find( 'textarea[name="message"]' ).val();

    /* Disable the button right away so a double click cannot post twice */
    $submit.prop("disabled", true);

    /* Send the data using post */
    var posting = $.post( "contact-form-handler.php", {
        name: name_value,
        email: email_value,
        phone: phone_value,
        message: message_value
    });

    posting.done(function( data ) {
        /* Put the results in a div (use .text() instead if the server response is not trusted HTML) */
        $( "#contactResponse" ).html(data);

        /* Change the button text. */
        $submit.text('Sent, Thank you');
    });

    posting.fail(function() {
        /* Re-enable the button so the user can retry after a failed request */
        $submit.prop("disabled", false);
    });
});
Rohitdev answered Feb 15 '23 18:02