Protecting mis-use of server resources

[Yaron 53]

As part of a service I'm writing using mars, I'm exposing a sign-up page for users to sign up to the service.

However, I want to prevent attacks on the service by bots and possibly detect multiple accidental clicks on the submit button.

 

Right now the way I'm considering doing this is by keeping a list of IP addresses and verifying that only one sign-up per time-frame is allowed.

 

I have two questions:
1. Using MARS, how do I read the client's IP address?

2. Are there other recommendations for defending mars?

 

[pietrt 1]

I do it in the TMARShttpServerIndy.OnConnect, that is a TIdServerThreadEvent = procedure(AContext: TIdContext) of object;

Client's Ip address: AContext.Binding.PeerIP

 

Pieter

[Yaron 53]

48 minutes ago, pietrt said:

I do it in the TMARShttpServerIndy.OnConnect, that is a TIdServerThreadEvent = procedure(AContext: TIdContext) of object;

Client's Ip address: AContext.Binding.PeerIP

 

Pieter

I'm using ISAPI, not Indy for the server-side code, so I can't get the IP the way you suggest.

 

I'm hoping for a more generic approach that will work in all MARS output modes (stand-alone application EXE, ISAPI, etc)

[Yaron 53]

I believe I figured it out, here's how to show a pop-up dialog with the IP address:

 

In "Server.Ignition.pas" CreateEngine, I added :

    FEngine.OnBeforeHandleRequest :=
      function (AEngine: TMARSEngine; AURL: TMARSURL; ARequest: TWebRequest; AResponse: TWebResponse; var Handled: Boolean ) : Boolean
      begin
        Result := True;
        ShowMessage(ARequest.RemoteIP);
      end;

And also had to add "MARS.Core.URL, Web.HTTPApp" to the "uses" section.

 

[Yaron 53]

However, the above did not fully solve my problem, it would have been better if there was a way to get the IP from within functions that are called by mars in Server.Resources, otherwise I'm not sure how to connect the IP from Server.Ignition to an action in Server.Resources in a multi-threaded environment.