Yaron

Protecting mis-use of server resources


As part of a service I'm writing using MARS, I'm exposing a sign-up page for users to sign up to the service.

However, I want to prevent attacks on the service by bots and possibly detect multiple accidental clicks on the submit button.

Right now the way I'm considering doing this is by keeping a list of IP addresses and verifying that only one sign-up per time-frame is allowed.

I have two questions:
1. Using MARS, how do I read the client's IP address?

2. Are there other recommendations for defending MARS?


I do it in the TMARShttpServerIndy.OnConnect, that is a TIdServerThreadEvent = procedure(AContext: TIdContext) of object;

Client's IP address: AContext.Binding.PeerIP

Pieter

48 minutes ago, pietrt said:

I do it in the TMARShttpServerIndy.OnConnect, that is a TIdServerThreadEvent = procedure(AContext: TIdContext) of object;

Client's IP address: AContext.Binding.PeerIP

Pieter

I'm using ISAPI, not Indy for the server-side code, so I can't get the IP the way you suggest.

 

I'm hoping for a more generic approach that will work in all MARS output modes (stand-alone application EXE, ISAPI, etc)


I believe I figured it out; here's how to show a pop-up dialog with the IP address:

In "Server.Ignition.pas" CreateEngine, I added:

    FEngine.OnBeforeHandleRequest :=
      function(AEngine: TMARSEngine; AURL: TMARSURL; ARequest: TWebRequest;
        AResponse: TWebResponse; var Handled: Boolean): Boolean
      begin
        Result := True;
        // Show the client's IP address in a pop-up dialog
        ShowMessage(ARequest.RemoteIP);
      end;

And also had to add "MARS.Core.URL, Web.HTTPApp" to the "uses" section.

 


However, the above did not fully solve my problem. It would have been better if there was a way to get the IP from within functions that are called by MARS in Server.Resources; otherwise I'm not sure how to connect the IP from Server.Ignition to an action in Server.Resources in a multi-threaded environment.

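The one-sign-up-per-IP-per-time-frame check described in the first post, made safe for concurrent requests and keyed on the ARequest.RemoteIP value read in the hook above. This is an added example, not code from any post in the thread or from MARS; TSignupThrottle, the 60-second window and the sample addresses are assumptions, and how the hook rejects a request is not shown on the page.

```delphi
program SignupThrottleDemo;
{$APPTYPE CONSOLE}
uses System.SysUtils, System.DateUtils, System.Generics.Collections;

type
  // Hypothetical helper, not part of MARS: one sign-up per IP per window.
  TSignupThrottle = class
  private
    FLastSeen: TDictionary<string, TDateTime>;
    FWindowSec: Integer;
  public
    constructor Create(AWindowSec: Integer);
    destructor Destroy; override;
    function Allow(const AIP: string; ANow: TDateTime): Boolean;
  end;

constructor TSignupThrottle.Create(AWindowSec: Integer);
begin
  inherited Create;
  FLastSeen := TDictionary<string, TDateTime>.Create;
  FWindowSec := AWindowSec;
end;
destructor TSignupThrottle.Destroy;
begin
  FLastSeen.Free;
  inherited;
end;
function TSignupThrottle.Allow(const AIP: string; ANow: TDateTime): Boolean;
var LLast: TDateTime;
begin
  System.TMonitor.Enter(FLastSeen); // requests are served on several threads
  try
    // Allowed when the IP is unknown or its last accepted sign-up is old enough
    Result := not (FLastSeen.TryGetValue(AIP, LLast) and
      (SecondsBetween(ANow, LLast) < FWindowSec));
    if Result then FLastSeen.AddOrSetValue(AIP, ANow); // rejected retries do not extend the window
  finally
    System.TMonitor.Exit(FLastSeen);
  end;
end;

var T: TSignupThrottle; T0: TDateTime;
begin
  T := TSignupThrottle.Create(60); // constructed sample: 60 s window, documentation-range IPs
  T0 := Now;
  Writeln(T.Allow('192.0.2.10', T0));                // first sign-up from this address
  Writeln(T.Allow('192.0.2.10', IncSecond(T0, 2)));  // accidental second click
  Writeln(T.Allow('192.0.2.11', IncSecond(T0, 2)));  // different address, same moment
  Writeln(T.Allow('192.0.2.10', IncSecond(T0, 61))); // first address after the window
  T.Free;
end.
```

Entries are never pruned here, so a long-running server needs a periodic sweep of addresses older than the window. Behind a reverse proxy or NAT one address is shared by many clients, so an IP-keyed limit can also block legitimate users.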
