an ASP.NET, C# technical blog, by Gianni Tropiano

Anti-Referrer-Spam-Bot-Trap Updated

by CodeGolem 4. November 2010 11:08

In my previous post I talked about a Module-and-Handler to stop referrer spam.

Well, I worked out a smarter version which uses a single HttpModule alernative:

This is the new implementation of the BeginRequest event handler of the Module:


/// <summary>
/// Handles referral requests
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
void context_BeginRequest(object sender, EventArgs e)
{
    HttpContext context = ((HttpApplication)sender).Context;

    // no action for requests already authorized, without referrer or whose referrer is in the current domain
    if (!(context.CurrentHandler is System.Web.UI.Page) || context.Session["_authorized"] != null || context.Request.UrlReferrer == null || context.Request.UrlReferrer.Authority.ToLower() == context.Request.Url.Authority.ToLower())
    {
        UnsetBadIp();
        return;
    }

    // sets no cacheability
    context.Response.Cache.SetNoStore();
    context.Response.Cache.SetCacheability(HttpCacheability.NoCache);

    // refuses requests from BAD IPs
    if (isBadIp())
    {
        TerminateRequest();
    }
    else
    {
        // flags the current IP as BAD
        SetBadIp();

        context.Response.Write("<html><head><script type='text/javascript'>function redirect() { window.location.reload(); }</script><body onmouseover='redirect()'>Redirecting to the requested URL. <a href='javascript:redirect()'>Click here</a> if you are not redirected automatically.</body></html>");
        context.Session["_authorized"] = true;

        context.Response.StatusCode = 205;
        context.Response.End();
    }
}

In this version it is the HttpModule itself that issues the client-challanging javascript code.

The first request to any Page is not served: a session variable is set to keep track of the request, and the javascript is issued instead, with a 205 HTTP Status Code (Document Reset... that means further action is required to the client).

If the client sucessfully executes the challange-javascript (a simple page refresh), the HttpModule allows the original handler (Page) to be executed.

Comments are welcome!

Happy coding!

Tags: , , ,

ASP.NET

Add comment



  Country flag

biuquote
  • Comment
  • Preview
Loading



Recent Posts

Sponsored By

iziCommerce

e-commerce has

never been so izi!

Try our online store!