protection against refresh spam ?


X-or
09-01-2021, 02:18 AM
Hello, is there a way to protect a site against refresh/F5 spam attacks?
I found out you can overload/crash a vb site just by keeping F5 pressed, this is crazy.
Is there a way to limit page refresh to once per every x minutes, cookie based if possible?
If not possible, can you at least disable F5 & Ctrl+R without making refresh completely impossible?

TheLastSuperman
09-01-2021, 07:57 PM
While this is an older article, it was recently updated (2020) and it may help you figure something out on this!

https://www.c-sharpcorner.com/blogs/disable-f5-key-button-and-browser-refresh

Hostboard
09-01-2021, 08:17 PM
These articles as well...

https://coderanch.com/t/603666/java/Prevent-Multiple-Page-Refresh

http://aspalliance.com/687_Preventing_Duplicate_Record_Insertion_on_Page_Refresh

Maybe there is code in this addon that can be used?
https://vbulletin.org/forum/showthread.php?t=221739

X-or
09-02-2021, 12:29 AM
Thank you. I could disable the F5 key but not Ctrl+R, which does the same. Not sure how to include Ctrl+R in there.

Thanks, I checked that addon but it's very old and for vb3 so not sure if safe for vb4.
That 1st link is interesting but not sure how to include that code between the <% %> tags.
Is it compatible with the <script> tag?


Sorry to ask instead of testing but I have no offline test site right now, so want to be sure what I'm doing isn't going to break things badly.

TheLastSuperman
09-07-2021, 01:17 AM
See Post #5 here:
https://stackoverflow.com/questions/2767126/how-to-detect-that-ctrlr-was-pressed


This is the code I'm using to disable refresh on IE and firefox (This works well for F5, Ctrl+F5 and Ctrl+R)

<script language="javascript" type="text/javascript">
// This code handles F5/Ctrl+F5/Ctrl+R.
// Note: $.browser was removed in jQuery 1.9, so the browser checks below only run with older jQuery versions.
document.onkeydown = checkKeycode;
function checkKeycode(e) {
    var keycode;
    if (window.event)
        keycode = window.event.keyCode;
    else if (e)
        keycode = e.which;

    // Mozilla Firefox
    if ($.browser.mozilla) {
        if (keycode == 116 || (e.ctrlKey && keycode == 82)) {
            if (e.preventDefault) {
                e.preventDefault();
                e.stopPropagation();
            }
        }
    }
    // IE
    else if ($.browser.msie) {
        if (keycode == 116 || (window.event.ctrlKey && keycode == 82)) {
            window.event.returnValue = false;
            window.event.keyCode = 0;
            window.status = "Refresh is disabled";
        }
    }
}
</script>

X-or
10-11-2023, 12:44 PM
I have added it to the header template and it did nothing.

The code below works for F5, do you know how to change it to include the Ctrl key too?

<script type="text/javascript">
window.onload = function () {
    document.onkeydown = function (e) {
        return (e.which || e.keyCode) != 116;
    };
}
</script>


----
***edit found the solution, use this to disable ctrl key :

<script type="text/javascript">
document.addEventListener("keydown", function (event) {
    if (event.ctrlKey) {
        event.preventDefault();
    }
});
</script>

works in combination with the above F5 script

X-or
10-12-2023, 06:25 PM
Now I've got another problem, the above blocks any combination of CTRL+? including copy/paste which is useful. Any way to block only CTRL+R ?


***edit, I have found one that works for CTRL+R only and still allows other CTRL combinations

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function () {
    $(document).on("keydown", function(e) {
        e = e || window.event;
        if (e.ctrlKey) {
            var c = e.which || e.keyCode;
            if (c == 82) {
                e.preventDefault();
                e.stopPropagation();
            }
        }
    });
});
</script>

TheLastSuperman
10-13-2023, 11:09 AM
The script you provided blocks the Ctrl+R key combination, which is commonly used to refresh a page. However, it doesn't block the F5 key, which is also commonly used for refreshing. Additionally, relying solely on JavaScript for security or anti-spam measures is not foolproof, as users can disable JavaScript or bypass it using browser developer tools.

Here's an improved version of your script that blocks both F5 and Ctrl+R:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function () {
    $(document).on("keydown", function(e) {
        if (e.which == 116 || (e.ctrlKey && e.which == 82)) { // 116 is F5, 82 is 'R' key
            e.preventDefault();
            e.stopPropagation();
        }
    });
});
</script>

However, while this script can deter casual users from constantly refreshing the page, it's not a robust solution against determined users or bots. Here are some additional measures you can consider:

Server-Side Rate Limiting: Implement rate limiting on your server to prevent clients from making too many requests in a short period of time. This is a more robust solution as it doesn't rely on client-side behavior.
Caching: Use caching mechanisms to serve static content, reducing the load on your server.
User Feedback: Provide feedback to users when they refresh too often, such as a warning message.
Monitoring & Analytics: Monitor user behavior on your site. If you notice patterns of abuse, you can take appropriate action.
CAPTCHA: If you suspect bot activity, consider implementing a CAPTCHA challenge after a certain number of refreshes.

Remember, while client-side measures can be helpful, they can be bypassed. Server-side measures are more robust and harder to circumvent.

TheLastSuperman
10-13-2023, 11:18 AM
Use/Test at your own risk :p and don't forget to correct the file paths in the code (based around vB4)

Implementing a CAPTCHA challenge after a certain number of refreshes in vBulletin 4 requires a combination of client-side and server-side scripting. Here's a step-by-step guide to achieve this:

1. Client-Side Scripting:
First, we'll use JavaScript to count the number of page refreshes.

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
var refreshCount = localStorage.getItem('refreshCount') || 0;

$(document).ready(function () {
    refreshCount++;
    localStorage.setItem('refreshCount', refreshCount);

    if (refreshCount > 5) { // Change 5 to the number of refreshes you want to allow before triggering CAPTCHA
        $.ajax({
            url: 'path_to_your_vbulletin/captcha_trigger.php',
            method: 'POST',
            data: { triggerCaptcha: true },
            success: function(response) {
                if (response === 'show_captcha') {
                    // Redirect to a page or pop up a modal to show the CAPTCHA challenge
                    window.location.href = 'path_to_your_vbulletin/show_captcha.php';
                }
            }
        });
    }
});
</script>



2. Server-Side Scripting:
captcha_trigger.php:

This script will handle the AJAX request and set a session variable to trigger the CAPTCHA.
<?php
session_start();

if (isset($_POST['triggerCaptcha']) && $_POST['triggerCaptcha'] == true) {
    $_SESSION['show_captcha'] = true;
    echo 'show_captcha';
}
?>



show_captcha.php:

This script will display the CAPTCHA challenge to the user.
<?php
session_start();

if (isset($_SESSION['show_captcha']) && $_SESSION['show_captcha'] == true) {
    // Display your CAPTCHA challenge here. You can use vBulletin's built-in CAPTCHA or integrate with a third-party service like reCAPTCHA.

    // After displaying the CAPTCHA, reset the session variable
    $_SESSION['show_captcha'] = false;
} else {
    // If the session variable is not set, redirect the user back to the main page
    header('Location: path_to_your_vbulletin/main_page.php');
    exit; // stop the script once the redirect header has been sent
}
?>


3. Integration with vBulletin:

Add the client-side script to the footer or header template of your vBulletin theme so it runs on every page load.
Place the server-side scripts (captcha_trigger.php and show_captcha.php) in the root directory of your vBulletin installation or an appropriate sub-directory.
Ensure that the paths in the AJAX request and redirection match the locations of your server-side scripts.


This solution will present a CAPTCHA challenge to the user after they refresh the page a certain number of times. Adjust the threshold as needed. Remember to test thoroughly before deploying to a live environment, I recommend using a staging environment / cloned or copied version of your main site.

X-or
10-22-2023, 05:23 PM
@TheLastSuperman
now I have another problem with the js library
https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js

It has caused a bunch of other problems on the page.
Any way to implement this with the native jquery of vb4 ?

TheLastSuperman
11-07-2023, 08:48 PM
Certainly! You can use the native jQuery that comes with vBulletin instead of loading it from Google's CDN. Here's how you can modify the client-side script to use vBulletin's native jQuery and integrate a CAPTCHA after a certain number of refreshes:

<script type="text/javascript">
// Assuming vBulletin's jQuery is already loaded and available as jQuery or $j instead of $
var refreshCount = localStorage.getItem('refreshCount') || 0;

$j(document).ready(function () {
    refreshCount++;
    localStorage.setItem('refreshCount', refreshCount);

    if (refreshCount > 5) { // Change 5 to the number of refreshes you want to allow before triggering CAPTCHA
        $j.ajax({
            url: 'captcha_trigger.php', // Adjust the URL to the location of your server-side script
            type: 'POST',
            data: { triggerCaptcha: true },
            success: function(response) {
                if (response === 'show_captcha') {
                    // Redirect to a page or pop up a modal to show the CAPTCHA challenge
                    window.location.href = 'show_captcha.php'; // Adjust the URL to the location of your CAPTCHA page
                }
            }
        });
    }
});
</script>

For the server-side PHP scripts, you can use the same code provided in the previous reply, but make sure the paths match the actual locations of the scripts in your vBulletin directory. Remember to place the client-side script in a template that's included on every page, such as the footer or header template. This way, it will track the refresh count consistently across the site.

Also, ensure that your server-side scripts are secure and validate the session correctly to prevent any security issues. It's important to test this thoroughly to make sure it doesn't interfere with the normal user experience for those who are not spamming the refresh button.

Let me know if that works out :).
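
The replies above recommend server-side rate limiting and walk through a CAPTCHA that is triggered from a refresh counter kept in the browser's localStorage. As an added example (not part of the thread and not vBulletin's own code), this PHP include keeps the counter on the server instead, so it still applies when the client script is disabled or its storage is cleared. The thresholds, the temp-file store, the function names and keying on REMOTE_ADDR are assumptions; the show_captcha session flag and the placeholder path are the ones used in the posts above.

```php
<?php
// Added example, not from the thread. Thresholds, the temp-file store and
// the function names are assumptions; show_captcha is the flag used above.
const WINDOW_SECONDS  = 10;  // look-back window
const CHALLENGE_AFTER = 5;   // loads per window before a CAPTCHA is required
const BLOCK_AFTER     = 20;  // loads per window before answering 429

// Pure step: drop timestamps outside the window, record this hit, classify.
function refresh_decision(array $hits, $now)
{
    $hits = array_values(array_filter($hits, function ($t) use ($now) {
        return $t > $now - WINDOW_SECONDS;
    }));
    $hits[] = $now;
    $hits   = array_slice($hits, -(BLOCK_AFTER + 1)); // bound the stored state
    $count  = count($hits);
    if ($count > BLOCK_AFTER)     { return array('block', $hits); }
    if ($count > CHALLENGE_AFTER) { return array('challenge', $hits); }
    return array('allow', $hits);
}

// Load, update and store one client's hit list under an exclusive lock.
function check_client($clientKey, $now)
{
    $path = sys_get_temp_dir() . '/refresh_' . hash('sha256', $clientKey) . '.json';
    $fh = fopen($path, 'c+');
    if ($fh === false) { return 'allow'; } // fail open if the store is unavailable
    flock($fh, LOCK_EX);
    $hits = json_decode((string) stream_get_contents($fh), true);
    list($action, $hits) = refresh_decision(is_array($hits) ? $hits : array(), $now);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $action;
}

// Runs before any page output; behind a proxy or CDN, REMOTE_ADDR is the proxy's address.
if (PHP_SAPI !== 'cli') {
    $action = check_client($_SERVER['REMOTE_ADDR'], time());
    if ($action === 'block') {
        http_response_code(429);
        header('Retry-After: ' . WINDOW_SECONDS);
        exit('Too many requests');
    }
    if ($action === 'challenge') {
        session_start();
        $_SESSION['show_captcha'] = true; // set by the server, not by a client POST
        header('Location: path_to_your_vbulletin/show_captcha.php'); // placeholder path, as in the thread
        exit;
    }
}
```

Leave this include out of show_captcha.php itself so the challenge page does not redirect to itself, and clear the client's hit file once the CAPTCHA has been solved.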