  #1  
Old 09-01-2021, 02:18 AM
X-or X-or is offline
 
Join Date: Nov 2005
Posts: 201
Thanks given: 0 times
Thanked 0 times in 0 posts
Default protection against refresh spam ?

Hello, is there a way to protect a site against refresh/F5 spam attacks?
I found out you can overload/crash a vB site just by keeping F5 pressed, this is crazy.
Is there a way to limit page refresh to once every x minutes, cookie-based if possible?
If not possible, can you at least disable F5 & Ctrl+R without making refresh completely impossible?
  #2  
Old 09-01-2021, 07:57 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by X-or View Post
Hello, is there a way to protect a site against refresh/F5 spam attacks?
I found out you can overload/crash a vB site just by keeping F5 pressed, this is crazy.
Is there a way to limit page refresh to once every x minutes, cookie-based if possible?
If not possible, can you at least disable F5 & Ctrl+R without making refresh completely impossible?
While this is an older article, it was recently updated (2020) and it may help you figure something out on this!

https://www.c-sharpcorner.com/blogs/...rowser-refresh
  #3  
Old 09-01-2021, 08:17 PM
Hostboard's Avatar
Hostboard Hostboard is offline
 
Join Date: May 2002
Location: CT
Posts: 843
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

These articles as well...

https://coderanch.com/t/603666/java/...e-Page-Refresh

http://aspalliance.com/687_Preventin...n_Page_Refresh

Maybe there is code in this addon that can be used?
https://vbulletin.org/forum/showthread.php?t=221739
  #4  
Old 09-02-2021, 12:29 AM
X-or X-or is offline
 
Join Date: Nov 2005
Posts: 201
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by TheLastSuperman View Post
While this is an older article, it was recently updated (2020) and it may help you figure something out on this!

https://www.c-sharpcorner.com/blogs/...rowser-refresh
Thank you. I could disable the F5 key but not Ctrl+R, which does the same. Not sure how to include Ctrl+R in there.

Quote:
Originally Posted by Hostboard View Post
Thanks, I checked that addon but it's very old and for vb3 so not sure if safe for vb4.
That 1st link is interesting but not sure how to include that code between the <% %> tags.
Is it compatible with the <script> tag?


Sorry to ask instead of testing but I have no offline test site right now, so want to be sure what I'm doing isn't going to break things badly.
  #5  
Old 09-07-2021, 01:17 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by X-or View Post
Thank you. I could disable the F5 key but not Ctrl+R, which does the same. Not sure how to include Ctrl+R in there.
See Post #5 here:
https://stackoverflow.com/questions/...lr-was-pressed

Quote:
This is the code I'm using to disable refresh on IE and firefox (This works well for F5, Ctrl+F5 and Ctrl+R)

Code:
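<script language="javascript" type="text/javascript">
    // This code handles F5 / Ctrl+F5 / Ctrl+R.
    // Note: it depends on jQuery's $.browser, which was removed in jQuery 1.9,
    // so jQuery (older than 1.9) must be loaded before this script runs.
    document.onkeydown = checkKeycode;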
    function checkKeycode(e) {
        var keycode;
        if (window.event)
            keycode = window.event.keyCode;
        else if (e)
            keycode = e.which;

        // Mozilla firefox
        if ($.browser.mozilla) {
            if (keycode == 116 ||(e.ctrlKey && keycode == 82)) {
                if (e.preventDefault)
                {
                    e.preventDefault();
                    e.stopPropagation();
                }
            }
        } 
        // IE
        else if ($.browser.msie) {
            if (keycode == 116 || (window.event.ctrlKey && keycode == 82)) {
                window.event.returnValue = false;
                window.event.keyCode = 0;
                window.status = "Refresh is disabled";
            }
        }
    }
</script>
  #6  
Old 10-11-2023, 12:44 PM
X-or X-or is offline
 
Join Date: Nov 2005
Posts: 201
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

I have added it to the header template and it did nothing.

The code below works for F5; do you know how to change it to include the CTRL key too?

Code:
<script type = "text/javascript">
    window.onload = function () {
        document.onkeydown = function (e) {
            return (e.which || e.keyCode) != 116;
        };
    }
</script>

----
***edit: found the solution, use this to disable the Ctrl key:

Code:
<script type = "text/javascript">
document.addEventListener("keydown", function (event) {
    if (event.ctrlKey) {
        event.preventDefault();
    }   
});
</script>
works in combination with the above F5 script
  #7  
Old 10-12-2023, 06:25 PM
X-or X-or is offline
 
Join Date: Nov 2005
Posts: 201
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Now I've got another problem, the above blocks any combination of CTRL+? including copy/paste which is useful. Any way to block only CTRL+R ?


***edit, I have found one that works for CTRL+R only and still allows other CTRL combinations

Code:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function () {
    $(document).on("keydown", function(e) {
        e = e || window.event;
        if (e.ctrlKey) {
            var c = e.which || e.keyCode;
            if (c == 82) {
                e.preventDefault();
                e.stopPropagation();
            }
        }
    });
});
</script>
  #8  
Old 10-13-2023, 11:09 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

The script you provided blocks the Ctrl+R key combination, which is commonly used to refresh a page. However, it doesn't block the F5 key, which is also commonly used for refreshing. Additionally, relying solely on JavaScript for security or anti-spam measures is not foolproof, as users can disable JavaScript or bypass it using browser developer tools.

Here's an improved version of your script that blocks both F5 and Ctrl+R:
Code:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function () {
    $(document).on("keydown", function(e) {
        if (e.which == 116 || (e.ctrlKey && e.which == 82)) { // 116 is F5, 82 is 'R' key
            e.preventDefault();
            e.stopPropagation();
        }
    });
});
</script>
However, while this script can deter casual users from constantly refreshing the page, it's not a robust solution against determined users or bots. Here are some additional measures you can consider:
  • Server-Side Rate Limiting: Implement rate limiting on your server to prevent clients from making too many requests in a short period of time. This is a more robust solution as it doesn't rely on client-side behavior.
  • Caching: Use caching mechanisms to serve static content, reducing the load on your server.
  • User Feedback: Provide feedback to users when they refresh too often, such as a warning message.
  • Monitoring & Analytics: Monitor user behavior on your site. If you notice patterns of abuse, you can take appropriate action.
  • CAPTCHA: If you suspect bot activity, consider implementing a CAPTCHA challenge after a certain number of refreshes.
Remember, while client-side measures can be helpful, they can be bypassed. Server-side measures are more robust and harder to circumvent.
  #9  
Old 10-13-2023, 11:18 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Use/Test at your own risk and don't forget to correct the file paths in the code (based around vB4)

Implementing a CAPTCHA challenge after a certain number of refreshes in vBulletin 4 requires a combination of client-side and server-side scripting. Here's a step-by-step guide to achieve this:

1. Client-Side Scripting:
First, we'll use JavaScript to count the number of page refreshes.

Code:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
var refreshCount = localStorage.getItem('refreshCount') || 0;

$(document).ready(function () {
    refreshCount++;
    localStorage.setItem('refreshCount', refreshCount);

    if (refreshCount > 5) { // Change 5 to the number of refreshes you want to allow before triggering CAPTCHA
        $.ajax({
            url: 'path_to_your_vbulletin/captcha_trigger.php',
            method: 'POST',
            data: { triggerCaptcha: true },
            success: function(response) {
                if (response === 'show_captcha') {
                    // Redirect to a page or pop up a modal to show the CAPTCHA challenge
                    window.location.href = 'path_to_your_vbulletin/show_captcha.php';
                }
            }
        });
    }
});
</script>

2. Server-Side Scripting:
captcha_trigger.php:

This script will handle the AJAX request and set a session variable to trigger the CAPTCHA.
Code:
<?php
session_start();

if (isset($_POST['triggerCaptcha']) && $_POST['triggerCaptcha'] == true) {
    $_SESSION['show_captcha'] = true;
    echo 'show_captcha';
}
?>

show_captcha.php:

This script will display the CAPTCHA challenge to the user.
Code:
<?php
session_start();

if (isset($_SESSION['show_captcha']) && $_SESSION['show_captcha'] == true) {
    // Display your CAPTCHA challenge here. You can use vBulletin's built-in CAPTCHA or integrate with a third-party service like reCAPTCHA.
    
    // After displaying the CAPTCHA, reset the session variable
    $_SESSION['show_captcha'] = false;
} else {
    // If the session variable is not set, redirect the user back to the main page
    header('Location: path_to_your_vbulletin/main_page.php');
    exit; // stop executing once the redirect header has been sent
}
?>

3. Integration with vBulletin:
  • Add the client-side script to the footer or header template of your vBulletin theme so it runs on every page load.
  • Place the server-side scripts (captcha_trigger.php and show_captcha.php) in the root directory of your vBulletin installation or an appropriate sub-directory.
  • Ensure that the paths in the AJAX request and redirection match the locations of your server-side scripts.

This solution will present a CAPTCHA challenge to the user after they refresh the page a certain number of times. Adjust the threshold as needed. Remember to test thoroughly before deploying to a live environment, I recommend using a staging environment / cloned or copied version of your main site.
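The server-side rate limiting recommended in post #8, which also moves the refresh count from post #9 out of localStorage and onto the server where the client cannot reset it, shown as an added example that is not part of the thread or of vBulletin. The function name `refresh_limit_check`, the limit of 10 requests per 60 seconds, and the use of the system temp directory for storage are assumptions.

```php
<?php
// Added example, not vBulletin code. Function name, limits and storage
// location are assumptions chosen for illustration.

// Records one request for $clientKey. Returns 0 when the request is within
// $limit requests per $window seconds, otherwise the seconds left to wait.
function refresh_limit_check($clientKey, $limit, $window, $now = null, $dir = null)
{
    $now = ($now === null) ? time() : (int) $now;
    $dir = ($dir === null) ? sys_get_temp_dir() : $dir;
    // Hash the key so client-supplied data never becomes part of a file path.
    $file = $dir . '/rl_' . hash('sha256', $clientKey) . '.json';

    $fh = @fopen($file, 'c+');   // create if missing, never truncate on open
    if ($fh === false) {
        return 0;                // fail open: a storage error must not block the forum
    }
    flock($fh, LOCK_EX);         // serialise concurrent requests from one client
    $hits = json_decode((string) stream_get_contents($fh), true);
    $hits = is_array($hits) ? $hits : array();

    // Sliding window: keep only timestamps newer than $now - $window.
    $hits = array_values(array_filter($hits, function ($t) use ($now, $window) {
        return is_int($t) && $t > $now - $window;
    }));

    $retryAfter = 0;
    if (count($hits) >= $limit) {
        $retryAfter = max(1, $hits[0] + $window - $now); // until the oldest hit expires
    } else {
        $hits[] = $now;          // only served requests consume budget
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $retryAfter;
}

// Run before any expensive page work: at most 10 requests per 60 seconds per IP.
if (isset($_SERVER['REMOTE_ADDR'])) {
    $wait = refresh_limit_check($_SERVER['REMOTE_ADDR'], 10, 60);
    if ($wait > 0) {
        http_response_code(429);
        header('Retry-After: ' . $wait);
        exit('Too many requests, please slow down.');
    }
}
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so the key has to come from a forwarded-address header that the proxy itself sets. The same return value can gate the CAPTCHA page from post #9 instead of sending a hard 429.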
  #10  
Old 10-22-2023, 05:23 PM
X-or X-or is offline
 
Join Date: Nov 2005
Posts: 201
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

@TheLastSuperman
now I have another problem with the js library
https://ajax.googleapis.com/ajax/lib.../jquery.min.js

It has caused a bunch of other problems on the page.
Any way to implement this with the native jquery of vb4 ?