Does a non directly accessible login form help deter bots?


Question

I read one possible measure to filter out spambots and want to get opinions (advice).

The measure is as follows:

1) Login form is not directly accessible. I mean if someone enters www.domain.com/login.php he would be redirected to index or something like this.

2) On index.php is button Login. When visitor clicks on Login, popup login form appears. Upon login I check $_SERVER["HTTP_REFERRER"]. If it is not login.php, then error (fail)

Is such measure useful? May be instead of $_SERVER["HTTP_REFERRER"] may use something else? Is such method reasonable at all?

Recommended answer

I would say: NOT REALLY. But there's a better solution, see below.

The problem is, good bots can do everything that humans can do too. Most bots are even "better" than humans, because they know how login systems work etc.! Using JavaScript/Iframe/AJAX-constructs to prevent bots will help against mainstream crawlers that simply search for text-input and password-input forms. And even if your site uses superawesome indirect-accessible login forms, even then someone might build a bot for exactly that use case.

A good solution:

  1. Use a time-delay login blocker! Here is a tutorial on how to delay (or even block) login attempts after heavy login failures:

    Additionally use a high-end captcha after the first failed login.

    For the really bad guys: If you get masses of login fails from a special IP, then block this IP. This is quite advanced, but a common practice.

    (Please note: the author of this tutorial still uses mysql_query, which has been outdated for years now. You should do it with mysqli or PDO.)
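
A minimal sketch of the time-delay blocker and per-IP block recommended in this answer, written with PDO as its note suggests. This is an added example, not code from the answer or the tutorial it mentions; the table name, thresholds and in-memory SQLite store (which needs the pdo_sqlite extension) are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Table name, window and thresholds are illustrative assumptions.

const WINDOW_SECONDS = 3600; // only failures from the last hour are counted
const FREE_ATTEMPTS  = 3;    // failures tolerated before any delay applies
const BLOCK_AFTER    = 20;   // failures from one IP that trigger the long block
const BLOCK_SECONDS  = 3600;
const MAX_DELAY      = 300;  // cap for the doubling delay

function initStore(PDO $pdo): void {
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_failures
                (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $pdo->exec('CREATE INDEX IF NOT EXISTS idx_fail ON login_failures (ip, failed_at)');
}

function recordFailure(PDO $pdo, string $ip, int $now): void {
    // Prepared statement: the IP is bound as data, never concatenated into SQL.
    $stmt = $pdo->prepare('INSERT INTO login_failures (ip, failed_at) VALUES (?, ?)');
    $stmt->execute([$ip, $now]);
}

// Seconds this IP must still wait before a login attempt is processed (0 = proceed).
function secondsToWait(PDO $pdo, string $ip, int $now): int {
    $stmt = $pdo->prepare('SELECT COUNT(*), MAX(failed_at) FROM login_failures
                           WHERE ip = ? AND failed_at > ?');
    $stmt->execute([$ip, $now - WINDOW_SECONDS]);
    [$count, $last] = $stmt->fetch(PDO::FETCH_NUM);
    $count = (int) $count;
    if ($count <= FREE_ATTEMPTS) {
        return 0;
    }
    // Delay doubles per extra failure (2, 4, 8 ... up to MAX_DELAY);
    // a flood of failures from the same IP gets the long block instead.
    $delay = $count >= BLOCK_AFTER
        ? BLOCK_SECONDS
        : min(2 ** ($count - FREE_ATTEMPTS), MAX_DELAY);
    return max(0, (int) $last + $delay - $now);
}

// Demo on a constructed sequence: one failure per second from a documentation-range IP.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initStore($pdo);
$ip = '203.0.113.7';
for ($i = 1, $t = 1700000000; $i <= 6; $i++, $t++) {
    recordFailure($pdo, $ip, $t);
    printf("failure %d -> wait %d s\n", $i, secondsToWait($pdo, $ip, $t));
}
```

In a login handler, call `secondsToWait()` before checking the password and reject the request while it returns a non-zero value, so the check runs server-side no matter which page or Referer header the request came with.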
