使用PHP CURL防止远程脚本登录网站 [英] Prevent remote script using PHP CURL from logging into website

问题描述

有什么方法可以用来确保登录页面能够使用CURL通过远程PHP脚本登录？检查引荐来源网址和用户代理不会工作，因为可以使用CURL设置。理想的解决方案将是解决这个问题，而不使用CAPTCHA，这是这个问题的要点，试图找出是否可能。

What are some methods that could be used to secure a login page from being able to be logged into by a remote PHP script using CURL? Checking referrer and user agent won't work since those can be set with CURL. The ideal solution would be to solve this without using a CAPTCHA, that is the point of this question to try and figure out if this is possible.

推荐答案

一种方法是在您的登录表单中包含一些JavaScript，并使它不能成功提交表单，除非JavaScript已经运行。这使得你的登录表单只能用于开启JavaScript的人，CURL没有。如果必要的JavaScript是每次都不同的挑战/响应（例如使用类似 http：// www .ohdave.com / rsa / 以使它不重要），在表单中存在正确设置的值是JavaScript运行的好证据。

One approach is to include some JavaScript in your login form, and make it so that the form cannot possibly be successfully submitted unless that JavaScript has run. This makes your login form only usable for people with JavaScript turned on, which CURL doesn't have. If the necessary JavaScript is some kind of challenge/response that differs every time (for instance use something like http://www.ohdave.com/rsa/ to make it non-trivial), the presence of the correctly set value in the form is good evidence that JavaScript ran.

你将无法停止所有自动化脚本，但是编写用于驱动实际浏览器引擎的脚本是很容易的，他们将通过此测试。

You won't be able to stop all automated scripts though, it is easy enough to write scripts that drive an actual browser engine, and they will pass this test.

这篇关于使用PHP CURL防止远程脚本登录网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！