On the client side
If it’s not enabled, we may redirect the user to an error page.
How is it made? With the <noscript> HTML tag.
What’s wrong with this method? The test is made on the client side,
and as you already know, the user can fool us if, for example,
they delete the code between the
On the server side
What are we going to do?
- We will force the user to make an AJAX request from the client side on the main page.
- The endpoint listening to the request, once called, is going to set a cookie on the browser.
index.html: we will assume this is the main entry point for our site.
Let’s draw some code
You have to be very careful at this point: if your site has more than one entry point, you may prefer to put this code in a separate file and include it from every entry point.
Setting the cookie
We are going to set an MD5 hash as the value of the cookie, so it is harder for the user to fake. Of course, this is useless if you always hash the same word, since the cookie value then never changes and can simply be copied.
Note: the cookie can still be faked even by doing this; there is no perfect method to ensure ‘the perfect identifier hash of death’, but here you can let your imagination run free.
Looking for cookies
should be looking for the js cookie right now!
As easy as that: if the cookie is not set, or the hash value is not
the expected one, you do a simple redirect to another page (by the way, why you should
exit(): The Daily WTF).
You should be checking things like:
- Is the user really doing a ‘genuine’ POST request?
- Does it come from an AJAX request?
- Do you send things through the POST request (to combine and hash) that can be faked?
Those things are impossible to know for sure, so you can complicate this method ad infinitum; it depends on your needs.