php_clientchallenge (Subversion repository, Rev 2)

Server requests using client challenges

What is it?

This PHP/JavaScript package can be used to add client challenges on top of your AJAX requests to protect your scripts against brute-force or DoS attacks.

It can also protect your server against resource starvation attacks, for example when a login script uses a deliberately slow, CPU-intensive hash algorithm such as BCrypt.

Usage example

A usage example is located in the directory example/.

System requirements

Program flow

1. Request from Client to Server (Get Challenge)

Request parameters:

The server will generate a secret random number between Min and Max. The difference between Min and Max is the complexity constant: it determines how much work the client has to do to find the number.

Response:

Additionally, the server will create a "transaction file" (which prevents a replay attack). The filename is Hash_HMAC(IP+Random, ServerSecret).

The client will now brute-force all values to find the random value between Min and Max.

2. Request from Client to Server (Solve Challenge and request the resource)

Request parameters:

The server will do:

Note: Depending on when you solve the challenge, you should decide on a fitting timeout value, e.g.

Reporting a bug

You can file a bug report here:

Support

If you have any questions or need help, please contact us:

https://www.viathinksoft.com/contact/daniel-marschall