Subversion Repositories php_clientchallenge

Rev

Rev 12 | Last modification | Compare with Previous | View Log | RSS feed

Last modification

Path Last modification Log RSS
[NODE] [DIRECTORY] cache/ 7  2022-10-22 15:11:06 daniel-marschall Log RSS
[NODE] [DIRECTORY] example/ 8  2022-10-22 15:26:49 daniel-marschall Log RSS
[NODE] [FILE] .gitattributes 3  2021-06-06 01:48:42 daniel-marschall Log RSS
[NODE] [FILE] .gitignore 7  2022-10-22 15:11:06 daniel-marschall Log RSS
[NODE] [DB-FILE] ClientChallenge.class.php 11  2022-10-23 18:03:52 daniel-marschall Log RSS
[NODE] [DB-FILE] ClientChallenge.js 6  2022-10-22 11:22:28 daniel-marschall Log RSS
[NODE] [FILE] composer.json 13  2023-04-10 00:27:21 daniel-marschall Log RSS
[NODE] [FILE] LICENSE 2  2021-06-06 01:34:14 daniel-marschall Log RSS
[NODE] [FILE] phpstan.neon.dist 10  2022-10-22 21:32:26 daniel-marschall Log RSS
[NODE] [FILE] README.md 12  2022-10-25 00:49:43 daniel-marschall Log RSS

Server requests using client challenges

What is it?

This PHP/JavaScript package can be used to add client challenges on top of your

AJAX requests to protect your scripts against brute-force or DoS attacks.

It can also protect your server against resource starvation attacks, for example,

if you have a login script that uses a complex hash algorithm like BCrypt.

Usage example

A usage example is located in the directory example/

System requirements

Program flow

1. Request from Client to Server (Get Challenge)

Request parameters:

The server will generate a secret random number between Min and Max.

The difference between Min and Max is the complexity constant.

Response:

Additionally, the server will create a "transaction file" (which prevents a replay attack). The filename is Hash_HMAC(IP+Random, ServerSecret).

The client will now brute-force all values to find the random value between Min and Max.

2. Request from Client to Server (Solve Challenge and request the resource)

Request parameters:

The server will do:

Note: Depending on when you solve the challenge, you should decide on a fitting timeout value, e.g.

Reporting a bug

You can file a bug report here:

Support

If you have any questions or need help, please contact us:

https://www.viathinksoft.com/contact/daniel-marschall