
How can I limit my php file that I use in ajaxRequest.open to be accessed through specific pages?

I want to use something like sessions to prevent remote form posting because many guessed passwords for a username can be checked this way.

I know checking referrer is not a secure idea. Is auto blocking based on IP a secure one?

Is it a good idea to check if it is posted through Ajax and if not deny it because no one can remote post through Ajax? Is it really secure?

thanks in advance

Drust
  • Define "remote form posting." Does someone going through your site on a browser attempting to bruteforce a password qualify? – NullUserException Aug 30 '11 at 18:33
  • Someone is trying to bruteforce a correct username and password. He can do it easily with an application that he wrote because he can POST directly to my PHP file. – Drust Aug 30 '11 at 18:39

1 Answer


You are mixing things up. AJAX relies on the HTTP protocol (e.g. POST, GET) to work. So using AJAX will not stop people from forging queries. There is a header called HTTP_X_REQUESTED_WITH, but like anything coming from the client, it should not be trusted.

The concern about remote AJAX posting is related more to an exploit known as Cross-site remote forgery, or CSRF. One way to prevent this is by using CSRF tokens (read the wiki page). The problem you (seem to be) describing is something else.

When dealing with logins, I like to implement different failure thresholds:

  • If you are trying to log in to an account and fail X times, you will be greeted with a CAPTCHA. This will prevent people from using bots to brute force a password, without inconveniencing (too much) legitimate users.

  • If you fail X+Y times, the account will be locked for a Z amount of time.

  • If it looks like a lot of failed logins are coming from your IP, it will be blocked.

NullUserException
  • How can I know that someone is trying to log in X times when he is not using my AJAX application? He is POSTing directly to my PHP file. Is it trustworthy if I recognize him by IP? – Drust Aug 30 '11 at 19:02
  • @Drust You can do that, or try to count the times a particular account is being accessed. – NullUserException Aug 30 '11 at 22:50
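The failure thresholds from the answer (CAPTCHA after X failures, account lock for Z seconds after X+Y, IP block after many failures), as an added PHP example that is not from the question or the answer. The class name, the constant values and the in-memory array store are assumptions; a real deployment would keep the counters in a database or cache so they survive across requests.

```php
<?php
// Added example: server-side login throttle keyed by account and by IP,
// so requests that bypass the AJAX front end are still counted.
const CAPTCHA_AFTER  = 3;    // X failures on an account -> require a CAPTCHA
const LOCK_AFTER     = 6;    // X+Y failures on an account -> lock it
const LOCK_SECONDS   = 900;  // Z: how long the lock lasts
const IP_BLOCK_AFTER = 20;   // failures from one IP -> block that IP

class LoginThrottle {
    private array $accounts = []; // username => ['fails' => int, 'locked_until' => int]
    private array $ips      = []; // ip => failure count

    // Decide what to do before the password is checked at all.
    public function check(string $username, string $ip, int $now): string {
        if (($this->ips[$ip] ?? 0) >= IP_BLOCK_AFTER) {
            return 'ip_blocked';
        }
        $acct = $this->accounts[$username] ?? ['fails' => 0, 'locked_until' => 0];
        if ($acct['locked_until'] > $now) {
            return 'locked';
        }
        if ($acct['fails'] >= CAPTCHA_AFTER) {
            return 'captcha'; // caller must verify a CAPTCHA before trying the password
        }
        return 'allow';
    }

    // Record a failed attempt against both the account and the source IP.
    public function recordFailure(string $username, string $ip, int $now): void {
        $this->ips[$ip] = ($this->ips[$ip] ?? 0) + 1;
        $acct = $this->accounts[$username] ?? ['fails' => 0, 'locked_until' => 0];
        $acct['fails']++;
        if ($acct['fails'] >= LOCK_AFTER) {
            $acct['locked_until'] = $now + LOCK_SECONDS;
            $acct['fails'] = 0; // fresh count once the lock expires
        }
        $this->accounts[$username] = $acct;
    }
}

// Constructed walk-through: six failures on one account from one IP.
$t = new LoginThrottle();
$now = time();
for ($i = 0; $i < 6; $i++) { $t->recordFailure('alice', '203.0.113.5', $now); }
echo $t->check('alice', '203.0.113.5', $now), "\n";        // locked
echo $t->check('alice', '203.0.113.5', $now + 1000), "\n"; // allow (lock expired)
```

On a successful login the caller should clear the account's entry so a legitimate user is not carried toward the lock by old failures.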