
I am working on a web application which provides some services for its users who have accounts to log on to the web application. As you probably already know, it is possible to programmatically log in to web sites by providing a username and password and sometimes a captcha code. As far as I know it is possible to simulate the request programmatically. For example, in C# we can make a request and fill all request headers such as User-Agent, Referer, ... and send it to the server in order to log in. However, my question is: how can I prevent users from logging in to the web application via something other than browsers?

Thanks.

ali
  • Short answer: you can't. Longer: you can try different tricks (for example, some JavaScript and so on), but it isn't guaranteed that no one can log in to your site via some script rather than a browser. – Andrey Korneyev Nov 21 '14 at 07:52
  • Thanks for your quick response. Would you please explain more about the mentioned tricks? – ali Nov 21 '14 at 07:54

2 Answers


You can't. Timing, CAPTCHA and honeypot fields and using JavaScript are common ways to prevent most robots, but someone dedicated to specifically targeting your site will find a way to simulate a genuine user.

CodeCaster

All you can do is raise the barrier as high as you are able, and as high as is acceptable for your users. Security is always a trade-off against convenience.

There are ways you can raise the barrier, but each method's application varies across applications. For example, you could sniff the user agent and check it against a list and reject anything that isn't defined as a browser on your list. That kind of thing works for me in an internal situation where we have specific policies and controls over the browsers employees can use. For a web application however it would likely fail as the list would need to be managed, and people in the outside world probably know how to spoof their user agent anyway.

So it all depends. You need to consider the vectors around where your threats are coming from and guard against those threats as best you can rather than trying a blanket approach.

Mike Rouse
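The two answers above name the usual barrier-raising checks (honeypot field, form timing, user-agent filtering) without showing what they look like server-side. The following is an added illustration, not code from either answer, of how a login handler can score a submission against those three heuristics. The field name `website`, the header lookup, the thresholds and the list of browser markers are all assumptions for the example; the sample requests are constructed. The last case shows the limit both answers warn about: a script that copies a browser's User-Agent only trips the checks it did not bother to imitate.

```python
"""Server-side login heuristics: honeypot field, form timing and a
user-agent allowlist.  Added example; names and thresholds are assumptions."""
from dataclasses import dataclass

MIN_FILL_SECONDS = 2.0        # assumed: a person needs at least this long to type credentials
MAX_FORM_AGE_SECONDS = 900    # assumed: a login form older than 15 minutes is stale
HONEYPOT_FIELD = "website"    # assumed name; hidden with CSS so real users never fill it
# Assumed markers; any genuine browser UA we expect to serve contains one of these.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")


@dataclass(frozen=True)
class LoginSignals:
    honeypot_filled: bool   # hidden field had a value: form was filled by a script
    too_fast: bool          # submitted faster than a person could type
    stale_form: bool        # form was issued too long ago (replayed or pre-scraped)
    unknown_agent: bool     # User-Agent does not resemble any browser on the allowlist

    def reasons(self) -> list[str]:
        """Names of the heuristics that fired, in a fixed order."""
        flags = (
            ("honeypot_filled", self.honeypot_filled),
            ("too_fast", self.too_fast),
            ("stale_form", self.stale_form),
            ("unknown_agent", self.unknown_agent),
        )
        return [name for name, fired in flags if fired]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons())


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), "")


def evaluate_login_request(form: dict, headers: dict,
                           issued_at: float, now: float) -> LoginSignals:
    """form: POSTed fields; headers: request headers; issued_at: when the server
    rendered this form (in practice recovered from a signed hidden token);
    now: submission time.  Returns the set of heuristics that fired; the caller
    decides whether to block, challenge with a CAPTCHA, or just log."""
    elapsed = now - issued_at
    user_agent = _header(headers, "User-Agent")
    return LoginSignals(
        honeypot_filled=bool(form.get(HONEYPOT_FIELD, "").strip()),
        too_fast=elapsed < MIN_FILL_SECONDS,        # negative elapsed counts as too fast
        stale_form=elapsed > MAX_FORM_AGE_SECONDS,
        unknown_agent=not any(m in user_agent for m in BROWSER_MARKERS),
    )


# Constructed sample submissions for illustration.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"

HUMAN = dict(form={"username": "alice", "password": "pw", "website": ""},
             headers={"user-agent": BROWSER_UA}, issued_at=1000.0, now=1008.5)

NAIVE_SCRIPT = dict(form={"username": "alice", "password": "pw",
                          "website": "http://example.invalid"},   # filled every field
                    headers={"User-Agent": "python-requests/2.4.3"},
                    issued_at=1000.0, now=1000.3)

SPOOFED_UA_SCRIPT = dict(form={"username": "alice", "password": "pw", "website": ""},
                         headers={"User-Agent": BROWSER_UA},      # copied from a browser
                         issued_at=1000.0, now=1000.3)

if __name__ == "__main__":
    for label, req in (("human", HUMAN), ("naive script", NAIVE_SCRIPT),
                       ("spoofed-UA script", SPOOFED_UA_SCRIPT)):
        print(f"{label:18s} -> {evaluate_login_request(**req).reasons()}")
```

Feed the signals into a decision rather than a hard block: a fired honeypot or a form submitted in under two seconds is a strong signal, while an unfamiliar User-Agent only says the client is not pretending to be a browser, and, as Mike Rouse notes, anyone who wants to can pretend. In production the `issued_at` value should come from a signed token embedded in the form, not from a client-supplied field, or the timing check can be satisfied by the client itself.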