So I got a button on my site with method equal to POST. Some users spam-click the button and make many controller function calls in 1 second, which messes up the checks within my controller function. How do I prevent that?
Viewed 525 times

Asked by Just Another Guy
- Does this answer your question? [Prevent Multiple Submitting in one button laravel](https://stackoverflow.com/questions/50421591/prevent-multiple-submitting-in-one-button-laravel) – Collin Jun 11 '20 at 06:55
- I do disable the button with JS, but they somehow manage to go around it. I need a server-side check. – Just Another Guy Jun 11 '20 at 07:12
- Does [rate limiting](https://laravel.com/docs/7.x/routing#rate-limiting) help? Sidenote: If they bypass the disabled button it might mean they are bots which (most of the time) can be "blocked" with [`robots.txt`](https://developers.google.com/search/reference/robots_txt) – apokryfos Jun 11 '20 at 07:14
- Take a look at the answer actually provided in the link. Or take a look at the answer of Digvijay. Or maybe it might be easy to actually show your code? – Collin Jun 11 '20 at 07:14
- Yea, rate limiting should work, but I never used it. My route is `Route::post('/affiliate/enter', 'AffiliateController@update')->name('aff_enter');` How do I limit the rate ONLY for this route? – Just Another Guy Jun 11 '20 at 07:22
- `Route::middleware('throttle:60,1')->post('/affiliate/enter', 'AffiliateController@update')->name('aff_enter');` See https://laravel.com/docs/7.x/routing#rate-limiting – Musa Jun 11 '20 at 08:03
- Also search for "post form honeypot" to trick malicious bots. – Tpojka Jun 11 '20 at 18:03
1 Answer
CSRF tokens

Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.

```blade
<form method="POST" action="/profile">
    @csrf
    ...
</form>
```

The `VerifyCsrfToken` middleware, which is included in the `web` middleware group, will automatically verify that the token in the request input matches the token stored in the session.
- I do have `@csrf` in my code, but it doesn't seem to help. I'm looking for something more like a server-side check within the controller. – Just Another Guy Jun 11 '20 at 07:01