How to prevent access to a URL except by my own client code?
I am using ASP.NET MVC with heavy jQuery client-side interaction. I have a jQuery chat window that polls the server at regular 7-second intervals to fetch updates. All of this works great. I have two action methods for handling the two main functions of the chat: one method is used to post messages to the chat and the other is used to retrieve updates.
My problem is that I'm having some users writing bots that are interacting with these URLs to post messages and get updates. If one wanted to stop users from interacting with those URLs except through my own client code, how might one accomplish this?
I thought of passing in a GUID when the page loads and then passing back this GUID with every request, but I'm not sure this is the best way to do this. Also, what would stop them from writing an extra step into their bot program to do a normal GET request to the URL that loads the page and then parsing the response for the GUID?
Well, it's impossible to write code that acts in a way nobody else can simulate... and the task is easily accomplished if your code is JavaScript.
What you CAN do, is try to make it more difficult. Use some kind of authentication, obfuscate the code using a good obfuscator, etc. You'll never be 100% sure, though, unless you put captchas all over your site.
You can also halt the molesting user server-side with filters, validations and the like.
I would instead try to attack the reasons and benefits of using bots. The easiest way of making people stop using bots and scripts that work on top of your code, is to just provide the features they want yourself, in a way that doesn't bother you.
This is a rather difficult problem, as your client code is in essence no different than the bots, which are clients as well. One thing you could do is implement some kind of CAPTCHA checks for login, and possibly intermittently for posting messages; however, this is likely to irritate your real users. So I'm not sure if there is a very elegant and smooth solution available here.
Chat clients have existed since the dawn of the Internet and I know of a very popular one: IRC. They have the exact same problem: how do you identify a bot? Seeing as it's still a problem these days I think it's safe to say you can't.
There are perhaps some heuristics you could use to detect bots but it's a cat and mouse game. A CAPTCHA is just a cat and mouse game too, albeit one on the cutting edge.
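The server-side filtering and heuristics mentioned in the answers above can be as simple as a per-user sliding-window throttle. This is an added example, not code from the thread: the `ChatThrottle` class, its limits and the user names are hypothetical, and it assumes users are authenticated so requests can be keyed on the logged-in user rather than on anything the client sends.

```csharp
using System;
using System.Collections.Generic;
// Added example: ChatThrottle and its limits are hypothetical, not from the thread.
public sealed class ChatThrottle
{
    private readonly int _maxEvents;
    private readonly TimeSpan _window;
    private readonly Dictionary<string, Queue<DateTime>> _seen =
        new Dictionary<string, Queue<DateTime>>();
    private readonly object _gate = new object();

    public ChatThrottle(int maxEvents, TimeSpan window)
    { _maxEvents = maxEvents; _window = window; }

    // Key on the authenticated user, never on a value the client sends.
    public bool Allow(string userKey, DateTime nowUtc)
    {
        lock (_gate)
        {
            Queue<DateTime> q;
            if (!_seen.TryGetValue(userKey, out q))
                _seen[userKey] = q = new Queue<DateTime>();
            // Forget requests that have aged out of the window.
            while (q.Count > 0 && nowUtc - q.Peek() >= _window)
                q.Dequeue();
            if (q.Count >= _maxEvents)
                return false; // over the limit: caller rejects the request
            q.Enqueue(nowUtc);
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // The page's client polls every 7 s; 10 polls per 60 s leaves headroom.
        var polls = new ChatThrottle(10, TimeSpan.FromSeconds(60));
        var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed clock
        int human = 0, bot = 0;
        for (int i = 0; i < 20; i++)
        {
            if (polls.Allow("alice", t0.AddSeconds(7 * i))) human++; // 7 s cadence
            if (polls.Allow("bot42", t0.AddSeconds(i))) bot++;       // 1 s cadence
        }
        Console.WriteLine("alice {0}/20 allowed, bot42 {1}/20 allowed", human, bot);
    }
}
```

A throttle like this only caps how much any one account can do; a bot that behaves at the same pace as the real client still passes, which is the limit the answers describe.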