Prevent remote script using PHP CURL from logging into website

What are some methods that coul开发者_C百科d be used to secure a login page from being able to be logged into by a remote PHP script using CURL? Checking referrer and user agent won't work since those can be set with CURL. The ideal solution would be to solve this without using a CAPTCHA, that is the point of this question to try and figure out if this is possible.

One approach is to include some JavaScript in your login form, and make it so that the form cannot possibly be successfully submitted unless that JavaScript has run. This makes your login form only usable for people with JavaScript turned on, which CURL doesn't have. If the necessary JavaScript is some kind of challenge/response that differs every time (for instance use something like http://www.ohdave.com/rsa/ to make it non-trivial), the presence of the correctly set value in the form is good evidence that JavaScript ran.

You won't be able to stop all automated scripts though, it is easy enough to write scripts that drive an actual browser engine, and they will pass this test.

There isn't any way to prevent it simply. If the script knows the user name and password they will be able to login.

You could use a captcha so that automated logins won't be able to read it, but that will be a burden on actual users as well.

If you are concerned about it being used to try and brute force a login, then you could require some additional information after several attempts.

• Disable the account and require reactivation via email
• Require a captcha after several unsuccessful attempts

if I undestand correctly :

• you have login page what execute login script
• login script is hacked by remote cURL script...

Solution in login page place hidden element with secret unique code what can happend only once, save this secret code in session, in loging script look in session for this code, compare with what was posted to the script, should same to proceed, clear session...

more about subject: http://en.wikipedia.org/wiki/Cross-site_request_forgery

cURL is no different from any other client (e.g. a browser). You could use nonce tied to a session in a hidden input field to prevent POST requests from being made directly but there are still ways around that. It's also a good idea to limit the number of log in attempts per minute to make brute-force attacks more difficult if that's what you're worried about.