[Mall] project flash sale - hiding the flash-sale interface address

Each click of the flash-sale button generates a flash-sale address. The address is not hard-coded in the page; it is obtained from the server and spliced into the URL dynamically. (HTTP is transmitted in the clear and the front end cannot defend against a malicious user, so the security check has to be done on the server, which is what blocks these attacks.) This post records how the flash-sale interface address is hidden as a security optimization.

Implementation idea:

Before the flash sale is executed, the front end first asks the back end for a dynamic address path (the back end generates a random string and uses it as the path) and the random string is returned to the front end. The front end concatenates the string into a new URL (url: "/miaosha/" + path + "/do_miaosha") and uses it as the flash-sale address, then sends the request to the back end to start the flash sale.

The front-end code logic is as follows:

Interface code for obtaining the random string:

/**
 * Get the flash-sale path and verify that the CAPTCHA value is correct.
 * The annotation adds request interception, which in turn provides rate limiting.
 */
@AccessLimit(seconds = 5, maxCount = 5, needLogin = true)
@RequestMapping(value = "/path", method = RequestMethod.GET)
@ResponseBody
public Result<String> getMiaoshaPath(MiaoshaUser user,
                                     @RequestParam("goodsId") long goodsId,
                                     @RequestParam(value = "verifyCode", defaultValue = "0") int verifyCode) {
    if (user == null) {
        return Result.error(CodeMsg.SESSION_ERROR);
    }
    boolean check = miaoshaService.checkVerifyCode(user, goodsId, verifyCode);
    if (!check) {
        return Result.error(CodeMsg.REQUEST_ILLEGAL);
    }
    String path = miaoshaService.createMiaoshaPath(user, goodsId);
    return Result.success(path);
}

createMiaoshaPath method code (generates a random value, hashes it with MD5 into a path, stores it in the cache with a 60 s expiration time, and returns the random string to the front end):

/**
 * Create a temporary flash-sale address
 */
public String createMiaoshaPath(MiaoshaUser user, long goodsId) {
    if (user == null || goodsId <= 0) {
        return null;
    }
    String str = MD5Util.md5(UUIDUtil.uuid() + "123456");
    // Save the generated random string to redis
    redisService.set(MiaoshaKey.getMiaoshaPath, "" + user.getId() + "_" + goodsId, str);
    return str;
}

The path saved in redis looks as follows:

The path is then validated before the flash sale:

checkPath method code (the path submitted by the front end is compared with the cached path; if they match, the flash-sale logic below may proceed, otherwise the request is illegal):

/**
 * Verify the flash-sale address
 * @param user
 * @param goodsId
 * @param path
 * @return
 */
public boolean checkPath(MiaoshaUser user, long goodsId, String path) {
    if (user == null || path == null) {
        return false;
    }
    String pathOld = redisService.get(MiaoshaKey.getMiaoshaPath, "" + user.getId() + "_" + goodsId, String.class);
    return path.equals(pathOld);
}
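The same issue-and-check flow as createMiaoshaPath and checkPath above, as an added example in Python rather than the project's Java (a constructed in-memory stand-in replaces redisService, with an injectable clock so the 60 s expiry can be exercised). It assumes three hardenings the post does not show: a CSPRNG token instead of md5(uuid + fixed salt), a constant-time comparison, and deleting the path once it is used so a captured path cannot be replayed during its lifetime.

```python
import hmac
import secrets
import time
from typing import Optional

PATH_TTL_SECONDS = 60  # the 60 s cache expiry the post describes

class FakeRedis:
    # Constructed in-memory stand-in for redisService.set/get, with a per-key TTL.
    def __init__(self, clock=time.monotonic):
        self._data = {}      # key -> (value, expires_at)
        self._clock = clock  # injectable so a test can advance time
    def set(self, key: str, value: str, ttl: int) -> None:
        self._data[key] = (value, self._clock() + ttl)
    def get(self, key: str) -> Optional[str]:
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._data[key]  # expired: behave like a Redis key that is gone
            return None
        return value
    def delete(self, key: str) -> None:
        self._data.pop(key, None)

def path_key(user_id: int, goods_id: int) -> str:
    # Same "<userId>_<goodsId>" binding as MiaoshaKey.getMiaoshaPath in the post.
    return f"miaosha:path:{user_id}_{goods_id}"

def create_miaosha_path(store: FakeRedis, user_id: int, goods_id: int) -> Optional[str]:
    if goods_id <= 0:
        return None
    path = secrets.token_urlsafe(24)  # assumed hardening: CSPRNG, not md5(uuid + fixed salt)
    store.set(path_key(user_id, goods_id), path, PATH_TTL_SECONDS)
    return path

def check_path(store: FakeRedis, user_id: int, goods_id: int, path: Optional[str]) -> bool:
    if path is None:
        return False
    key = path_key(user_id, goods_id)
    expected = store.get(key)
    if expected is None:  # never issued for this user/goods, or already expired
        return False
    if not hmac.compare_digest(expected.encode(), path.encode()):
        return False
    store.delete(key)  # single use: a captured path cannot be replayed
    return True
```

Because the key is bound to both user id and goods id, a path issued to one user is rejected when presented by another, and a second use of the same path fails even inside the 60 s window.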

With the flash-sale interface address hidden in this way, a malicious user who has logged in can no longer harass the server by calling the flash-sale interface address over and over: the dynamic flash-sale address is generated from the user id and goods id only when the user actually clicks the flash-sale button.

However, this still does not stop bots from clicking the button frequently. To reduce the number of button clicks and to cope with high concurrency (many users sending large numbers of requests at the same time), a mathematical-formula CAPTCHA and interface anti-brushing (anti-abuse) optimizations also need to be added.

Origin blog.csdn.net/weixin_42687829/article/details/104512299