A method and system for preventing illegal access to server

A technology for preventing illegal access to a server, applied in the field of communication. It addresses the problems of insufficient resources, the server being unable to serve normal users, and information leakage, and achieves wide applicability while avoiding both the server being unable to serve normal users and information leakage.

Active Publication Date: 2021-07-09
HUNAN HAPPLY SUNSHINE INTERACTIVE ENTERTAINMENT MEDIA CO LTD

AI Technical Summary

Problems solved by technology

[0007] In the above interaction process, if a malicious client modifies the URL or its parameters, initiates a malicious request, or simulates a normal user to initiate a request, there is a risk of information leakage.
In addition, if malicious clients continue to initiate requests, the server will reject normal client requests due to insufficient resources, so the client cannot obtain the required data and the server cannot serve normal users.
[0008] To solve the above problems, the existing approach is generally to restrict the IP and UserAgent of the client that initiates the request, for example by limiting the number of requests a single IP can initiate within a fixed period of time, or by analyzing the behavior of an IP and putting suspicious IPs into a blacklist; IPs in the blacklist are not allowed to make requests.
However, this approach cannot prevent access that hammers ("brushes") the backend interface from scattered IPs with non-fixed requests.

Embodiment Construction

[0058] One implementation of the method for preventing illegal access to the server includes the following steps:

[0059] Step A1. The server generates a set of prompt code, session ID, session key and encryption key;

[0060] Step A2. The server encrypts the information formed by combining the prompt code, the session ID, and the session key with an encryption key to obtain encrypted information, where the encryption key is any number in the encryption key set;

[0061] Step A3. The server sends the encryption key set, prompt code and encrypted information to the client;

[0062] Step A4. The client receives the encryption key set, prompt code and encrypted information;

[0063] Step A5. The client selects an encryption key from the encryption key set to decrypt the encrypted information to obtain the decrypted information;

[0064] Step A6. Determine whether the prompt code contained in the decrypted information is consistent with the prompt code received by the client di...

Abstract

The invention discloses a method and system for preventing illegal access to a server, wherein the prevention method includes: A1. The server generates a prompt code and a session identifier; A2. Encrypt the prompt code and the session identifier to obtain encrypted information; A3. The encrypted information is sent to the client; A4. The client receives the information; A5. The client selects an encryption key to decrypt the encrypted information; A6. Determine whether the prompt code in the decrypted information is consistent with the prompt code received directly; if so, obtain the corresponding session ID and jump to A; otherwise, repeat A5-A6; A. The client generates the original resource URL; B. Combine the session ID and the original resource URL into a new URL; C. Send an access request based on the new URL; D. Judge whether there is a session ID in the new URL; if not, deny access; if so, execute E; E. Determine whether the session ID in the new URL is consistent with the pre-generated session ID; if not, deny access. The invention can identify whether an access request is legal and prevent illegal access to the server.
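The flow of steps A1-A6 and A-E, end to end, as an added example (not code from the patent or its applicant). The SHA-256 keystream XOR stands in for the cipher the page does not name; the `sid` query parameter, the JSON layout, the `example.test` URL, and running D-E on the server are assumptions.

```python
import hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

SESSIONS = set()  # server-side record of pre-generated session IDs

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption; the page names none): SHA-256 counter keystream, XORed.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def server_issue(n_keys: int = 4):
    """A1-A3: generate the values, encrypt under one key of the set, return what is sent."""
    key_set = [secrets.token_bytes(16) for _ in range(n_keys)]
    prompt, sid, skey = secrets.token_hex(4), secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS.add(sid)
    plain = json.dumps({"prompt": prompt, "sid": sid, "skey": skey}).encode()
    return key_set, prompt, _xor_stream(secrets.choice(key_set), plain)

def client_recover(key_set, prompt, blob):
    """A4-A6: try keys until the decrypted prompt code matches the one received in clear."""
    for key in key_set:
        try:
            info = json.loads(_xor_stream(key, blob))
        except ValueError:  # wrong key: output is not valid JSON text
            continue
        if isinstance(info, dict) and info.get("prompt") == prompt:
            return info["sid"]
    return None

def client_url(sid: str, resource: str = "https://api.example.test/v1/items?page=2") -> str:
    """A-B: combine the session ID with the original resource URL."""
    sep = "&" if urlparse(resource).query else "?"
    return resource + sep + urlencode({"sid": sid})

def server_check(url: str) -> str:
    """D-E: deny when the session ID is absent or does not match a pre-generated one."""
    sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
    if sid is None:
        return "denied: no session ID"
    if not any(hmac.compare_digest(sid.encode(), s.encode()) for s in SESSIONS):
        return "denied: unknown session ID"
    return "allowed"

if __name__ == "__main__":
    keys, prompt, blob = server_issue()
    url = client_url(client_recover(keys, prompt, blob))
    print(url, "->", server_check(url))
    print(server_check("https://api.example.test/v1/items?page=2"))
```

Step A3 delivers the key set together with the ciphertext, so the key trial in A5-A6 costs the client work but is not a secret; access control rests on the session ID checks in D and E.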

Description

Technical field

[0001] The invention belongs to the communication field, in particular to a method and system for preventing illegal access to a server.

Background technique

[0002] At present, most of the interactive interfaces between the client and the server are implemented through http, wherein the server provides external access interfaces, and these interfaces provide standard http services.

[0003] In the prior art, the process of interaction between the client and the server is as follows:

[0004] First, the client generates a resource URL (Uniform Resource Locator) to be requested, and sends an http request to the server.

[0005] Then, the server receives the request and returns the access result to the client.

[0006] Finally, the client parses the access result returned by the server and processes the corresponding business logic.

[0007] During the above interaction process, if a malicious client modifies the URL or its paramet...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06
Inventor: 李小红
Owner: HUNAN HAPPLY SUNSHINE INTERACTIVE ENTERTAINMENT MEDIA CO LTD