Server-Side Javascript Check

From Dawn of the Geeks

Sites that rely on ad revenue to survive are unfortunatly at a seeming disadvantage. The code used to display the ads can be disabled on the client side without being detected by the server.

This is actually not true. This page will describe a method for allowing the server to verify that javascript is enabled on the client's side or that an ad has been displayed. If the script is not run or the ad is not shown, subsequent page views can be denied until the user enables what needs to be enabled.

This method requires a server side scripting language and a database.

For the sake of this paper we'll use PHP and MySQL. Substitute PHP and MySQL for whatever server side scripting language and database you use.

Every page must allow PHP and will need the following code. dot.gif is a 1x1 transparent gif that the browser renders by default.

<script language="JavaScript" type="text/javascript">

function check()
{
document.somename.src='setjs.php';
}

</script>

<body onLoad="javascript:check();">
<img src="dot.gif" name = "somename" width=1 height=1 border=0>

<?
	include "ipcheck.php";
	if(!checkip())
		exit("you must have javascript enabled to browse this site.");			
?>

... 

the rest of the page

setjs.php needs the following code to generate the image for the browser

<?
	// return a valid 1x1 image to the browser
	// Date in the past
	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

	// always modified
	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

	// HTTP/1.1
	header("Cache-Control: no-store, no-cache, must-revalidate");
	header("Cache-Control: post-check=0, pre-check=0", false);

	// HTTP/1.0
	header("Pragma: no-cache");
	Header("Content-type: image/png");

	$im = ImageCreateTrueColor(1,1);

	Imagejpeg($im);
	ImageDestroy($im);
?>

This will cause the files to return a valid image that the browser can display so a broken image doesn't display to the user.

However, in ipcheck.php, the checkip function will connect to the database and see if the IP has requested a page from the server before. If not, the script will add the IP to the database, set the number of hits to 1 and set the Javascript flag to 0. It will also put the timestamp in the database. The script will then return true and the browser will continue rendering the page. However, if the IP is in the database and shows a hit > 1 with a recent timestamp but the Javascript flag is 0, the script will return false and the page only display the 1x1 test image so that the user can activate javascript and refresh the page to be allowed to access the site.

Setting the flag back to 0 after a successful pageview with javascript enabled will require the ability for the client to display javascript to be revalidated. This prevents the user from allowing javascript on the first hit and then disabling it for the rest of the visit to the site.

The sequence of events

checkip(): 
	if IP is not yet logged or timestamp > 30 minutes
		timestamp logged
		javascript flag defaulted to 1;
		hits set to 1; 
		return true;
	else
		if(javascript flag == hits)
			hits++;
			return true;
		else
			return false;
		end if
	end if
		
	
setjs.php: 
	javascript flag++;
		

The net result is that every 30 minutes the user will get a "free" page. All pages in between must have javascript enabled. The checkip counts the number of hits and the setjs.php image script counts the successful image views. If the hits and image views are not equal then javascript is not enabled and the user can then be denied access to the site.