 

Preventing the User from posting fake AJAX requests (Ensure AJAX requests only come from app)

I'm working on a web app where certain actions earn a user 'karma'. The karma increment is a simple AJAX request that increments a number in the DB. Now what's to prevent a user from making duplicate AJAX requests manually and incrementing their own score again and again?

Edit: The activity that earns the user karma is all happening client-side using JavaScript. So there is no way for the server to know if it's a 'real' request coming from the app or a 'fake' request created by the user typing $.post on the console.

Edit 2: Found a similar SO question dealing with this problem. Sounds like the answer is, security by obfuscation is the best bet. Guaranteed security is not possible. So any suggestions for encryption tools etc. that would make the content of the AJAX calls harder to read would be appreciated.

asked Jul 12 '12 14:07 by udit (284 likes)

1 Answer

Rather than trying to stop people from cheating, you should focus on minimising the adverse effect that cheaters will have on non-cheaters:

If karma is being used as a 'high score' and you're worried about the user earning karma faster than they should then consider keeping a timestamp of the last time they earned karma and reject a request if it's too soon, and/or set a daily limit on karma earned so they can't automate the process when they're not at the keyboard.

If the action that earns karma for a user also has an effect on other users then it should be one AJAX call that triggers both effects.

answered Nov 03 '22 07:11 by DaveMongoose (173 likes)
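The two server-side controls the answer recommends (a cooldown since the last award and a daily cap), written out as an added example; this is not code from the question, the answer, or any project they refer to. It assumes a hypothetical in-memory store and a single `perform_action` endpoint that does the real work and decides about karma itself, so the client never gets a separate "increment my karma" request to replay. In a real deployment the same two fields (last award time, daily count) would live on the user's database row and the check and update would run in one transaction.

```python
"""Server-side karma awarding with a cooldown and a daily cap.

Added example, not the original page's code. The store is an in-memory dict
(an assumption for the demo); a real app would persist KarmaRecord per user.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Fixed reference instant so that simulations are deterministic.
EPOCH = datetime(2012, 7, 12, 14, 7, tzinfo=timezone.utc)


def at(seconds: float) -> datetime:
    """Instant `seconds` after EPOCH (helper for simulations and tests)."""
    return EPOCH + timedelta(seconds=seconds)


@dataclass
class KarmaRecord:
    karma: int = 0
    last_award: Optional[datetime] = None
    daily_count: int = 0
    daily_window_start: Optional[datetime] = None


class KarmaService:
    def __init__(self, cooldown_seconds: int = 60, daily_limit: int = 50):
        self.cooldown = timedelta(seconds=cooldown_seconds)
        self.daily_limit = daily_limit
        self.records: Dict[str, KarmaRecord] = {}

    def perform_action(self, user_id: str, action: str, now: datetime) -> dict:
        """The one endpoint the client calls for a karma-earning action.

        The server applies the action's real effect first, then decides on
        its own whether it earns karma. Replaying this request only repeats
        the rate-limited award check; there is no separate "add karma" call.
        """
        rec = self.records.setdefault(user_id, KarmaRecord())
        # ... apply the action's side effects here (store the comment, vote, ...)
        granted, reason = self._award(rec, now)
        return {"action": action, "karma": rec.karma,
                "granted": granted, "reason": reason}

    def _award(self, rec: KarmaRecord, now: datetime) -> Tuple[bool, str]:
        # Start a fresh daily window when the old one (24h) has elapsed.
        if (rec.daily_window_start is None
                or now - rec.daily_window_start >= timedelta(days=1)):
            rec.daily_window_start = now
            rec.daily_count = 0
        # Reject awards that arrive too soon after the previous one.
        if rec.last_award is not None and now - rec.last_award < self.cooldown:
            return False, "cooldown"
        # Reject once the user has hit the per-day cap.
        if rec.daily_count >= self.daily_limit:
            return False, "daily_limit"
        rec.karma += 1
        rec.daily_count += 1
        rec.last_award = now
        return True, "ok"


def simulate_replay(service: KarmaService, user_id: str,
                    requests: int, interval_seconds: float) -> int:
    """Replay `requests` identical requests `interval_seconds` apart,
    starting at EPOCH, and return the user's resulting karma."""
    karma = 0
    for i in range(requests):
        result = service.perform_action(user_id, "comment", at(i * interval_seconds))
        karma = result["karma"]
    return karma


if __name__ == "__main__":
    # A user hammering $.post 1000 times, one second apart, with a 60 s
    # cooldown only collects an award every 60th request.
    print(simulate_replay(KarmaService(60, 50), "alice", 1000, 1))
    # A script that respects the cooldown still stops at the daily cap.
    print(simulate_replay(KarmaService(60, 50), "bob", 200, 60))
```

With a 60 s cooldown and a cap of 50, the thousand-request burst yields 17 awards and the patient 200-request script yields 50; both limits are enforced from server-side state, so nothing the client sends or obfuscates changes the outcome.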