Answer the question
In order to leave comments, you need to log in
How to protect voting from session spoofing?
Problem:
There is a vote, several answers randomly appear on the page. There are a lot of them in the database. These options are constantly changing and each has its own identifier. An md5 hash is written to the session, formed from the options displayed on the page + salt. When sending data to the server, the script receives all these IDs, generates a hash from them and compares them with those recorded in the session. Those. a simple substitution of ID when sending data to the server will not work. But, theoretically, an attacker can remember all the ids from the last vote, remember what hash was issued with them, and the next time the page is updated, change all these ids and change the hash in the session, so that the vote will again be verified.
Question:
How can you protect yourself from this? Do not offer authorization, voting is open to everyone. I thought to save some additional Inca in cookies, but again, you can change everything. Or can somehow make a dynamic hash? So that it always turns out different? And what is the best way to do it? In general, I'm looking for advice.
Thanks in advance!
Answer the question
In order to leave comments, you need to log in
Through the Flash application, you generate a hash (your key, session, IP, capabilites , etc.) and check it on the server.
You can decompile, of course, but there will be fewer false positives and "cheating" votes.
an attacker can remember all IDs from the last voteyou form a unique ID and a hash for each vote and there are no problems.
He will not be able to change the hash in the session, at most change the session id to another user, just check the data that came to you (make a unique name in each checkbox) from the page with those stored in the session (even if the same unique names or their hash) , if they match, write down the result, if not, then no. But always remove data from session after validation.
will change all these IDs and change the hash in the sessionI understand correctly, you have a hash in $_SESSION? How can the user change it?
Yes, nothing will help you. If someone wants to cheat the vote, he will do it so that you do not invent there. The only more or less option is binding to IP, tk. it is theoretically the most difficult to change, all other values are easily faked in queries.
Just look at all the headers and parameters in the request and think how easy it is to change one or the other to make the user look like new/old
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question