PHP
Maxon, 2014-11-06 18:07:24

How to protect voting from session spoofing?

Problem:
There is a vote, and several answer options appear on the page at random. There are a lot of them in the database. These options change constantly and each has its own identifier. An md5 hash, formed from the options displayed on the page plus a salt, is written to the session. When the data is sent to the server, the script receives all these IDs, generates a hash from them and compares it with the one recorded in the session. I.e., simply substituting an ID when sending data to the server will not work. But, theoretically, an attacker can remember all the IDs from the last vote, remember which hash was issued with them, and the next time the page is refreshed, swap in all those IDs and change the hash in the session, so that the vote is verified again.
Question:
How can you protect yourself from this? Please don't suggest authorization; the vote is open to everyone. I thought about storing some additional info in cookies, but again, all of that can be changed. Or can a dynamic hash somehow be made, so that it always comes out different? And what is the best way to do it? In general, I'm looking for advice.
Thanks in advance!


4 answer(s)
xmoonlight, 2014-11-06
@xmoonlight

Through a Flash application, you generate a hash (your key, session, IP, capabilities, etc.) and check it on the server.
You can decompile, of course, but there will be fewer false positives and "cheating" votes.

"an attacker can remember all IDs from the last vote"
You form a unique ID and a hash for each vote, and there are no problems.
Extra!: IP+DNS voter blocking - should help.

Nikita Roschenko, 2014-11-06
@Avillions

He will not be able to change the hash in the session; at most he can change the session id to another user's. Just check the data that came to you from the page (give each checkbox a unique name) against what is stored in the session (even just the unique names or their hash); if they match, record the result, if not, don't. But always remove the data from the session after validation.
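
The check Nikita describes, written out as an added example (it is not code from the question or from any of the answers). It assumes the session store is passed in as an array so the script runs without session_start(); in a real handler you would pass $_SESSION. The function names and the sample option IDs are made up for the example. Because the session lives on the server, the client never sees the stored option set, so the md5-plus-salt step from the question is not needed; what matters is that the challenge is unpredictable, that the chosen ID was actually among the ones shown, and that the stored state is consumed on the first submit so an old page cannot be replayed.

```php
<?php
// Added example: one-time vote challenge kept in the server-side session.
// Not code from the question or any answer; names and sample IDs are invented.
declare(strict_types=1);

/**
 * Render side: remember which options this page showed and issue a one-time token.
 * $session is the session array ($_SESSION in a real script, passed by reference).
 */
function issueVoteChallenge(array &$session, array $shownOptionIds): string
{
    $token = bin2hex(random_bytes(16));   // unpredictable, unique per page render
    // A reload replaces the previous pending challenge, so only the latest
    // set of displayed options can ever be answered.
    $session['pending_vote'] = [
        'token'   => $token,
        'options' => array_values(array_map('intval', $shownOptionIds)),
        'issued'  => time(),
    ];
    return $token;                        // goes into a hidden form field
}

/**
 * Submit side: accept the vote only if it answers the challenge this session
 * was issued, and consume that challenge whether the check passes or not.
 */
function verifyVote(array &$session, string $token, int $chosenOptionId, int $maxAgeSeconds = 600): bool
{
    $pending = $session['pending_vote'] ?? null;
    unset($session['pending_vote']);      // one-time use: remove before deciding
    if ($pending === null) {
        return false;                     // nothing issued, or already consumed
    }
    if (time() - $pending['issued'] > $maxAgeSeconds) {
        return false;                     // stale page; make the user reload
    }
    if (!hash_equals($pending['token'], $token)) {
        return false;                     // token from another render or session
    }
    // The chosen ID must be one the server itself showed on that render.
    return in_array($chosenOptionId, $pending['options'], true);
}

// --- demo with a constructed session array and constructed option IDs ---
function report(string $case, bool $ok): void
{
    printf("%-45s %s\n", $case, $ok ? 'accepted' : 'rejected');
}

$session = [];
$token = issueVoteChallenge($session, [17, 42, 99]);
report('issued token, option that was shown', verifyVote($session, $token, 42));
report('same token submitted a second time', verifyVote($session, $token, 42));

$token2 = issueVoteChallenge($session, [5, 6, 7]);
report('new render, ID from the previous render', verifyVote($session, $token2, 42));

$token3 = issueVoteChallenge($session, [5, 6, 7]);
report('new render, token from an old render', verifyVote($session, $token, 6));
```

Run it with `php vote_challenge.php`; only the first case is accepted, the other three are rejected. If you also want the binding to the client address that Alex mentions, store the address in the pending record at render time and compare it on submit; keep in mind that users behind a shared NAT will then all look like one voter, which is a limitation of that approach rather than of this code.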

OlegLazarenko, 2014-11-06
@OlegLazarenko

"will change all these IDs and change the hash in the session"
Do I understand correctly that you have the hash in $_SESSION? How can the user change it?

Alex, 2014-11-07
@shoomyst

Yes, nothing will help you. If someone wants to cheat the vote, he will do it no matter what you come up with. The only more or less workable option is binding to IP, since it is theoretically the hardest to change; all other values are easily faked in requests.
Just look at all the headers and parameters in the request and think about how easy it is to change one or another of them to make the user look new/old.
