Tricky problem

Nick

I have the need to return some data back to the server when a Submit button
is pressed on a web page. However I don't want anybody to know about the
mechanism for sending the data back, because it could be open to abuse. For
example, if I do some javascript on the submit button, which gets this
"secret" information and munges it onto the Action property of a Form tag,
anyone with a basic understanding of javascript would be able to work out
how to spoof my site.

While the user is viewing a certain web page, they click certain things and
this is to be tracked and returned to the server. However this is a kind of
betting site, and it is important I circumvent any abilities to cheat.
Seeing how data is submitted would be one way people could learn to cheat.
One idea I had was to include a flash object, and talk to the flash object.
Then when submit is invoked, get the data out and send. But this idea fails
because at the submit point, I still have to get the data out and munge it
for sending, which is no different from above really.

Does anyone have any idea on how I could solve this problem?
 
Juno

Hi,

On the client side, you can hide nothing if you use html or javascript.
So you can write an ActiveX or winform dll, and then embed it in the web page with
<object....>.
Use these objects to communicate with the server directly without submitting the
page.
 
Nick

Juno thanks...I hadn't thought of using a winform dll - does this mean I can
somehow get the winform dll loaded clientside automatically?
 
Rocky Moore

Of course, every client would have to have .NET installed to use a
winform.dll... And even if they do, they could use a decompiler and still
find out what is going on. The same goes for flash or virtually any other
client side solution. It is best to figure a method to keep operations on
the server side if at all possible.

You said it was a betting type site, if there is money involved, you could
open yourself to problems if you depend on the client side for anything.

--
Rocky Moore
www.HintsAndTips.com / Share your tips - Earn rewards
www.MyQuickPoll.com / 2004 Election poll ID #33
www.GotTheAnswerToSpam.com / Block virtually all spam email
www.RJSoft.com/Products/RJContentPanel/ - Free web user template content
control!
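
The advice in the post above (keep operations on the server side), as an added example that is not part of the thread or any poster's code: the browser sends only a round id, a choice and a stake, and the server decides everything else from its own state, so knowing how the submit works gives no advantage. All names, rules and the fixed winner are hypothetical and constructed for the illustration.

```javascript
// Added example, not from the thread. Names and betting rules are hypothetical.
// Runs as CommonJS or as an ES module: only randomUUID() is needed.
const rnd = typeof require === "function" ? require("node:crypto") : globalThis.crypto;

const rounds = new Map();   // roundId -> state that never leaves the server
const balances = new Map(); // userId  -> balance in whole credits

// Open a round. The winner is passed in here only to keep the run
// deterministic; the point is that it is stored server-side and never sent.
function openRound(userId, options, winner, now, ttlMs = 30000) {
  const roundId = rnd.randomUUID(); // unguessable handle
  rounds.set(roundId, { userId, options, winner, expires: now + ttlMs, settled: false });
  return { roundId, options };      // everything the browser receives
}

// Handle a submit. `body` is untrusted: assume the user can craft any request.
function submitBet(userId, body, now) {
  if (!body || typeof body !== "object") return { ok: false, error: "bad request" };
  const round = rounds.get(String(body.roundId));
  if (!round || round.userId !== userId) return { ok: false, error: "unknown round" };
  if (round.settled) return { ok: false, error: "already settled" };
  if (now > round.expires) return { ok: false, error: "round expired" };
  if (!round.options.includes(body.choice)) return { ok: false, error: "invalid choice" };
  const stake = body.stake;
  const balance = balances.get(userId) ?? 0;
  if (!Number.isInteger(stake) || stake < 1 || stake > balance) {
    return { ok: false, error: "invalid stake" };
  }
  round.settled = true; // single use: a replayed request is rejected
  // Outcome and payout come from server state only; fields such as
  // body.won or body.payout are never read.
  const won = body.choice === round.winner;
  const newBalance = balance + (won ? stake : -stake);
  balances.set(userId, newBalance);
  return { ok: true, won, balance: newBalance };
}
```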
 
Lau Lei Cheong

If you are only concerned about the idea of spoofing, maybe using https with an
ActiveX component will do the job.

From my understanding using https alone will greatly increase the trouble
for someone to spoof on your website.
 
Nick

Rocky Moore said:
Of course, every client would have to have .NET installed to use a
winform.dll... And even if they do, they could use a decompiler and still
find out what is going on. The same goes for flash or virtually any other
client side solution. It is best to figure a method to keep operations on
the server side if at all possible.

Didn't realise you can decompile flash if it is a swf file?

Rocky Moore said:
You said it was a betting type site, if there is money involved, you could
open yourself to problems if you depend on the client side for anything.

A colleague has mentioned using a Java applet for the main security related
aspects. Could be a better idea.
 
