
Okay, firstly I have a question, that question being: can people view what posts are being sent? For example, in a flash game, when a POST is made to a web page, is there any way a user can view that POST's data?

If they can then my original idea of posting a password wouldn't work. But I didn't think a password would be that efficient anyway.

So... what's the best way to make it so source A can only post to source B?

I hope you can understand what I'm trying to achieve here.

wallyk
Jordan Richards
  • Who do you mean by "people" exactly - the user making the request? Everyone else? Why do you need this restriction, can you elaborate? – Pekka Aug 04 '12 at 21:19
  • I think you should elaborate a bit on your specific situation and what you are trying to prevent. – Pekka Aug 04 '12 at 21:20
  • You cannot prevent, in any way/shape/form, the user from inspecting what their browser is doing. To see how easy it is to view your flash communications, install HTTPFox and/or Firebug and you can view EVERYTHING. SSL does not protect this, because SSL only applies to the wire communications. – Marc B Aug 04 '12 at 21:48

1 Answer


[...] is there any way a user can view that POST's data?

Yes. The user can inspect what is sent from his computer.

If you for instance have a game and want to submit some high score, then there is basically no way to make sure that the user doesn't perform hand-crafted posts with arbitrary score.

So.. what's the best way to make it so source A can only post to source B.

Not sure what you mean by this, but if you want to make sure that only posts from a specific client are processed by the server, then I believe you should simply establish a session using for instance cookies.


If you're facing the scenario where you have to for instance submit a highscore you have a few options:

  • You could apply some cipher on the data being sent. This won't stop anyone trying to hack the game and submit arbitrary scores, since he can always look at the code and figure out how to create these cipher texts himself. You can make this process harder by obfuscating the code, but there's basically no way to be 100% secure.

  • You can monitor every action in the game and verify that the final score is the result of a valid game-play on the server. The user would then have to hand-craft a complete legal game play in order to fake a score.

  • You can do the above, but record all actions in the game, and do a "post-game check" on the server side and verify that the final score is the result of a valid game.


You say it's very critical. In that case you're either out of luck, or there is some application specific feature you can exploit to work around it.

aioobe
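The server-side "post-game check" from the answer's last two options, as an added example that is not code from the question, the answer, or any real game: the client sends its action log together with the score it claims, and the server never trusts the claimed number. It replays the log under its own copy of the rules, rejects logs that could not have come from a legal game, and accepts only when its own recomputed score matches. The game rules (a "hit" scores 10 points, hits must be at least 100 ms apart, a game lasts at most 60 s), the JSON submission shape, and the sample submissions are all assumptions constructed for this illustration. As the answer notes, a determined attacker can still hand-craft a log that is legal under these rules; the check raises the cost of cheating rather than making it impossible.

```python
"""Server-side replay check for a submitted high score (added example)."""
import json

# Assumed game rules; a real game would use its own state machine here.
POINTS_PER_HIT = 10
MIN_HIT_INTERVAL_MS = 100   # anything faster than this is not a human (or the client)
MAX_GAME_LENGTH_MS = 60_000  # one game lasts at most 60 seconds


def replay_score(actions):
    """Recompute the score from the action log under the server's own rules.

    Returns the score, or None if the log could not have come from a legal game
    (bad timestamps, impossible hit rate, unknown action types).
    """
    score = 0
    last_t = None       # for monotonic timestamps
    last_hit_t = None   # for the minimum interval between hits
    for action in actions:
        if not isinstance(action, dict):
            return None
        kind = action.get("type")
        t = action.get("t")
        if not isinstance(t, int) or isinstance(t, bool):
            return None
        if t < 0 or t > MAX_GAME_LENGTH_MS:
            return None  # outside the possible duration of a game
        if last_t is not None and t < last_t:
            return None  # timestamps must never go backwards
        last_t = t
        if kind == "hit":
            if last_hit_t is not None and t - last_hit_t < MIN_HIT_INTERVAL_MS:
                return None  # faster than the game can physically produce
            score += POINTS_PER_HIT
            last_hit_t = t
        elif kind == "miss":
            continue  # legal action that scores nothing
        else:
            return None  # unknown action type: treat as tampering
    return score


def accept_submission(body):
    """Validate a JSON submission of the assumed shape {"score": int, "actions": [...]}.

    Returns (accepted, server_score, reason). The claimed score is only ever
    compared with the replay result; it is never stored as-is.
    """
    try:
        data = json.loads(body)
        claimed = data["score"]
        actions = data["actions"]
    except (ValueError, KeyError, TypeError):
        return False, None, "malformed submission"
    if not isinstance(claimed, int) or isinstance(claimed, bool) or not isinstance(actions, list):
        return False, None, "malformed submission"
    server_score = replay_score(actions)
    if server_score is None:
        return False, None, "action log is not a legal game"
    if server_score != claimed:
        return False, server_score, "claimed score does not match replay"
    return True, server_score, "ok"


# Constructed sample submissions (not captured from any real client).
_HONEST_ACTIONS = [{"type": "hit", "t": t} for t in (0, 150, 300, 450, 600)]
HONEST = json.dumps({"score": 50, "actions": _HONEST_ACTIONS})
# Same legal log, but the score field was edited in the POST body.
FORGED_SCORE = json.dumps({"score": 999999, "actions": _HONEST_ACTIONS})
# Score and log agree, but 1,000 hits one millisecond apart cannot happen.
FORGED_LOG = json.dumps({"score": 10000,
                         "actions": [{"type": "hit", "t": i} for i in range(1000)]})

if __name__ == "__main__":
    for name, body in (("honest", HONEST), ("forged score", FORGED_SCORE), ("forged log", FORGED_LOG)):
        print(name, accept_submission(body))
```

Tampering with the score field alone is caught because the replay disagrees with it; tampering with the log is caught only as far as the rules encode what a real game cannot do, which is why the interval and duration limits matter more than the arithmetic.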