I want to design a 'like/dislike' system for my webapp. I'm thinking about something like 'http://mywebapp/like/'. If a user makes an ajax call to the already mentioned url, it will like the item on behalf of the user. So, is there any security flaw in my idea? [EDIT 1] Can a malicious user make ajax calls and have his/her vote counted? If yes, then what can I do to prevent it?
1 Answer
From the small amount of detail you've given it's hard to make a judgement. However, if your authentication system is structurally sound and you're routing the like to a specific entity correctly, i.e. if it's on the page then it simply uses the referring url to get the item to like, then this could work quite well; and at this point if, hypothetically, all of your code is perfect, then you shouldn't have any security flaws from this idea so far.
For future reference, try to be a lot more specific, and especially in these kinds of questions, detail is a firm necessity. It is impossible to say how secure something is before it has been created.

– Michael Zaporozhets
- Is there any way I can check the referring url (the point where the ajax call originated from)? – Rajat Saxena Sep 08 '12 at 11:20
- Yep, in PHP: `$_SERVER['HTTP_REFERER'];` however this is unreliable; take a look at this though: http://stackoverflow.com/questions/1864583/get-original-url-referer-with-php – Michael Zaporozhets Sep 08 '12 at 11:27
- Yes, it's the Referer HTTP header, and no, it is not reliable. The only people that use this info are for statistics, not code. – Christian Sep 08 '12 at 11:27
- So how can I check that an ajax call originated from a legitimate page? – Rajat Saxena Sep 08 '12 at 11:29