I'm not aware of any way that a js like this could be cheated ...
Are you?
| [reply] |
Ignoring it.
If you put in the page a js that detects the time interval between get and post, it must pass its result as a post parameter.
If I decide to cheat, I can make a post setting the value to anything I like.
You can use javascript, cookies, anything you want but in the end the server sees only what I pass it in the post...
This is the fundamental reason against the use of client-side only validation of data: one can always bypass them.
A working strategy could be to assign (server-side) a unique identifier to every get of every page, store it in a db along with a timestamp, and compute the interval (server-side) between the post time and the get stored timestamp. This is certainly possible, but would be an enormous overhead.
And, last but not least, cui prodest?
Update: bootnote: I don't think that the idea in itself is good: most of my (few) downvotes are to badly formatted and incomprehensible questions. You don't need (and don't want to spend) much time to decide that a question saying "HELP!!! MY PROGRAM DOESN'T WORK!!!!!" doesn't deserve an answer...
Careful with that hash Eugene.
| [reply] [d/l] [select] |
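The server-side strategy described in the post above, sketched as an added example (not code from this thread or from the site itself): the server issues a random id on GET, stores it with its own timestamp, and on POST computes the interval from that stored row only. The table name, function names and the `MIN_SECONDS` threshold are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

MIN_SECONDS = 5.0  # assumed policy threshold, not a value from the thread

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE page_view (token TEXT PRIMARY KEY, issued_at REAL NOT NULL)")
    return db

def issue_token(db, now=None):
    """Call while rendering the GET; embed the returned id in a hidden form field."""
    token = secrets.token_urlsafe(16)
    issued = time.time() if now is None else now
    db.execute("INSERT INTO page_view VALUES (?, ?)", (token, issued))
    return token

def check_post(db, form, now=None):
    """Call on POST; returns (accepted, reason). Timing comes only from the server's row."""
    now = time.time() if now is None else now
    token = form.get("token", "")
    row = db.execute("SELECT issued_at FROM page_view WHERE token = ?", (token,)).fetchone()
    if row is None:
        return False, "unknown or reused token"
    # Single use: delete the row so one GET cannot back several POSTs.
    db.execute("DELETE FROM page_view WHERE token = ?", (token,))
    if now - row[0] < MIN_SECONDS:
        return False, "too fast"
    return True, "ok"

def demo():
    db = open_store()
    t1 = issue_token(db, now=1000.0)
    # Constructed POST: the client claims 60 s elapsed; that field is never read.
    forged = check_post(db, {"token": t1, "elapsed": "60"}, now=1001.0)
    replay = check_post(db, {"token": t1}, now=1030.0)
    t2 = issue_token(db, now=2000.0)
    honest = check_post(db, {"token": t2}, now=2012.0)
    made_up = check_post(db, {"token": "made-up"}, now=2012.0)
    return forged, replay, honest, made_up

if __name__ == "__main__":
    for result in demo():
        print(result)
```

This establishes only that the stated time passed between the GET and the POST as measured by the server; it says nothing about what the client did in between.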
So it seems that there are methods to prohibit cheating.
| [reply] |
MY PROGRAM DOESN'T WORK, TOO!!!! Please send the codez :-D
| [reply] [d/l] |
In principle you can't rely on anything that comes from the client. A javascript is useless in such a context unless it sends something to the server. That can easily be intercepted or modified.
There are a myriad of other possibilities to manipulate javascript - for example you can override some behaviour with custom js (via Greasemonkey), automatically patch it on downloading, fiddle with the js interpreter etc.
Remember, perlmonks is regularly used by geeks who know very well how to deal with web technology. Just because you can't cheat something doesn't mean it can't be cheated at all.
| [reply] |