in reply to Re^4: A question about web service security
in thread A question about web service security
Of course not. Anybody can always send anything. You can either make sure nothing they can send can be a lie (by not letting them say various things), or accept that your results are full of lies.
In this case, it sounds well backward that you're somehow letting the client tell you "+/- X refos" rather than "task X completed". But of course how can you be sure that the task is actually completed? Only by calculating it on trusted code (i.e., the server).
That doesn't mean you have to do it real-time, and it doesn't mean it has to be synchronous either. You could do it on the client, and then at the end roll up all the "things the user did" and send them to the server to double-check. Or send stuff as you go along, but assume it's correct before waiting for the server's response, and only rolling back if the server tells you "no, you're lying".
But no matter what you do, you can't get around the law:
Never put anything on the client. The client is in the hands of the enemy. Never ever ever forget this.
Anything code you're running on the user's machine knows, the user knows. Anything it can send to you, the user can send to you, whenever and however often they want. You can try to make it "not worth their time" to do so, but unless you do it by "making nobody care about the results" (which is generally not what you want ;), it's an arms race you're going to lose.