0

I need to encrypt a string at client side and send it to the server. Once there I need to decrypt it.

Is the Using Password-Based Encryption the best solution?

I need it because I have a voting mechanism, where I send ajax posts to vote an entry. This mechanism use the Facebook id from the current user. My goal is to encrypt the FB id from client side to avoid that they hack it by sending requests with differents ids. If a second post with the same id is sent I will block the vote.

Once the id is decrypted I will check if it is a real FB user using the graph.

4

3 回答 3

3

Javascript 加密在这里无济于事。任何优秀的侦探/黑客都可以看到它是如何在客户端上完成的,并查看数据在加密之前是什么,并查看它是如何加密的。

防止用户多次投票的唯一方法是将投票绑定到您既可以在服务器上验证的帐户或令牌,也可以绑定到特定用户,这对于用户来说不容易创建许多不同的帐户. 一般来说,您可能无法完全阻止这种情况,但是您可以通过使其需要足够的步骤(包括某种验证码,使其无法自动化)来制造足够多的麻烦,以至于大多数人都不会这样做。

SSL 将保护客户端/服务器通信,但不会做任何事情来阻止客户端做您不希望他们做的事情。

于 2013-10-10T04:22:24.647 回答
0

正如您已经被告知的那样,“加密”在这里没有任何意义(因为可以在加密之前操纵客户端加密的值),SSL当然也不能解决这个问题。

而是将用户的访问令牌发送到服务器。然后使用/me

于 2013-10-10T07:01:18.863 回答
0

Considering that there is no authentication an HTTP fingerprint can be used to check if requests with different userId come from the same user.

Fingerprint will be create from HTTP request data like:

-user agent
-language
-IP
-charset

and other data present in the http request.

于 2013-10-15T03:57:38.750 回答