
Securing vote buttons like in stackoverflow

How do I secure vote buttons server-side like here on Stack Overflow? I've seen how the button can be submitted in this answer, but what about the server side: how do I protect the voting system from CSRF attacks and the like?

Bots generally don't run JavaScript, so just check on the server side whether it was an AJAX call.

If you want to be more protected, maybe append a param generated automatically by JavaScript with some calculation based on the current time, then check on your server whether it matches the same calculation.

A widely accepted way to protect from CSRF is to use a nonce. When the button is clicked and a request is submitted via AJAX or POST data, a nonce value is passed along with it. That nonce is then verified on the backend. You can have that nonce value stored in the session upon generation, possibly using hashing / salting so that the nonce can be specific to a certain action, i.e. 'vote-up', 'vote-down', etc.

See: need help understanding nonce
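The per-action, single-use nonce scheme the answer above describes, as an added example that is not part of the original post or answer. It assumes a dict standing in for the server-side session (with an `id` key), an in-process server secret, and a toy `handle_vote` handler; the nonce is stored in the session when issued, bound to the session and the exact action with an HMAC, expires after a TTL, and is consumed on first successful use so a replayed request is rejected.

```python
import hmac
import hashlib
import secrets
import time

# Assumption: one random secret per deployment; real code loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
NONCE_TTL_SECONDS = 3600  # how long an issued nonce stays valid

def _sign(session_id, action, nonce, issued):
    """HMAC over session id, action and nonce: ties the token to this session and this action."""
    msg = f"{session_id}|{action}|{nonce}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_nonce(session, action):
    """Create a single-use nonce for one action (e.g. 'vote-up') and record it in the session.

    The value returned is what the page embeds in the form or AJAX payload.
    """
    nonce = secrets.token_urlsafe(16)
    issued = int(time.time())
    session.setdefault("nonces", {})[nonce] = {"action": action, "issued": issued}
    return f"{nonce}.{issued}.{_sign(session['id'], action, nonce, issued)}"

def verify_nonce(session, action, token, now=None):
    """Return True only if `token` was issued to this session for exactly this action,
    has not expired, and has not been used before. A valid token is consumed."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued_s, sig = token.split(".")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    record = session.get("nonces", {}).get(nonce)
    if record is None or record["action"] != action or record["issued"] != issued:
        return False  # unknown nonce, or a 'vote-up' nonce presented for 'vote-down'
    if now - issued > NONCE_TTL_SECONDS:
        del session["nonces"][nonce]
        return False
    if not hmac.compare_digest(_sign(session["id"], action, nonce, issued), sig):
        return False  # constant-time comparison; tampered or forged token
    del session["nonces"][nonce]  # single use: the same token cannot be replayed
    return True

def handle_vote(session, form):
    """Toy request handler (hypothetical): returns an HTTP status code for a vote request."""
    action = form.get("action")
    if action not in ("vote-up", "vote-down"):
        return 400
    if not verify_nonce(session, action, form.get("csrf_nonce", "")):
        return 403
    return 200  # the vote itself would be recorded here

if __name__ == "__main__":
    sess = {"id": "constructed-session-id"}
    token = issue_nonce(sess, "vote-up")
    print(handle_vote(sess, {"action": "vote-down", "csrf_nonce": token}))  # 403: wrong action
    print(handle_vote(sess, {"action": "vote-up", "csrf_nonce": token}))    # 200
    print(handle_vote(sess, {"action": "vote-up", "csrf_nonce": token}))    # 403: already used
```

Because the nonce is looked up in the session and compared with a constant-time check, a forged request from another origin has nothing to copy: the attacker's page cannot read the victim's session or the token embedded in the victim's page. The action binding means a token issued for a harmless action cannot be redirected to a vote.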

The easiest and most effective way is probably to require all users who desire to vote to sign up, so that you can keep track of who is voting on each post. As soon as you know who every voter is, you save the user id along with every vote; then you can easily validate that the user hasn't previously voted on a specific question.

Then of course you have to protect your sign-up form, to make sure that bots can't register, but that can be done using reCAPTCHA and other similar methods. You will probably also try to limit users from registering more than one account. That is of course tricky, but you can at least start off by requiring a unique email address for every account, or make use of some third-party authentication like Google, Facebook etc.

If you don't want to require sign-up, then I guess you have to fall back on registering the IP address of every vote, but going down that road is trickier. Bots will probably use a whole range of IP addresses, and you might end up blocking votes from different users who happen to share the same IP - which can be really annoying.
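The "one vote per user per post" rule from the answer above, as an added example that is not part of the original answer. It assumes an in-memory SQLite table standing in for the real database and integer user and post ids. The important choice is that uniqueness is enforced by the database's primary key rather than by a check-then-insert in application code, so two concurrent requests from the same user cannot both slip through.

```python
import sqlite3

def open_vote_db():
    """Constructed in-memory store; a real deployment would use its own database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE votes (
            post_id INTEGER NOT NULL,
            user_id INTEGER NOT NULL,
            value   INTEGER NOT NULL CHECK (value IN (-1, 1)),
            PRIMARY KEY (post_id, user_id)  -- one row per (post, user): enforced by the DB
        )
        """
    )
    return conn

def cast_vote(conn, post_id, user_id, value):
    """Record a vote for an authenticated user.

    Returns 'recorded' for a first vote, 'duplicate' if the same vote already exists,
    and 'changed' if the user switched direction (up to down or vice versa).
    """
    if value not in (-1, 1):
        raise ValueError("vote value must be -1 or +1")
    try:
        conn.execute(
            "INSERT INTO votes (post_id, user_id, value) VALUES (?, ?, ?)",
            (post_id, user_id, value),
        )
        conn.commit()
        return "recorded"
    except sqlite3.IntegrityError:
        # The primary key fired: this user already has a vote on this post.
        row = conn.execute(
            "SELECT value FROM votes WHERE post_id = ? AND user_id = ?",
            (post_id, user_id),
        ).fetchone()
        if row[0] == value:
            return "duplicate"
        conn.execute(
            "UPDATE votes SET value = ? WHERE post_id = ? AND user_id = ?",
            (value, post_id, user_id),
        )
        conn.commit()
        return "changed"

def post_score(conn, post_id):
    """Net score of a post: sum of +1 and -1 votes, one per user."""
    row = conn.execute(
        "SELECT COALESCE(SUM(value), 0) FROM votes WHERE post_id = ?", (post_id,)
    ).fetchone()
    return row[0]

if __name__ == "__main__":
    db = open_vote_db()
    print(cast_vote(db, 1, 42, 1))   # recorded
    print(cast_vote(db, 1, 42, 1))   # duplicate: the repeat is rejected, score unchanged
    print(cast_vote(db, 1, 7, -1))   # recorded
    print(post_score(db, 1))         # 0
```

The user id in `cast_vote` must come from the authenticated session, never from the request body, otherwise a client could vote on behalf of any user id it chooses.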

Put a unique id in the GET query portion of each arrow link. That way the attacker / spoofer cannot know to which address to direct the CSRF attack.

You can require login, or even use OpenID.
