
Need good ideas regarding security on single page


xwishmasterx


Hello

I am having problems setting some security to a prize page on my website.

What I need is to make sure that a user cannot just refresh and get the prize again.

The prize page is loaded in a frame so redirection is no good, and that doesn't stop the user from just hitting the "back" button and then refresh.

Anyone have an idea how to do this the simple way?

Link to comment
Share on other sites

You could put a cookie on the machine (one that does not expire) and then use that.

The only problem that would present is if someone cleared out their cache, then they could, again, gain access.

IP address is not reliable due to some ISPs issuing dynamic IP addresses. Meaning the IP address is only reliable for 24hrs(ish).

I'd be tempted to look into ways of getting the computer's MAC address using Java (not JavaScript) or Flash. That (to me) would be the only surefire way of keeping them out.

Link to comment
Share on other sites

My answer was based on the OP asking for 'a simple way'.

What's the stake here? Is it just to stop the standard user from refreshing twice, or is it total lock down?

Doing it by IP/cookie/session would be the simplest, but anyone with slight knowledge would find a way...

If it's really important, 'a simple way' won't cut it.

Link to comment
Share on other sites

If you're looking for a simple way of simply stopping users from refreshing to win a prize, IP address is the only suitable option. Flappy has already mentioned the obvious flaw with this solution but there's no solution (that I can think of, anyway) that's both simple and able to stop people abusing it.

If you were to choose the IP address, you'd need a database to store the IP addresses of those that have already claimed/won their prize. Unfortunately, saving it in the session - as JKG suggests originally - would not work, not at all. He is right, however, when he says that a simple way will not stop people abusing it, you'll always get the select few that will find a way.

Link to comment
Share on other sites

It's not that hard though. Make sure that all prizes have an ID. Store that ID in the db. On the prize page, the script checks for which prize is not yet claimed, then only displays the unclaimed prize. On the claim page, the user clicks claim and the db stores the user info and the prize ID, thus it cannot be seen again.

Link to comment
Share on other sites
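The prize-ID scheme from the last post, sketched as an added example that is not code from any poster in this thread. It assumes each visitor has an authenticated account id (`user_id`), uses hypothetical `prizes`/`claims` tables in SQLite, and adds a one-claim-per-user rule so that a refresh or back-button replay is rejected by the database itself instead of by a cookie or session flag.

```python
import sqlite3

def open_db():
    """In-memory database holding constructed sample prizes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE prizes (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE claims (
            prize_id INTEGER NOT NULL UNIQUE,  -- a prize can be claimed once
            user_id  TEXT    NOT NULL UNIQUE   -- assumption: one prize per account
        );
        INSERT INTO prizes (id, name) VALUES (1, 'mug'), (2, 't-shirt');
    """)
    return db

def next_unclaimed(db):
    """Prize page: (id, name) of the first prize with no claim row, or None."""
    return db.execute(
        "SELECT p.id, p.name FROM prizes p "
        "LEFT JOIN claims c ON c.prize_id = p.id "
        "WHERE c.prize_id IS NULL ORDER BY p.id LIMIT 1").fetchone()

def claim(db, user_id, prize_id):
    """Claim page: record the claim; True only for the first valid request."""
    known = db.execute("SELECT 1 FROM prizes WHERE id = ?", (prize_id,)).fetchone()
    if known is None:
        return False  # the client sent a prize id that does not exist
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO claims (prize_id, user_id) VALUES (?, ?)",
                       (prize_id, user_id))
        return True
    except sqlite3.IntegrityError:
        # Refresh, back button, or a second request racing the first:
        # the UNIQUE constraints reject the duplicate row.
        return False

if __name__ == "__main__":
    db = open_db()
    prize = next_unclaimed(db)
    print(claim(db, "alice", prize[0]))  # first request
    print(claim(db, "alice", prize[0]))  # same request replayed by a refresh
    print(next_unclaimed(db))            # what the next visitor is offered
```

Because the check and the write are a single constrained INSERT, two simultaneous requests cannot both succeed, which a separate "SELECT then INSERT" in application code would not guarantee.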
