This is probably a very basic/introductory thing, but let me paint a scenario:
Let’s say I’m using jQuery to do some sort of mini quiz game on my site. The user clicks the correct answer, and then a window pops up with a secret “winner’s code” that they can redeem elsewhere.
How can I generate the winner’s code so that it doesn’t just appear in the HTML and in a way that users cannot reverse-engineer it (at least without considerable effort)?
I mean, if I just generated an encoded string containing their username and some sort of additional information only I know, that would work, right? Or MD5 hash or something, but how do I make it so the winner’s code itself doesn’t appear in the HTML, and only when the correct answer is chosen?
Thank you for any suggested reading/tutorials/assistance/advice you can offer.
There are a couple of questions there.
1) How to generate a secure code:
If you are implementing a ‘winner code’ you could use a hashed IV + secret + user information, or some signing mechanism. You could also implement a code expiry time on the server so that you could further raise the bar, if necessary.
2) Getting the code to the winning user:
If you don’t want the code to appear in the HTML, then you want to use AJAX to get it. Then inject the code into the DOM where you want to display it. Further, you should be using a secure SSL channel to do this so that you guard against sniffing. Even further, consider some kind of ‘one-time’ token so that a man-in-the-middle cannot repost your code request and receive the same win code.
Hope this gives you something to consider.