Users on my website can click on a button. If they do, they will get a points reward.
This button, when clicked, is making an AJAX call to the server to give the reward (stored in database).
The button is a “make a tweet” button, so I want to make sure they really do their tweet thing.
My problem is I want to make sure that the button really has been clicked. Since the JavaScript code is entirely visible to the users, I guess it would be easy for them to just make the AJAX call without clicking on it.
So, anything I can do? Is obfuscation my only option, or can I encrypt something, or use a token or something?
If it may help, users are logged in and pages are served with PHP.
Thanks
Basically you are out of luck – there is no foolproof solution that will prevent someone from writing a simple script that downloads the page, parses it for any security tokens and then calls the AJAX request.
You can only make the job slightly harder by adding some additional data that is rendered by the server and submitted back via AJAX call.
You might look into adding a CAPTCHA image to the button – this would prevent the bots from submitting data but also would make the life of the real user harder.
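An added example in PHP (not code from the question or the answer) of the approach the answer describes: the server renders a random single-use token into the page, the AJAX endpoint checks it, and the database rather than the JavaScript enforces how often a reward can be granted. The table, column, session-key and function names are assumptions; SQLite in memory stands in for the site's real database so the script runs stand-alone.

```php
<?php
// Added example, not from the question or the answer: server-issued, one-time,
// session-bound token for the "tweet reward" AJAX endpoint, plus the server-side
// limit that actually caps abuse (one reward per user per day).
// Assumptions: PHP 8, PDO with SQLite (in memory for this demonstration), and a
// session array holding 'user_id'. Table and column names are hypothetical.
declare(strict_types=1);

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // The composite primary key is the control: a second grant for the same
        // user on the same day violates it, even under concurrent requests.
        $pdo->exec('CREATE TABLE rewards (user_id INTEGER, granted_on TEXT,
                    PRIMARY KEY (user_id, granted_on))');
    }
    return $pdo;
}

// Called while rendering the page with the button: mint a random token, keep it
// (with an expiry) in the server-side session, and embed it in the page so the
// AJAX call can send it back.
function issueRewardToken(array &$session): string {
    $token = bin2hex(random_bytes(32));
    $session['reward_token'] = ['value' => $token, 'expires' => time() + 600];
    return $token;
}

// Called by the AJAX endpoint. Returns [http_status, message].
function grantTweetReward(array &$session, string $submittedToken): array {
    if (!isset($session['user_id'])) {
        return [401, 'not logged in'];
    }
    $stored = $session['reward_token'] ?? null;
    unset($session['reward_token']);          // single use: consumed on first attempt
    if ($stored === null || time() > $stored['expires']
        || !hash_equals($stored['value'], $submittedToken)) {
        return [403, 'invalid or expired token'];
    }
    // The token only proves this session was served the page, as the answer
    // says; anyone can script that. The limit below is what bounds the damage.
    try {
        db()->prepare('INSERT INTO rewards (user_id, granted_on) VALUES (?, ?)')
            ->execute([$session['user_id'], date('Y-m-d')]);
    } catch (PDOException $e) {
        return [429, 'reward already granted today'];
    }
    return [200, 'reward granted'];
}

// Demonstration of the flow; a real page would use $_SESSION and $_POST.
$session = ['user_id' => 42];
$token = issueRewardToken($session);                 // embedded in the rendered page
[$code, $msg] = grantTweetReward($session, $token);  // first AJAX call
echo "$code $msg\n";
[$code, $msg] = grantTweetReward($session, $token);  // replayed token is rejected
echo "$code $msg\n";
$token = issueRewardToken($session);                 // fresh page load, same day
[$code, $msg] = grantTweetReward($session, $token);  // daily limit already reached
echo "$code $msg\n";
```

The token is compared with `hash_equals` to avoid timing differences, is deleted from the session before it is checked so a replay cannot race the first request, and expires after ten minutes. None of that stops a logged-in user from scripting page load plus AJAX call, which is the answer's point; the insert into `rewards` is what makes scripting pointless, because the database refuses more than the allowed number of rewards regardless of how the request was produced.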