使用Facebook Connect和HTTP请求打破应用程序[关闭]

I have a voting app built on PHP that takes Facebook logins (uses PHP SDK). You need to connect with your Facebook account to vote. We decided to use Facebook logins to prevent vote frauds.

After logging in with the Facebook account, this is what happens:

  • The login page has the hidden variables- userId, accessToken, name, email, gender, location, hometown, and link to the user profile - all of which are returned from the Facebook login.
  • The user chooses an option in the poll and then the app records his choice along with his identification details (listed in the first point).

Now, here lies the problem. I can simulate an HTTP request with fake identification details and the app still thinks it's a legitimate request and so, records the vote. So, someone can set up a script to generate random identification details, send them over HTTP requests ultimately leading to a lot of fraud votes.

Maybe, after the poll closes, we can test with the profile URLs to see whether the profiles exist or not but again, two issues here:

  • The intruder may use a list of valid user profile urls to create the fraud votes. If he does, we have no idea to find whether the vote was fraud or not.
  • Isn't it a better idea to prevent fraud votes than sort out later?

So, is there a way to allow only legitimate logins through the app? Something like a test before recording the vote.

I guess, a CAPTCHA can help but that will interfere with a quick vote experience we want our users to have.

Thank You!

Putting that stuff in the form, and doing nothing else is not the way to do this.

How this should work:

  1. User authenticates with FB.
  2. You use $uid = $facebook->getUser(); to get the userid for the user who has just logged in. If it is 0, the login failed.
  3. Store the uid in the user's session.
  4. Let them vote.
  5. When the vote comes in, pull the uid out of the session. Ensure it is non-zero, ensure they have not voted before (if that is a restriction) and add their vote.

EDIT
Since I am not fully aware of the various methods available by the FB API, I would defer to @Igy on this (see his comment about retrieving an access token to verify the account). Though, I don't know what ability the user would have to be able to fake an account id returned by the API.