Secure AJAX voting system like Stack Overflow? (SharePoint implementation)

Question

I'm trying to build an app for SharePoint in C# that will have a small component with an upvote/downvote system.

This seems problematic. If I want to make it secure, I use server side code for the voting, but this sounds like a terrible user experience.

With AJAX, the user experience is MUCH better, but you're vulnerable to hacking.

The main vulnerability I see, is assigning a vote to a user. I assume whatever the interface (let's assume Ajax to List) that these will be variables set in JavaScript.

It seems very easy to fire up any JS console in a browser and submit votes for a post/question.

Unless I want to validate every vote against a username on page_load (a lot of extra cycles) I feel like I'm limited to nesting a repeater inside an updatepanel, and handling the voting inside of that function, generating the SPUser identity server side.

Anyone who has used a repeater nested in an update panel with buttons will attest that this is a nightmare :(

What are my alternatives?

Answer 1

The vulnerabilities with using client side variables are always an issue so its best to decrease the possibility of exploitation via server-side involvement.

You could create a function that utilizes a key for creating the vote paramater that is created solely for the current user. If the passed parameter has been modified in any way, i.e. doesn't match the expected output, then reject it. If desired, you could build functionality that blocks specific user(s) from voting if they have exceeded the threshold for malformed requests.

You could then determine on submission if the current user has already voted on the corresponding item to prevent duplicate votes, although I would prevent the user from being able to vote in the first place for a better UX.