In the former explanation, the thing that is missing is how your action can be aware of a "malicious" POST or a valid one. Since you have a hard requirement on no authentication, I don't see anything that would make your counters "solid". The next best thing to do is to "salt" whatever variable you find more suitable in the JavaScript piece and verify that the "salted variable" matches when you receive that POST. Kind of an "expiring" link that no longer works if the POST comes, let's say, a minute after the JavaScript piece has been generated. That won't be a silver bullet, but it'll stop the easiest "malicious" from screwing with your counters.
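One way to build the expiring "salted" value described in the reply above, shown as an added example that is not part of the original post: an HMAC over a counter id and issue time, embedded in the generated JavaScript and checked in the POST action. The names `SECRET_KEY`, `issue_token`, `verify_token` and the counter id are assumptions, and no web2py API is used.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret that is never sent to the browser
# (constructed value for this example).
SECRET_KEY = b"constructed-demo-secret-change-me"
MAX_AGE_SECONDS = 60  # the "a minute" window suggested in the post


def _mac(counter_id, issued_at):
    """HMAC-SHA256 over the counter id and the issue time."""
    msg = f"{counter_id}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(counter_id, now=None):
    """Call when the JavaScript piece is generated; embed the result in it."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(counter_id, issued_at)}"


def verify_token(counter_id, token, now=None):
    """Call in the POST action; True only for a fresh, untampered token."""
    now = int(time.time() if now is None else now)
    try:
        ts_text, mac_text = token.split(".", 1)
        issued_at = int(ts_text)
        mac = mac_text.encode()
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    # Constant-time comparison avoids leaking the expected MAC byte by byte.
    if not hmac.compare_digest(mac, _mac(counter_id, issued_at).encode()):
        return False  # forged, or issued for a different counter
    # Reject tokens dated in the future as well as expired ones.
    return 0 <= now - issued_at <= MAX_AGE_SECONDS
```

A valid token can still be replayed until it expires, so this raises the effort for casual tampering rather than authenticating the client.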

