Preventing $.POST hijack
- by Jamie
I'm currently building a Facebook application. Let's say I have a variable $uid that identifies the user so I can store this in my database along with their submitted data.
I pass $uid and $data via JSON-encoded values using $.post. However, this doesn't prevent someone changing $uid to save data as someone else.
I have been thinking about how to overcome this; so far I haven't found a solution apart from:
Create a database with $uid and $secretkey on first page load. When using $.post, send $secretkey with the post and then retrieve the $uid from the database.
Would this be the correct approach to use?
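
The scheme described in the question, shown as an added example that is not part of the original post: the server binds a random token to the `$uid` it already knows and takes the identity from that token alone, ignoring any `uid` the client sends. The function names and the in-memory `$tokenStore` (standing in for the database table) are assumptions, as is the premise that `$uid` comes from an authenticated server-side session.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the database table: sha256(token) => uid.
// Storing only the hash means a leaked table does not reveal usable tokens.
$tokenStore = [];

// First page load: the server already knows $uid (assumed to come from an
// authenticated session) and issues an unguessable token bound to it.
function issueToken(array &$store, string $uid): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = $uid;
    return $token;                           // embedded in the page for $.post
}

// Returns the uid the token was issued for, or null if the token is unknown.
function resolveUid(array $store, string $token): ?string
{
    return $store[hash('sha256', $token)] ?? null;
}

// POST handler: the client sends token + data, never a trusted uid.
function handlePost(array $store, array $post): string
{
    $uid = resolveUid($store, (string)($post['token'] ?? ''));
    if ($uid === null) {
        return 'rejected';
    }
    // Any 'uid' field in the request is ignored; identity comes from the lookup.
    return "saved for $uid: " . (string)($post['data'] ?? '');
}

// Constructed sample requests: a normal post, a post with a forged uid field,
// and a post with a token that was never issued.
$token = issueToken($tokenStore, '1001');
echo handlePost($tokenStore, ['token' => $token, 'data' => 'hello']), PHP_EOL;
echo handlePost($tokenStore, ['token' => $token, 'uid' => '2002', 'data' => 'x']), PHP_EOL;
echo handlePost($tokenStore, ['token' => str_repeat('0', 64), 'data' => 'y']), PHP_EOL;
```

The token is a bearer credential for that user, so it needs the same handling as a session identifier: sent over HTTPS only and expired with the session.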