I'm currently building a little mini game collection web app, with the Fat Free Framework in the backend (which shouldn't matter too much here).
Now in the games, you can also reach highscores. Sending the highscore after finishing currently looks something like this:
    // jQuery request fired by the client when a game ends
    $.ajax({
        "url": "/submitHighscore",
        "type": "post",
        "data": {
            "game": "Tetris",      // which game was played
            "score": player.score  // the score reached by the player
        }
    });
Then, at the /submitHighscore route, I receive that request and enter the info into the database. Right now, somebody could just intercept that request and change the game and score to enter a different score and game into the database, which is not too great.
The idea I already had was to store those two things in the session: set a session variable named gamePlaying to the current game (once they start it) and set the session variable for the points right before sending the highscore. That way I don't need to pass any parameters at all, and it's all stored in the session.
I'm however not sure if it's the best solution; it would also involve quite some code rewriting.
Do you have a better idea to prevent the manipulation of the POST request?
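As an added illustration of the session idea from the question, in plain PHP rather than the poster's code or Fat-Free's own routing and SESSION API: the game name is taken from the session set at game start, while the score still has to be validated because it continues to arrive from the client. The route functions, the game list and the highscores table are assumptions.

```php
<?php
// Added example, not the poster's code or Fat-Free Framework's API: a plain-PHP
// sketch of the session idea. Route names, the game list and the table are assumptions.
declare(strict_types=1);
session_start();

const KNOWN_GAMES = ['Tetris', 'Snake']; // constructed list of games the app offers

// POST /startGame: the server, not the client, records which game is being played.
function startGame(string $game): void
{
    if (!in_array($game, KNOWN_GAMES, true)) {
        http_response_code(400);
        exit('unknown game');
    }
    $_SESSION['gamePlaying'] = $game;
    $_SESSION['gameStarted'] = time();
}

// POST /submitHighscore: the game name comes from the session set by startGame(),
// so the "game" field of the request is no longer trusted or even read.
function submitHighscore(PDO $db, $postedScore): void
{
    if (empty($_SESSION['gamePlaying'])) {
        http_response_code(409);
        exit('no game in progress');
    }
    // The score still arrives from the client; the session only fixes the game name.
    // Validate type and range before storing anything.
    $score = filter_var($postedScore, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($score === false) {
        http_response_code(400);
        exit('invalid score');
    }
    $stmt = $db->prepare('INSERT INTO highscores (game, score, submitted_at) VALUES (?, ?, ?)');
    $stmt->execute([$_SESSION['gamePlaying'], $score, time()]);
    // Clear the round so one game start cannot be used to submit twice.
    unset($_SESSION['gamePlaying'], $_SESSION['gameStarted']);
}
```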