How to Check Authenticity of an AJAX Request

Backend | Unresolved | 15 | 906
悲&欢浪女 2021-01-31 08:47

I am designing a web site in which users solve puzzles as quickly as they can. JavaScript is used to time each puzzle, and the number of milliseconds is sent to the server via A

15 answers
  •  终归单人心
    2021-01-31 09:23

    -- Edit:

    This solution is somewhat flawed, as pointed out by ZoFrex below.

    -- Old:

    Here is a way (but you'll need to do some profiling).

    Send down a series of "problems" for the JavaScript to solve, while they are playing the puzzle. Previously, I've used a sufficiently-sized number N such that it is the result of prime1 * prime2. This forces the client to factor the number (you can get code to do this in JavaScript) and this will take time (this is where profiling clients comes in, and sending down appropriately-sized primes [obviously, this opens you to degradation-attacks, but nevertheless]).

    Then, you just send down say, 500, of these prime-problems (or another type), and let the JavaScript solve them in the background. It will generate a list of solutions, and when you send the completed value, you also send this list. From the total count of answers supplied, you can determine how long they spent on the puzzle.

    Cons:

    • Requires profiling to determine capabilities of various clients (and hence difficulty of problems)
    • Can be downgrade-attacked
    • Slightly complicated
    • JavaScript computation may interrupt general puzzle-solving
    • Possible to write a bot to solve problems faster than JS

    Pros:

    • Calculations must be done in order to submit the form
    • If implemented correctly, will prevent all but non-trivial attacks

    Clearly, it's attackable (all proposed answers are), but I think it's reasonable. At least, it would be fun to work on :)

    In the end, though, you need to actually install a client-side system with a bit more security. And do note that Flash certainly is not this; it's trivial to decompile. In fact, there was an IQ test here in Australia once, and it was controlled via a Flash app that was done LIVE on television. Of course, the winner was a computer programmer, I wonder why :P

    -- Edit:

    OP, also, I linked it in a comment to this post, but just in case you miss it, you are kind of interested in Hashcash, whose aim is to show that a client has completed some amount of 'Work'. Even if my implementation isn't suitable, you may find a review of that field fruitful.
