up vote 4 down vote favorite
Share on Facebook

Suppose I am doing a JavaScript game, and I wish the game to update the server if the user has successfully completes the game and his outcome.

How should I ensure that the request came from the JavaScript game, and that the data sent has not been tampered with. I am using PHP as the server-side language.

I do understand that no strategies are going to be 100% fool-proof, and any measures taken is more of a deterrence than absolute protection.

On Edit: Let's supposed we're not using server verification of each user's step (as in a traditional MMO). The game could be a mini-game as part of a web game or educational game (space invaders or a real-time game, for example) and requiring a server-side component for each of those games could be tedious.

Example: Supposed, when the game is completed, a request is sent to the server via. AJAX 

game_finished.php?user_id=1&outcome=success&score=88

A user could 'fake' the server in believing that the game has been completed correctly by sending that request to game_finished.php. How could this be made more difficult?

link|flag
100% accept rate

3 Answers

up vote 6 down vote accepted

a sliding block puzzle, for example

This is an example where server-side verification is trivial. It doesn't need to verify each step until the game is over. Just send the entire move list, and the server replays it to make sure it's correct.

(Edit: The point of this answer isn't to pick on examples until you find one that isn't trivially validatable. Rather, it should make you go back and look at the game you're actually making - it's probably trivially validatable, or only needs a small tweak to be.)

link|flag
I was thinking over the example and it isn't the best of examples. Let's say Space Invaders then. I will update the question. – Extrakun Oct 26 at 16:56
1  
The movement of Space Invaders is also totally deterministic, though. You just need to record when each shot/hit pair occurs, simulate movement up to that time (which is a simple linear equation), and make sure it was actually a hit. – Joe Wreschnig Oct 26 at 17:00
I finally got what you mean after thinking it through. Thanks – Extrakun Oct 26 at 17:14
up vote 0 down vote

You could make it more different by sending a hash of the data and some secret key back to whatever is doing the authorization. If the data matches the remade hash on the back-end you could have a reasonable amount of belief that it has not been tampered with.

link|flag
As it is JavaScript, it may be easy to get the key (stored within the JavaScript) using Firebug; if the code is obfuscated or minimized it would be harder. – Extrakun Oct 26 at 16:32
Ah, the entire game is played as Javascript. Don't know how I missed that. PHP is just the backend. I'll have to think some more. – Noctrine Oct 26 at 16:42
+1 for hash technique, though this doesn't answer OP's question – Avinash Oct 26 at 17:36
up vote -1 down vote

There are many methods, but all of them will fail eventually. You can add some hash value, or query key renewed with every query.

But the most important thing is, that all of your super encoding functions are send as source codes to clients' browser and that is THE problem. To make it little harder, you can use function send by Ajax query, so sources won't be available under an url. Function should be send compressed, and maybe even in parts, so it will be harder to copy it all. I would also check this code in page like http://jsbeautifier.org/ if after making it readable your code is easy to understand.

link|flag

Your Answer

 
or
never shown

Not the answer you're looking for? Browse other questions tagged or ask your own question.