up vote 4 down vote favorite
4
share [fb]

I wanted to make a multiplayer game that runs in the browser, and a friend of mine suggested that I should choose JavaScript as the main language. I already made a lot (registering, logging in, half of the gameplay, multiplayer part). But now I'm having seconds thoughts, was that a good idea? Can someone just change a few things in my code and hack the game, or is it avoidable on the server-side?

And if anyone has some software that could help me test my security that would be great (maybe some debuggers that can change variables during run-time).

Game description, as requested: I't a mix between a MMO RPG and an RTS game. That means that players actively contribute to the world building. The basic idea is that the client tells the server what he is doin (pressing a key, typing something into chat) and the the server broadcasts that message to everyone else. I know what I have to do now, thanks!

link|improve this question
100% accept rate
I'm curious: what mechanism do you use for the client to talk to the server, and what's the latency like? What platform are you using for the server? – Will Sep 9 at 13:55
The server is running on my netbook which runs Ubuntu Linux, and it is written in server-side JavaScript, which runs using node.js. – Bane Sep 9 at 14:04
feedback

4 Answers

up vote 6 down vote accepted

It's fine if:

  1. The server doesn't send any information about players behind local player's field of view (must be calculated serverside) to the local player (to prevent wallhacking).
  2. All actions are checked for availability on server when a player presses action button.
  3. You only render on client - all actions are done on server and only predicted on client.
  4. All timed actions are serverside.
link|improve this answer
Yes, I am doing these things. – Bane Sep 9 at 13:14
7  
Please notice that these instructions are valid for every multiplayer game, regardless of language, platform or whatever. – Lohoris Sep 9 at 14:38
feedback
up vote 1 down vote

Changing Javascript variables is pretty easy to do with tools like Firebug (for firefox) or the build in dev tools of Safari/Chrome. You can simply type in javascript in the console and it'll get executed. As a simple rule, do not rely on the client side for security. Apart from that, with the introduction of the HTML5 canvas element, javascript offers you some real possibilities for simple games (There is a full javascript/html5 version of Angry Birds for instance).

link|improve this answer
feedback
up vote 10 down vote

Whether or not your game is a good fit for JavaScript development depends on the game. You didn't describe your game, so there's no way for us to answer the question in the title.

However I can say that your hacking concern is not a problem here. Not because JavaScript can't be hacked (it can, and easily) but so can every other client-side technology. One of the basic tenets of multiplayer game development is "never trust the client". Design your game in such a way that anything you need to protect from hacking is running on the server, because the client will be hacked. This means only send UI commands from the client (eg. "the player clicked the Bomb button") and calculate the results of player actions on the server. Then the server sends back to the client the results of those actions.

Since no matter what technology you relied on you should design your game with the assumption that the client-side component will be hacked, the hackability of JavaScript isn't a consideration when deciding whether or not to use JavaScript.

link|improve this answer
Thanks a lot. I will edit my post and describe the game now. – Bane Sep 5 at 20:04
2  
never never never never never trust the client, whether its javascript or something else! – espais Sep 5 at 21:10
1  
While all game clients are indeed hackable, some are more hackable than others. – Jonathan Connell Sep 6 at 13:32
2  
That is true, but the distinction is irrelevant. When designing the security for your game, what does it matter if option A is harder to hack than option B if they will both be hacked? – jhocking Sep 6 at 17:26
feedback
up vote 2 down vote

People can change the client code in order to cheat, that is a problem for any multiplayer game. If reaction speed or speedy solving of mathematical tasks is a part of the game you can't completely prevent cheating.

For any other game element you must ensure that the client won't and can't obtain information that is supposed to be hidden to the player. And of course the server must validate that every action taken by a player is legal.

The greatest problem I see in JavaScript games is that a lot of browsers have a tendency to stutter, especially Firefox was pretty bad last time I checked. For this reason JavaScript is not a good choice for timing-sensitive gameplay. But for turn-based or at least slow-paced games JavaScript can work quite well.

link|improve this answer
feedback

Your Answer

 
or
required, but never shown

Not the answer you're looking for? Browse other questions tagged or ask your own question.