1

I'm creating a canvas-based game that has an important timing element to it. Upon completion of the game, the user's completion time is to be sent to PHP/MySQL on the server for comparison with other players.

Server-side timing (i.e. begin request time to submit request time) seems like it could introduce load times as affecting the user's actual time and therefore inefficient in this case.

What I'm having trouble with is determining a way to assure that the time sent is legitimate. How can I stop someone from using their console and editing the client-side code in such a way as to submit a false time?

Any help would be greatly appreciated.

Delford Chaffin
  • 623
  • 7
  • 23

4 Answers4

8

You can't. Never trust the client. Every request to your server could be spoofed.

Bergi
  • 630,263
  • 148
  • 957
  • 1,375
  • 1
    I would up-rate this 20 times if I could. – GarethL Oct 12 '12 at 14:43
  • I've seen such game-score spoofing in action where users were trying to piggyback or fake ajax calls to servers to record scores/times - BEWARE! – nickhar Oct 12 '12 at 14:44
  • I've seen my typing WPM go to 12000 (and stacked) because of a sluggish browser. – vol7ron Oct 12 '12 at 14:48
  • OK ... So it is becoming clear that client-side timing simply won't be secure. I know the mantra about not trusting the client - that is what is causing my struggle in the first place. :-) So, if I do move all timing to the server and just deal with it, here is a follow-up question. The game obviously needs to be completed before submitting it. As the game puzzle is all Javascript, this introduces the problem of manipulating the client-side code to fake the completion of the game. I've created game JS code in a separate class file. If I instantiate the game as such: var game; – Delford Chaffin Oct 12 '12 at 15:26
  • I think you should ask your follow-up separately, or at least [edit your question](http://stackoverflow.com/posts/12861419/edit). Especially code is awful to read in comments – Bergi Oct 12 '12 at 15:28
  • Thanks ... I stepped away a bit and just noticed it didn't get my whole comment. Will post new question. – Delford Chaffin Oct 12 '12 at 17:48
  • Follow-up question here: http://stackoverflow.com/questions/12864537/javascript-security-concern – Delford Chaffin Oct 12 '12 at 17:54
1

You cannot. Simply.

There clock may be running slow, they could change the date/time between start and finish.

I have worked on a project where we slowed down the clock to observe some behaviour.

So do NOT trust the client. Rely on your clock. That is the one that you have control over.

(Think about this - you ask a stranger off the street for the time, their watch may be a little fast or slow. Mine is a little fast so I will be more likely to be on time even if I am late!)

Ed Heal
  • 59,252
  • 17
  • 87
  • 127
0

At the start of the game, ping the server and have the server save its server time to a session, or other persistance method. upon completion send the completed time to the server. At the server compare the time difference between the start time request and the end time request and the time submitted from The game. Allow for some discrepencies in time but like bergi say's its a lot of work and still not going to be 100%.

Flow Diagram:

Game start -> send command to server. 
Server saves time: (2:53pm)

Game end -> send players time to server (3mins).
Server gets current time (2:56pm)

Server compares start time (2:53pm) with current time (2:56pm) which is 3mins.
IF the difference == 3mins +/- 30sec then assume time is valid.

Adjust the details depending on how strict you need to be and what tolerances you'll accept. - Remember the client may not even be playing the game... any request can be spoofed. Hope this is a good starting point.

Dpolehonski
  • 948
  • 6
  • 11
  • As a side note. Depending on your tolerances and the end users browser and bandwidth speed you may exclude some genuine times that just took a long time to get to your server, but thats the price of 'security'. – Dpolehonski Oct 12 '12 at 14:54
0

Server-side timing (i.e. begin request time to submit request time) seems like it could introduce load times as affecting the user's actual time and therefore inefficient in this case.

It can. Welcome to the exciting world of online gaming. This is where your server-side application needs to be more advanced, where you can modify peoples times to make it more fair. Pings/traceroutes, should be performed to get a sense of the latency.

What I'm having trouble with is determining a way to assure that the time sent is legitimate. How can I stop someone from using their console and editing the client-side code in such a way as to submit a false time?

Not quite sure if HTML5 has any advancements in this area - I don't expect it would - but, one way would be to use Flash, or use an application outside the browser, which would probably defeat your purpose for using JavaScript in the first place.

vol7ron
  • 40,809
  • 21
  • 119
  • 172