
I am thinking of creating an HTML5 game. I understand that it's probable that no one will try to cheat, but I want to make sure (and am interested to see if there are any good techniques).

I understand the advantages of having open source software, and would want my code to be read and stuff. However, in a game type situation, where the user's score would be sent to the server to be stored, I can see a problem in that the user can open their devtools (F12 in most browsers) and modify the script or the values in variables to give themselves a higher score or a hundred lives. I don't care if people do this, but I don't want their scores to be stored.

Case Study: Candy Box 2 (candybox2.net) took me less than 20 seconds to get 100000000 candies.

Is there any way to stop this from happening?

user1877408
  • Check this out for inspiration: http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools – colllin Mar 05 '14 at 20:22
  • The Facebook one only specifies about the console, but it doesn't prevent you from adding break points. I'll check the other now – user1877408 Mar 05 '14 at 20:27

1 Answer


The surest way to stop this from happening is to run all the business logic server-side, only accepting commands from the browser. If the key variables are not resident in the browser (or the copy in the browser is a cached copy and never accepted as authoritative) then client-side manipulation is unable to do anything except perhaps automating UI actions.

If the client code has to be made tamper-resistant, you've already lost; that way lies PunkBuster, Valve Anti-Cheat, and other mechanisms that generally require the user to let you permanently install a rootkit on his machine so you can satisfy yourself by inspection that he's not cheating.

For some projects I've been working on recently using ASP.Net as a back-end, I've found SignalR to be a very efficient Comet-type communications layer for JavaScript and dynamic HTML, even taking advantage of HTML 5 WebSocket support if available.

Jeffrey Hantin
  • But how in a JavaScript game can I run all of the business logic server-side? And even if I could, at some point the server-side stuff would have to take input from the client-side stuff and that input can be tampered with. – user1877408 Mar 05 '14 at 20:31
  • @user1877408: Basically, the server runs a simulation of the game and replicates the client's actions from his inputs. For example, if the client says he got an item that didn't exist or wasn't reachable from his position, the server will just tell him, "No, you didn't. Here's what actually happened based on your inputs." – Chuck Mar 05 '14 at 20:41
  • @user1877408, you'd need to validate the parameters of every client request; for example, rejecting a request to buy more widgets than the player has coins to pay for, rejecting a repeated click on something before its cooldown timer expires, and so forth. **Never** allow the client to "save" the game to the server; the *authoritative* game state must never be placed in the hands of client JavaScript where it can be tampered with. You can still let the client "load" a copy and execute in parallel for better responsiveness. – Jeffrey Hantin Mar 05 '14 at 20:45
  • Alternatively, when "saving", have the client submit a "transaction tape" of all commands executed during the session with time stamps, and have the server re-execute (with validation) all the business logic from the submitted journal. – Jeffrey Hantin Mar 05 '14 at 21:08
  • @jeffrey-hantin Amazing, just what I was looking for. I never thought of creating a transaction tape, and can see how that would work. Thank you. – user1877408 Mar 05 '14 at 21:42
  • @JeffreyHantin So, there are caveats still, the "transaction tape" that is sent by the client to the server can be forged. Sure, you can perform validation on the tape, but that might end up being an insane amount of work. If a user forged the tape to say that their position was at (10,50) and no other data was on the tape, your validation would involve "Is it possible that the user moved from currently saved position to (10,50)?" ... "is it possible" would be a gigantic list of rules for just one property, such as "Is the distance greater than their movement?", "Can they warp, Did they warp?" – ferr Jul 18 '15 at 18:40
  • Just to follow up: a need for scanning game rules for validating property changes isn't a terrible thing. You would just need to assess the cost of this server-side action. I like the idea of using libs like Comet/SignalR for communication as well, that could be a great option. – ferr Jul 18 '15 at 18:46
  • @ferr, the point is, you *never allow the client to save property changes at all:* you submit a transaction tape of the actual user actions taken, not the property changes that result from them. "Start moving toward (10, 50) at time T0", not "position = (10, 50) at time T0+Ttravel". If the client cannot submit property changes, you have no need to validate them. – Jeffrey Hantin Jul 20 '15 at 21:22
  • @ferr If it's an insane amount of work, you could hypothetically just process that tape as you can, and once the score is submitted, finish validation before saving it for good. – mbomb007 Sep 13 '17 at 22:04
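The "transaction tape" replay that Jeffrey Hantin describes in the comments above, as an added example that is not code from the answer: the server re-executes the client's timestamped commands under its own rules and refuses entries that break them, so a forged score or position never reaches the saved state. The rule values (5 units/second movement, widgets at 10 coins, a 1-second click cooldown) and the command names are assumptions.

```javascript
// Added example (not the answer's code; rule values and command names are assumptions).
const RULES = { speed: 5, widgetPrice: 10, clickCooldownMs: 1000 };
const initialState = () => ({ pos: [0, 0], target: null, t: 0, coins: 50, widgets: 0, lastClick: -Infinity, score: 0 });

// Advance to time t (ms): travel toward the target at most RULES.speed units per second.
function advance(state, t) {
  if (state.target) {
    const dx = state.target[0] - state.pos[0], dy = state.target[1] - state.pos[1];
    const dist = Math.hypot(dx, dy), reach = RULES.speed * (t - state.t) / 1000;
    if (reach >= dist) { state.pos = state.target; state.target = null; }
    else state.pos = [state.pos[0] + dx * reach / dist, state.pos[1] + dy * reach / dist];
  }
  state.t = t;
}
// Apply one command; returns null if accepted, otherwise the reason it was refused.
function applyCommand(state, cmd) {
  switch (cmd.type) {
    case 'move':  // "start moving toward (x, y)": the position is computed, never accepted
      state.target = [cmd.x, cmd.y]; return null;
    case 'buy':   // reject buying more widgets than the player has coins for
      if (cmd.n * RULES.widgetPrice > state.coins) return 'insufficient-coins';
      state.coins -= cmd.n * RULES.widgetPrice; state.widgets += cmd.n; return null;
    case 'click': // reject a repeated click before its cooldown timer expires
      if (cmd.t - state.lastClick < RULES.clickCooldownMs) return 'cooldown';
      state.lastClick = cmd.t; state.score += 1; return null;
    default: return 'unknown-command'; // e.g. a client "score" entry: a result, not an action
  }
}

// Re-execute the tape from the initial state; nothing the client claims is trusted.
function replayTape(tape) {
  const state = initialState(), rejected = [];
  for (const cmd of tape) {
    if (!Number.isFinite(cmd.t) || cmd.t < state.t) { rejected.push({ cmd, reason: 'bad-timestamp' }); continue; }
    advance(state, cmd.t);
    const reason = applyCommand(state, cmd);
    if (reason) rejected.push({ cmd, reason });
  }
  return { state, rejected };
}
// Constructed sample tape, including entries a tampered client might add.
const SAMPLE_TAPE = [
  { t: 0, type: 'move', x: 10, y: 50 },
  { t: 500, type: 'click' },
  { t: 800, type: 'click' },                    // too soon after the last click
  { t: 1000, type: 'buy', n: 3 },               // 30 of 50 coins: accepted
  { t: 1200, type: 'buy', n: 5 },               // costs 50, only 20 left
  { t: 1100, type: 'click' },                   // timestamp goes backwards
  { t: 2000, type: 'score', value: 100000000 }, // forged result, not an action
];
```

Replaying `SAMPLE_TAPE` yields a score of 1, 20 coins, 3 widgets and a position only 10 units along the way to (10, 50), with four entries rejected; the forged score entry is simply an unknown command.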