11

I'm working on games using JavaScript, some HTML and CSS, and I was wondering if there was any way to secure the game so that the user can't just call game.php?result=victory to finish the game and earn some points.

As of right now, here are the solutions I have.

  • For a chance game, start the page with the result already in place, win or lose, then just do some animations to show it, but all the score and win/lose stuff is done server-side.

  • For a battle game, just get the action from the JavaScript call, and do the damage calculation and the reaction of the opponent on the server, and just send back the data.

But the last solution implies that I will have to send actions each time the user does anything. This might work for a turn-by-turn battle game, but I think it would be too slow for any other kind of game. So my question is: is there some kind of secure way I can prep my JavaScript to secure the information sent?

rnaud

5 Answers

15

The only way to make it secure is to have all the calculation and validation occur on the server side. That's how it's done on pretty much all online games. The client can never be trusted in online communication and you must always make sure on the server side that the user is actually doing something valid. (In theory anyway; in practice you have to trust the client somewhat for lag compensation and offloading some noncritical stuff to the client side.)

For this reason, JavaScript is not a very good language for developing an online game, as every action does need to be processed and validated by the server. For other programming languages it is not such a huge problem, because you can build your own communication protocols using TCP/IP for the server and the client. However, for JavaScript there is no such possibility, because you must rely on the HTTP protocol and the XMLHttpRequest handlers, which make for a very inefficient live client-server communication.

Like you said, you can always do the interface in JavaScript, but for security, you still need to perform plenty of stuff on the server side and this certainly doesn't work for games that require more action-oriented control. So, you are pretty much limited to turn-based games, if you need the security.

Rithiur
  • thanks for the complete answer :) I guess I'll stick to turn by turn and chance games then. – rnaud Mar 30 '10 at 09:16
4

You could do some stuff to thwart the naive user, but probably not everybody. It all depends on how motivated the person is to "attack" your game. At the end of the day, the user could use a javascript debugger to see exactly what your code is doing, and replicate it. Even if you send back every game action, the user could still replicate that. If you aren't careful about what actions the user can do, they may be able to send back actions that would be impossible if they were controlling the game with the default control scheme.

Kibbee
3

There should be no URL for victory. During the game, the client should send the user actions, and if they've won, the server redirects them to the victory page.

No calculating/rewarding should be done on the victory page, if any.

Anurag
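The server-side pattern described in the answers above (no victory URL, actions validated on the server, impossible actions rejected), sketched as an added example that is not code from any of the original posts. The `BattleSession` class, the skill table, the sequence-number check and the point value are all hypothetical, chosen only for illustration.

```javascript
// Added example: server-authoritative battle state (all names hypothetical).
const SKILLS = {
  slash:    { min: 5,  max: 10, cooldownMs: 500 },
  fireball: { min: 15, max: 25, cooldownMs: 3000 },
};

class BattleSession {
  constructor(rng = Math.random) {
    this.rng = rng;          // injectable so behaviour can be tested deterministically
    this.enemyHp = 30;
    this.nextSeq = 1;        // expected sequence number; rejects replayed messages
    this.readyAt = {};       // skill name -> earliest server time it may be used again
    this.result = null;      // set only here on the server, never taken from the client
    this.pointsAwarded = 0;
  }

  // `msg` is untrusted client input; `now` is the server's own clock in ms.
  applyAction(msg, now) {
    if (this.result) return this.reject('game already finished');
    if (typeof msg !== 'object' || msg === null) return this.reject('malformed');
    if (msg.seq !== this.nextSeq) return this.reject('bad sequence number');
    const known = Object.prototype.hasOwnProperty.call(SKILLS, msg.skill);
    if (msg.type !== 'attack' || !known) return this.reject('unknown action');
    if (now < (this.readyAt[msg.skill] || 0)) return this.reject('skill on cooldown');

    const skill = SKILLS[msg.skill];
    this.nextSeq += 1;
    this.readyAt[msg.skill] = now + skill.cooldownMs;
    // Damage is rolled on the server; any `damage` or `result` field in msg is ignored.
    const damage = skill.min + Math.floor(this.rng() * (skill.max - skill.min + 1));
    this.enemyHp = Math.max(0, this.enemyHp - damage);
    if (this.enemyHp === 0) {
      this.result = 'victory';
      this.pointsAwarded = 100;  // awarded once, as part of processing the winning action
    }
    return { ok: true, damage, enemyHp: this.enemyHp, result: this.result };
  }

  reject(reason) {
    return { ok: false, reason, enemyHp: this.enemyHp, result: this.result };
  }
}
```

A request handler would keep one such object per game in the server-side session and pass each posted action to `applyAction`; the victory page then only displays `result` and `pointsAwarded`.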
2

Would this be considered an option? (Late answer)

Transfer the critical stuff (the stuff you do not want to be hacked) over to a hidden internal Flash player, which acts both as the critical variable storage, calculator (e.g. life points) and "communicator" to the server for such game data.

It is definitely more secure than JavaScript. But still, it is always best to assume your client side is 100% not secure. (Even in C++ games, lol : hackers)

However, by transferring the traffic for game data to Flash, you are able to utilize some of its more interesting communication functions, e.g. P2P =)

PicoCreator
  • This is a very interesting option that I've never actually thought about. I don't really have very much AS knowledge, but how would this work? – Angelo R. Jul 07 '11 at 20:31
  • 1
    @Angelo R. The link has more details on linking AS3 with JS: http://www.hardcode.nl/archives_155/article_334-call-javascript-function-from-as3-and-viceversa . To put it short, both sides are able to run function calls to one another. By forcing important data traffic to run through Flash, and hence the server, you can turn Flash into a 'secure' variable storage that syncs with the server, with JavaScript as the 'data display'. However, note that Flash is not 100% foolproof, but it certainly is much harder to decompile as compared to JavaScript. – PicoCreator Jul 08 '11 at 00:34
  • Thanks for this, it's going to be an interesting read.. and possibly project – Angelo R. Jul 08 '11 at 21:01
  • @Angelo R. It's quite ironic though, to create a JavaScript game and port data to Flash, when Flash is more "efficient" for game graphics. But let me know if you ever get it implemented / done. It would certainly be interesting. (Especially if it is P2P) – PicoCreator Jul 09 '11 at 05:39
  • I would love to be able to work with flash but I'm just not proficient enough in it. For some reason I can never get the stage/timeline to co-operate... – Angelo R. Jul 11 '11 at 11:10
  • @Angelo R: If you are running on one frame, just run a stop() command in the code, and manage from there, since you do not need anything graphical and will most likely hide it in a hidden frame. – PicoCreator Jul 15 '11 at 03:57
1

No, there is no way.
What's wrong with sending user actions to the server?

Your Common Sense
  • 1
    Well, I'm thinking about mobile and low connections; I would like to avoid loading stuff every half-second. – rnaud Mar 30 '10 at 09:09