6

Does HTML 5 Gaming use Canvas and JavaScript? How to prevent cheating in this case?

For instance, what if a user uses GreaseMonkey or some tool to alter the script so that it just reports a perfect game score to the server every time?

asheeshr
Jeremy L
  • 2
    Just remember that in most cases you cannot completely prevent cheating of all kinds. However, in those cases you can simply make cheating very difficult to deter most script kiddies from hacking your game. You won't prevent it, but you can reduce it significantly. – Sasha Chedygov Apr 26 '10 at 04:18
  • 2
    @J Lynch: What kind of cheating do you want to prevent? What if I write an AI more intelligent than a human that plays your game? S.Mark's answer is spot on: if you only send the actions to the server-side, then you stop dead a **lot** of very usual cheating methods. Now the attacker has to program an AI to beat your game. Note that your question specifically asked about a cheater reporting perfect score, and then in the comment to S. Mark's answer you seem to change your mind and want protection against any kind of cheating, which is not the same. – SyntaxT3rr0r Apr 26 '10 at 04:55

3 Answers

14

I'll answer your question with a question of my own: Why don't we see rampant cheating in World of Warcraft? Or any other MMORPG for that matter?

The answer is because the game manufacturer keeps all game state serverside.

  • If I'm the client and I'm in charge of reporting damage done to the enemy, or my location, yeah of course I can cheat and tell the server I did 1 million damage.

  • On the other hand if the server keeps track of state and I only inform the server of changes to state, all I can do is tell the server "I moved left" or "I fired my gun" <-- anti-cheating is built into the architecture of the game

Of course, you did bring up the point of "perfect actions" - the case would be an action game, a shooter, etc. where objects could be identified and the "perfect action" sent. And to that I'd say: this sort of cheating already exists, really. And it's existed for many years. So I don't see how anything changes just because these are JavaScript games.

ambertch
8

Instead of sending scores from the user, send actions to the server side every time and calculate scores on the server side.

YOU
  • What if it is a game of invader or Restaurant City... we can't send each tiny action to the servers, and even if we do, we can send all "perfect" actions. – Jeremy L Apr 26 '10 at 04:13
  • @J Lynch: Why can't you? What kind of game is it? If it's something like Invaders, sure, someone could recreate a "perfect scenario" but that would take a lot of work on their part, and most cheaters won't want to spend the time. :) – Sasha Chedygov Apr 26 '10 at 04:15
  • 1
    @J Lynch, regarding tiny actions, you could combine and queue some actions and send at certain interval to check those. – YOU Apr 26 '10 at 04:25
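
The approach from the answers above (state kept on the server, the client sending only actions, queued and sent in batches), as an added example that is not part of the original thread. It is a toy Invaders-style validator; the game rules, the constants and names such as `newGame` and `applyBatch` are assumptions made for illustration.

```javascript
// Added example: server-authoritative scoring for a toy Invaders-style game.
// Rules, constants and names are assumptions for illustration only.
const WIDTH = 5, FIRE_COOLDOWN = 3, MAX_BATCH = 100;

function newGame(enemyColumns) {
  // The server owns this object; the client never supplies position or score.
  return { x: 2, tick: 0, lastFire: -FIRE_COOLDOWN, score: 0,
           enemies: new Set(enemyColumns) };
}

// Apply one queued batch of client actions to the server-held state.
// A rejected batch leaves the original state untouched.
function applyBatch(state, batch) {
  if (!Array.isArray(batch) || batch.length > MAX_BATCH)
    return { ok: false, reason: 'bad batch', state };
  const s = { ...state, enemies: new Set(state.enemies) };
  for (const a of batch) {
    // Ticks must strictly increase: one action per tick, no replays.
    // (A real server would also bound ticks by its own clock.)
    if (!a || !Number.isInteger(a.tick) || a.tick <= s.tick)
      return { ok: false, reason: 'bad tick', state };
    s.tick = a.tick;
    if (a.type === 'left') s.x = Math.max(0, s.x - 1);
    else if (a.type === 'right') s.x = Math.min(WIDTH - 1, s.x + 1);
    else if (a.type === 'fire') {
      if (s.tick - s.lastFire < FIRE_COOLDOWN)
        return { ok: false, reason: 'fire cooldown violated', state };
      s.lastFire = s.tick;
      if (s.enemies.delete(s.x)) s.score += 10; // the server decides hits
    } else return { ok: false, reason: 'unknown action', state };
  }
  return { ok: true, state: s };
}

// Constructed sample batches.
const honest = [{ tick: 1, type: 'fire' }, { tick: 2, type: 'left' },
                { tick: 4, type: 'fire' }];
const forged = [{ tick: 1, type: 'fire', score: 999999 }]; // claimed score is never read
const rapid  = [{ tick: 1, type: 'fire' }, { tick: 2, type: 'fire' }];

for (const [name, batch] of [['honest', honest], ['forged', forged], ['rapid', rapid]]) {
  const r = applyBatch(newGame([2, 1, 4]), batch);
  console.log(name, r.ok ? `score=${r.state.score}` : `rejected: ${r.reason}`);
}
```

A client that sends a valid sequence of well-timed actions still earns the score the rules allow, which is the "perfect actions" case the comments discuss; this check only removes the forged-score and impossible-rate cases.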
-8

Obfuscation. It's Google's, and your, number one tool against prying JavaScript eyes. Google "JavaScript Obfuscation" and you'll come across a million tools.

http://www.javascriptobfuscator.com/Default.aspx for one.

Dested