1

I've not been able to find any solutions to this other than "monitor responses and match for patterns of fraud".

Let's say I make a client-side HTML/JS skill game, moving a butterfly net left and right to catch falling stars.

At the end of the game, the JS sends a request to the server, something like

{
    "stars_collected":30,
    "user_id":38194723,
    "session_id":'dDhw83hDEknd83y727dhd'
}

This is sent to https://example.com/api/star_catch_level_complete

Nothing's stopping the client from just sending a fraudulent http request written by the end-user

{
    "stars_collected":9999999999999,
    "user_id":38194723,
    "session_id":'dDhw83hDEknd83y727dhd'
}

Now, obviously, the server side can mitigate some things such as always have a maximum obtainable number of stars etc.

My question is, can the data in the request be encoded/signed in some way so that the end-user can never actually see how the level_complete request is formulated?

Craig
  • 431
  • 1
  • 4
  • 12
  • 1
    No, I don't think that's possible. See, whatever encryption algo you're going to use, you'll have to share both the algo and the public key, as well as the JavaScript code generating the request. This is an interesting problem, and I'd like to see the answers you get as well. – Madara's Ghost Nov 13 '15 at 10:43
  • 1
    (Big) online games do this usually by sending all actions in the game to the server so that the server has the same state as each client and when the highscore is sent, then the server can check if that highscore makes sense (also [this](http://stackoverflow.com/a/5741574/1816580)). Of course this is still not perfect, but provides a reasonable obstacle for cheaters. – Artjom B. Nov 13 '15 at 11:18

0 Answers0