
I'm developing a simple web game for learning purposes. It's the classic tic tac toe game multiplayer. Every cell is marked with a number from 1 to 9, and to communicate it to the server (Node/Express) I use the following method

io.emit("mark", 3);

where io is a socket.io object and 3 identifies the cell on the first row and third column.

It works, but since the socket.io framework is mostly running on the client, cheating is as simple as pressing F12. In fact I tried to open the console and send the server some moves, and it accepted all of them. How can I prevent this kind of injection? The only information I found on the web is this Stack Overflow question, but it deals only with authentication security and not with generic requests, so it didn't help me. The only idea that came to my mind is to check whether the command received by the server is coherent with the context of the game. Actually that can fit such simple games. But how should I treat more complex applications? And how can I prevent some ill-disposed person from sending thousands of requests, with the risk of the server crashing?

Thank you

  • Assuming the request is consistent with the server-side game context, what bad can happen? In my socket.io based games, the logic is running both on client and on server, where every move is checked. – Denys Séguret Mar 29 '16 at 16:36
  • I said that I could apply some consistency check before executing the instructions, but this is just a simple game. In future I'd like to develop more complex games. And if I have 100 emission keys, should I write a customized check for each of them? In my opinion there will be a better solution somewhere – Christian Vincenzo Traina Mar 29 '16 at 16:43
  • I just apply every move **1**. on the playing client (to check it's valid), **2**. on the server for validation before saving and transmitting to other players, **3**. on all clients for display. As it's JS everywhere it's easy to do it without duplicating code. You **do** need to check moves in any game, or you can't even tell the user which move is valid. – Denys Séguret Mar 29 '16 at 16:48
  • Yes I know, but what if the move is valid, but the player is using neither the keyboard nor the mouse, but an automatic script? And what happens if the server receives thousands of useless requests? – Christian Vincenzo Traina Mar 31 '16 at 14:30
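The two points raised in the comments, server-side validation of every move against authoritative game state and a per-socket rate limit for the flood concern, as an added example that is not the asker's code nor part of any answer. It assumes the server keeps one game object per match together with the socket ids of the two players; `handleMark` is the hypothetical body of a socket.io `socket.on("mark", ...)` handler and only needs `{id, emit}` from the socket.

```javascript
// The server never trusts "mark": it holds the board, whose turn it is and
// who the players are, so a forged emit from the console is rejected here.
const WINS = [[1,2,3],[4,5,6],[7,8,9],[1,4,7],[2,5,8],[3,6,9],[1,5,9],[3,5,7]];

class TicTacToeGame {
  constructor(socketX, socketO) {
    this.players = { X: socketX, O: socketO }; // socket ids fixed at match start
    this.board = Array(10).fill(null);          // cells 1..9, index 0 unused
    this.turn = "X";
    this.winner = null;
  }
  // Returns {ok: true, ...} for a legal move, {ok: false, reason} otherwise.
  mark(socketId, cell) {
    if (this.winner) return { ok: false, reason: "game over" };
    const symbol = Object.keys(this.players).find(s => this.players[s] === socketId);
    if (!symbol) return { ok: false, reason: "not a player in this game" };
    if (symbol !== this.turn) return { ok: false, reason: "not your turn" };
    if (!Number.isInteger(cell) || cell < 1 || cell > 9) return { ok: false, reason: "bad cell" };
    if (this.board[cell]) return { ok: false, reason: "cell taken" };
    this.board[cell] = symbol;
    if (WINS.some(line => line.every(c => this.board[c] === symbol))) this.winner = symbol;
    else this.turn = symbol === "X" ? "O" : "X";
    return { ok: true, board: this.board.slice(1), turn: this.turn, winner: this.winner };
  }
}

// Sliding-window limit per socket id: at most `max` events in any `windowMs`.
class RateLimiter {
  constructor(max, windowMs) { this.max = max; this.windowMs = windowMs; this.hits = new Map(); }
  allow(socketId, now = Date.now()) {
    const recent = (this.hits.get(socketId) || []).filter(t => now - t < this.windowMs);
    if (recent.length >= this.max) { this.hits.set(socketId, recent); return false; }
    recent.push(now);
    this.hits.set(socketId, recent);
    return true;
  }
}

// Hypothetical handler body: drop floods first, then validate, then report.
// `now` is injectable so the limiter can be exercised deterministically.
function handleMark(game, limiter, socket, cell, now = Date.now()) {
  if (!limiter.allow(socket.id, now)) {
    socket.emit("error", "too many requests");
    return { ok: false, reason: "rate limited" };
  }
  const result = game.mark(socket.id, cell);
  if (!result.ok) socket.emit("error", result.reason);
  return result; // caller broadcasts result.board to the room on success
}
```

Only the server's copy of the board ever changes, so the client-side check Denys mentions stays purely a UX convenience.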

0 Answers