19

Given a client-side game (let's call it game X) and a server-side database that stores the high scores, how can I, after the end condition of the game, securely submit a high score to the server in a way that can only be done if the game was actually played (thus preventing post hijacking)?

Given this problem, here are a few ideas I have been thinking about:

  • Upon game start, send a session ID that expires after a given amount of time, to be sent back to the server for verification.

    The problem is that this could be easily exploited by requesting the start ID and then just forging the score.

  • Checkpoints within the game that post to the server to verify the person is actually playing the game.

    Again, this could be synthesized with some crafty scripting.

samccone
  • Think about turning this into a question... – Marc B Aug 10 '11 at 17:40
  • I think it is a question @Marc B – samccone Aug 10 '11 at 17:43
  • @Marc B: "...how can after the end condition of the game securely sumbit a high score to the server...". How is that confusing? – Chris Laplante Aug 10 '11 at 17:45
  • possible duplicate of [Safest way to update game score from client to server database? Javascript](http://stackoverflow.com/questions/4733175/safest-way-to-update-game-score-from-client-to-server-database-javascript) – Matt Aug 10 '11 at 17:46
  • Do as the others have said, and add a few fakes here and there, like say creating a Date stamp. Subtracting it from itself in an external JS file. Then in the parameters sending this value. It'd throw the beginners off. Using several JS files can be confusing too. – Some Guy Aug 10 '11 at 19:06

4 Answers

8

Upload a replay of the game and verify the score from that replay on the server. Of course, this works only if your game supports replays.

At minimum, create a rough log of what's happening in-game and apply some plausibility checks.

You should also add some in-game consistency checks. Otherwise I'll just use a tool like ArtMoney and change the score during the game.

But in the end, if the user writes a bot, it gets really hard.

CodesInChaos
5

There is no way for you to prevent the client side from being manipulated. It is being controlled by the player, and he could introduce subtle changes to the client-side application logic that won't be detectable on the server side. The only solution I am aware of is sending all user actions to the server (all at once at the end of the game, or continuously while the user is playing) and having the server verify them (recalculate the score). If the actions result in the score that the user claims to have achieved, then accept the score. If the actions don't match the score, reject it. It will be much harder to generate fake actions that are logically consistent. It won't prevent all cheating techniques, however (Google for "aiming proxy"; something similar might be possible in your game as well).

Wladimir Palant
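Both answers above come down to the same mechanism: the client sends its action log, the server re-runs the game rules over that log, and the claimed score is accepted only if the replay produces it. The Python below is an added example, not code from the question or from either answer. The game itself (a nine-column lane, one coin per tick, fifty ticks at 200 ms per tick) and every name in it are constructed for illustration. It also folds in the plausibility checks the first answer asks for: a session is single-use, it expires, and a score that arrives before a full game could physically have been played is rejected before any replay runs.

```python
"""Server-side replay verification for a high-score submission (example code).

Constructed toy game: a 9-column lane with one coin per tick; the player
moves at most one column per tick and scores a point whenever it stands on
the coin's column.  The level is derived from a seed the server chooses, so
the client cannot pick a friendly layout, and the "replay" is simply the
list of moves the player made.
"""
import hashlib
import hmac
import random
import secrets

WIDTH = 9                           # columns in the lane (assumed toy rule)
TICKS = 50                          # moves per game (assumed toy rule)
TICK_MS = 200                       # assumed game speed: one move every 200 ms
SESSION_TTL_MS = 10 * 60 * 1000     # a score must arrive within 10 minutes of start


def level_for_seed(seed: bytes) -> list[int]:
    """Deterministically expand the server-chosen seed into coin columns."""
    rng = random.Random(int.from_bytes(seed, "big"))
    return [rng.randrange(WIDTH) for _ in range(TICKS)]


def simulate(level: list[int], actions: list[int]) -> int:
    """The game rules; the same code runs on the client and on the server."""
    pos, score = WIDTH // 2, 0
    for coin, move in zip(level, actions):
        pos = min(WIDTH - 1, max(0, pos + move))
        if pos == coin:
            score += 1
    return score


def greedy_play(level: list[int]) -> list[int]:
    """An honest (if simple) player: always step toward the current coin."""
    pos, actions = WIDTH // 2, []
    for coin in level:
        move = (coin > pos) - (coin < pos)
        actions.append(move)
        pos = min(WIDTH - 1, max(0, pos + move))
    return actions


class ScoreServer:
    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)   # never leaves the server
        self._started: dict[str, int] = {}       # session id -> start time (ms)

    def _seed_for(self, session_id: str) -> bytes:
        # HMAC of the session id under the server secret: recomputable by the
        # server, not choosable by the client.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).digest()

    def start_game(self, now_ms: int) -> tuple[str, bytes]:
        session_id = secrets.token_hex(16)
        self._started[session_id] = now_ms
        return session_id, self._seed_for(session_id)

    def submit(self, session_id: str, claimed: int, actions: list[int],
               now_ms: int) -> tuple[bool, str]:
        start = self._started.pop(session_id, None)      # single use
        if start is None:
            return False, "unknown or already used session"
        elapsed = now_ms - start
        if elapsed > SESSION_TTL_MS:
            return False, "session expired"
        if elapsed < TICKS * TICK_MS:                    # plausibility check
            return False, "submitted faster than the game can be played"
        if len(actions) != TICKS or any(a not in (-1, 0, 1) for a in actions):
            return False, "malformed action log"
        # Replay the log under the server's own copy of the rules; the claimed
        # number is never trusted, only compared with the recomputed one.
        replayed = simulate(level_for_seed(self._seed_for(session_id)), actions)
        if replayed != claimed:
            return False, f"claimed {claimed}, replay gives {replayed}"
        return True, "accepted"


def run_scenarios() -> dict[str, bool]:
    """One honest submission and three forgeries against a fresh server."""
    server = ScoreServer()
    t0 = 1_700_000_000_000
    done = t0 + TICKS * TICK_MS + 500            # wall clock just after a full game

    def play() -> tuple[str, list[int], int]:    # honest client: start, play, report
        sid, seed = server.start_game(t0)
        actions = greedy_play(level_for_seed(seed))
        return sid, actions, simulate(level_for_seed(seed), actions)

    sid, actions, honest = play()
    results = {"honest": server.submit(sid, honest, actions, done)[0],
               "reused_session": server.submit(sid, honest, actions, done)[0]}
    sid, actions, honest = play()
    results["inflated_score"] = server.submit(sid, honest + 1, actions, done)[0]
    sid, actions, honest = play()
    results["too_fast"] = server.submit(sid, honest, actions, t0 + 100)[0]
    return results
```

Calling `run_scenarios()` accepts only the honest submission and rejects the replayed session, the inflated score and the instant finish. Note what this does and does not buy: the server picks the level seed, so a cheater cannot choose a layout where the coin never moves, and the claimed number is recomputed rather than believed. What remains is the bot problem both answers concede: the client must know the level to play it, so a script can compute an optimal move sequence and submit a log that replays perfectly.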
1

Do this: take your session ID from the server, combine it with something in the game, and use that as an encryption key; then in your submit data send whatever data you want plus a timestamp or something else from the checkpoints in the game.

Maybe use SessionID + checkpoint ID for the encryption key.

iamkrillin
  • And what stops the person from reading the key included in the game and modifying the score before submission? Nothing. This can't be done. – Matt Aug 10 '11 at 17:48
  • Well, at the end of the day, any solution that involves sending score data back to the server can be broken. It's all about raising the bar high enough that most people won't fool with doing it. – iamkrillin Aug 10 '11 at 17:53
1

What about something like this:

  1. Have the server send a nonce, 'hash-signed' by the server's secret key and a timestamp, etc.
  2. Have a hash based on some internal data structures + client key and send it to the server periodically
  3. Do this over SSL

And @iamkrillin beat me to it...but I am still gonna post it :)

PhD
  • And this fails if the user slightly changes the function sending the high score to send a value that is 10 times higher. No amount of encryption will save you if the client is compromised. – Wladimir Palant Aug 10 '11 at 17:54
  • Adding to what @Wladimir said: rather than actually sending actions, you could send a 'hash' of the data structures as I mentioned; you should be able to 'reproduce' the validity of that data, though. Picking only a few will complicate the problem enough for someone to break the system. – PhD Aug 10 '11 at 17:55
  • @Wladimir: Posted comment. Your comment came in parallel :) – PhD Aug 10 '11 at 17:56
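To make the objection in the comments concrete, here is the keyed-submission idea from this answer and the previous one, written out in Python as an added example (not code from either answer). The server issues the session ID, the client derives a key from it plus a constant baked into the game, and tags its submission with an HMAC under that key; the server checks the tag. The constant folded into the key and the field names are assumptions. The honest client and the forger run the same function, because the forger owns a copy of the game:

```python
"""A client-held key cannot authenticate a score (example code)."""
import hashlib
import hmac
import json
import secrets

# Shipped inside the game's JavaScript, so readable by anyone who plays it.
# The value is an assumption for this example.
GAME_CONSTANT = b"level-3-checkpoint-salt"


def derive_key(session_id: str) -> bytes:
    """SessionID + in-game constant, as proposed above."""
    return hashlib.sha256(session_id.encode() + GAME_CONSTANT).digest()


def tag_submission(session_id: str, score: int, checkpoint: int, ts: int) -> dict:
    """What the game does at submit time.  A forger runs this same code."""
    body = {"session": session_id, "score": score, "checkpoint": checkpoint, "ts": ts}
    msg = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(derive_key(session_id), msg, hashlib.sha256).hexdigest()
    return body


def server_accepts(submission: dict) -> bool:
    """Server side: recompute the tag over everything except the tag itself."""
    body = {k: v for k, v in submission.items() if k != "tag"}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(derive_key(submission["session"]), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, submission["tag"])


def demo() -> dict[str, bool]:
    session_id = secrets.token_hex(16)            # issued by the server at game start
    honest = tag_submission(session_id, score=120, checkpoint=3, ts=1_700_000_000)
    # Altered after tagging, without recomputing the tag: the only case this scheme catches.
    tampered = dict(honest, score=999_999)
    # Forged by someone who read the key material out of the game and re-ran tag_submission.
    forged = tag_submission(session_id, score=999_999, checkpoint=3, ts=1_700_000_000)
    return {"honest": server_accepts(honest),
            "tampered": server_accepts(tampered),
            "forged": server_accepts(forged)}
```

`demo()` rejects `tampered`, the submission altered after signing, which is the in-transit case SSL already covers, and accepts `forged`, because the forger computed the tag exactly as the game does. Keeping the key server-side instead (a server-signed nonce, as in step 1) stops a client from inventing sessions, but still says nothing about whether the score inside a genuine session is real.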