Prevent Cheating on Javascript Game

Question

I'm currently developing a game using JavaScript/JQuery. It's a simple brick breaker type of game keeping score, levels etc. I'm planning on implementing a leader board that users can submit their final score to. The only problem I see with this is users manipulating the score using developer tools on most browsers. I understand that keeping things server side will resolve most of these issues, however if there is a high volume of users, it will hit my server hard with requests. Cookies - Easily changed client side. I'm honestly out of logical ideas to promote fair game play because there is ALWAYS people who seek to cheat/become top of the leader board. With that said, what's an efficient and effective way to keep track of the user's score without giving them access to changing it?

There should be some good answers in many of the related questions on this page. How is your question different? — Ray Toal, Aug 24 '11 at 06:06
possible duplicate of [What good ways are there to prevent cheating in JavaScript multiplayer games?](http://stackoverflow.com/questions/5250403/what-good-ways-are-there-to-prevent-cheating-in-javascript-multiplayer-games) — Konerak, Aug 24 '11 at 06:11

score 11 · Answer 1 · answered Dec 13 '11 at 18:22

Make the page submit a complete replay of the game rather than just the final score. Given the random seed and a frame by frame record of user inputs, your server should be able to simulate and reconstruct the game and verify the score.

Obviously the replay can be faked too, but it would amount to so much work (actually playing the game and actually getting a good score, albeit with the unfair advantage of AI assistance, slowing down and other client hacks) that tool-assisted scores should deserve to be in the leaderboard.

This is the most effective solution, but not the easiest. – 7yl4r Jan 27 '15 at 16:42 — 7yl4r, Jan 27 '15 at 16:42

score 6 · Accepted Answer · edited Mar 29 '22 at 16:00

6

Obfuscate their score by creating an equation that can only be calculated on the server side.

Edit: RobG is correct in that it will need to be calculated on the client side.

I hacked the Angry Birds game when it launched on chrome:

http://wesbos.com/all-levels-html5-angry-birds/

However, they have since obfuscated the code so much that its impossible to figure out which function calculates the hash..

edited Mar 29 '22 at 16:00

Kostas Minaidis

4,681
3
17
25

answered Aug 24 '11 at 06:08

wesbos

25,839
30
106
143

5

The code is running client side, so whatever encoding is occuring is on the client and can be spoofed. Different approaches just make it more or less difficult. – RobG Aug 24 '11 at 06:27
@RobG for a puzzle game there is the opportunity to make spoofing the score as difficult as the game itself. – John Dvorak Aug 17 '16 at 07:50

score 3 · Answer 3 · edited Mar 10 '15 at 05:29

3

An idea I had was to use a game-timer. If the user changes the score to an amount that is obviously not possible given the amount of time that has passed, refuse to log the information. You could start the timer and check the timer in your server-side script.

Now of course if they change the score only by a few points this checking may fail, but, if they only add a less than impacting amount then maybe it won't matter to you as much?

edited Mar 10 '15 at 05:29

nhahtdh

55,989
15
126
162

answered Mar 10 '15 at 05:13

hambone

51
1

This is well thought out, I like it. One could implement various measures like this, making it really hard for a cheater to crack it. – Gass Dec 30 '21 at 15:13

score 3 · Answer 4 · answered Aug 24 '11 at 06:35

You can't guarantee no cheating, it's impossible. The server responds to requests, that's it. It has no idea what code is running on the client, what type of user agent or environment it's in or even whether it's running your code or a facsimile.

You can take various steps to make spoofing more difficult, but you can't make it impossible. The cost of such measures (usually seen as "security") is usually balanced with the value of the asset being protected.

score 2 · Answer 5 · answered Aug 25 '11 at 00:31

2

Never put anything on the client. The client is in the hands of the enemy. Never ever ever forget this.

-- The Laws of Online World Design

answered Aug 25 '11 at 00:31

Martin Sojka

256
2
7

score 0 · Answer 6 · answered Jul 26 '17 at 15:42

0

You could also make the leaderboard less important, by only sharing scores with 'trusted' friends. Or simply allowing people to share their score on any social networking site. Maybe this removes the primary motivation to cheat in the first place.

You could then always compare the score implicitly with statistics you gathered, to tell if somebody is doing good or not.

answered Jul 26 '17 at 15:42

Yeti

2,647
2
33
37

Well.. But then you are also removing the motivation for the honest players who like to compete. – Gass Dec 30 '21 at 15:15

score -3 · Answer 7 · edited Apr 14 '21 at 11:37

-3

Base64 encode your javascript page. That should stop people some people.

Link: http://www.opinionatedgeek.com/dotnet/tools/base64encode/

edited Apr 14 '21 at 11:37

KetZoomer

2,701
3
15
43

answered Aug 24 '11 at 06:09

Coomie

4,832
3
32
44

1

I don't think you need a high IQ to install a plugin written by someone else (with whatever IQ) that sends whatever score you'd like. – RobG Aug 24 '11 at 06:29

Prevent Cheating on Javascript Game

7 Answers7

Linked

Related