Saturday, June 4, 2016

security - Securing HTTP data from a JavaScript game to server


Suppose I am doing a JavaScript game, and I wish the game to update the server if the user has successfully completed the game, along with his outcome.



How should I ensure that the request came from the JavaScript game, and that the data sent has not been tampered with? I am using PHP as the server-side language.


I do understand that no strategies are going to be 100% fool-proof, and any measures taken are more of a deterrent than absolute protection.


On Edit: Let's suppose we're not using server verification of each user's step (as in a traditional MMO). The game could be a mini-game as part of a web game or educational game (space invaders or a real-time game, for example) and requiring a server-side component for each of those games could be tedious.


Example: Suppose, when the game is completed, a request is sent to the server via AJAX:


game_finished.php?user_id=1&outcome=success&score=88

A user could 'fake' the server into believing that the game has been completed correctly by sending that request to game_finished.php. How could this be made more difficult?



Answer



a sliding block puzzle, for example


This is an example where server-side verification is trivial. It doesn't need to verify each step until the game is over. Just send the entire move list, and the server replays it to make sure it's correct.



(Edit: The point of this answer isn't to pick on examples until you find one that isn't trivially validatable. Rather, it should make you go back and look at the game you're actually making - it's probably trivially validatable, or only needs a small tweak to be.)
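
The replay check described in the answer, as an added example that is not part of the original post. It is written in JavaScript, the game's language, and the same logic would be ported to the PHP endpoint; it assumes the server stored the starting board when it dealt the puzzle, and the names, move encoding, move cap and score formula are all hypothetical.

```javascript
// Server-side replay of a 3x3 sliding puzzle submission (added example).
// Assumptions: 0 is the blank tile; each move is the direction the blank
// travels; the start board comes from server state, never from the request.
const SIZE = 3;
const SOLVED = [1, 2, 3, 4, 5, 6, 7, 8, 0];
const MAX_MOVES = 500; // hypothetical cap to bound replay cost
const DELTA = new Map([["U", [-1, 0]], ["D", [1, 0]], ["L", [0, -1]], ["R", [0, 1]]]);

function replayMoves(startBoard, moves) {
  if (!Array.isArray(moves) || moves.length === 0 || moves.length > MAX_MOVES) {
    return { ok: false, reason: "bad move list length" };
  }
  const board = startBoard.slice();
  let blank = board.indexOf(0);
  for (let i = 0; i < moves.length; i++) {
    const d = DELTA.get(moves[i]);
    if (!d) return { ok: false, reason: `unknown move at index ${i}` };
    const row = Math.floor(blank / SIZE) + d[0];
    const col = (blank % SIZE) + d[1];
    // Reject moves that would push the blank off the board.
    if (row < 0 || row >= SIZE || col < 0 || col >= SIZE) {
      return { ok: false, reason: `illegal move at index ${i}` };
    }
    const target = row * SIZE + col;
    board[blank] = board[target];
    board[target] = 0;
    blank = target;
  }
  if (!board.every((v, i) => v === SOLVED[i])) {
    return { ok: false, reason: "final board is not solved" };
  }
  // The score is derived from the replay, not read from the request.
  return { ok: true, score: Math.max(0, 100 - moves.length) };
}

// Constructed sample: a board two moves away from solved.
const SAMPLE_START = [1, 2, 3, 4, 5, 6, 0, 7, 8];
console.log(replayMoves(SAMPLE_START, ["R", "R"])); // genuine solution
console.log(replayMoves(SAMPLE_START, ["R"]));      // claims success, board unsolved
console.log(replayMoves(SAMPLE_START, ["L"]));      // blank cannot move left here
```

With this shape the request carries only the move list; `outcome` and `score` are no longer client-supplied parameters.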

