I have a quiz-like JavaScript game and it is supposed to be fast-paced. The user needs to answer as many questions as he can in a short time. He is presented with a Yes/No question, the answer is sent to the server, validated there and feedback (correct/incorrect) is shown back to him. I use JavaScript and AJAX.

The problem is the delay in between two consecutive questions due to the verification going on at the server. The questions are independent of each other (the outcome does not change the next question). I want the user to get feedback immediately after his answer and only then see the next question.

Currently, I stop the clock on the client-side while the answer is being validated on the server side and resume it once the feedback along with the next question arrives. I also make sure, at the server side, a game session does not exceed the allowed time plus a reasonable slack for the network delays.

The only and obvious solution I can think of to eliminate the delay is to send a batch of questions to the client along with the answers and do the verification on the client side. That would minimize the communication with the server (once per session) and provide a smooth playing experience. Obviously, any user who can read the incoming messages can create a script that would play automatically and play perfectly. Obfuscating the client code and the answer could help a bit and increase the cost of writing such a malicious script, but it wouldn't prevent a determined user from creating his own script.

My question is two-fold. First, I want to be sure I'm not making a huge mistake and missing an obvious solution to this problem which also perfectly handles users with bad intentions. I guess it's theoretically impossible to come up with such a solution but I don't have enough place to write down the proof here (!).

Second, given that there is no money reward at the end of the game, I don't expect any bored coders to mess with my little game. But still, I would like to hear your opinions and your strategies to deal with it in more serious cases.

+1  A: 

As warm-up, I want to give one sketchy solution that comes to my mind.

Once in a while include a wrong question-answer combination in your batch. You can detect an automatic bot because it should give the "correct" (which is in fact the wrong) answer more frequently than real players (plus there shouldn't be any significant difference between the accuracy for other questions and these bogus questions). The cost is that the real players would see that their legitimate answers are considered as wrong once in a while. If you lower the number of such bogus questions, you sacrifice bot-detection accuracy.

I assume the scripts behave like humans regarding timing between consecutive answers and they are smart enough not to give the correct answer every time. Otherwise it would be too easy.

Amaç Herdağdelen
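
The decoy-question check described in this answer, sketched as server-side scoring (an added example, not part of the original answer). The record shape, the function names, the one-sided binomial test and the 0.01 threshold are assumptions chosen for illustration.

```javascript
// Added example. Record shape and all names are hypothetical.
// Each answer: { decoy, matchedKey }, where matchedKey means the player's
// answer equals the key shipped in the batch (deliberately wrong for decoys).

// P(X >= k) for X ~ Binomial(n, p), summed from the probability mass function.
function binomialTail(n, k, p) {
  let tail = 0;
  for (let i = k; i <= n; i++) {
    let coeff = 1;
    for (let j = 0; j < i; j++) coeff = (coeff * (n - j)) / (j + 1);
    tail += coeff * Math.pow(p, i) * Math.pow(1 - p, n - i);
  }
  return Math.min(1, tail);
}

function scoreSession(answers, alpha = 0.01) {
  const real = answers.filter((a) => !a.decoy);
  const decoys = answers.filter((a) => a.decoy);
  if (real.length === 0 || decoys.length === 0) {
    return { verdict: 'insufficient-data', pValue: null };
  }
  const realAccuracy = real.filter((a) => a.matchedKey).length / real.length;
  // A player answering from knowledge matches a wrong key only by mistake.
  // Clamp so a perfect score on real questions does not force p to 0.
  const pHuman = Math.min(0.99, Math.max(0.01, 1 - realAccuracy));
  const decoyMatches = decoys.filter((a) => a.matchedKey).length;
  const pValue = binomialTail(decoys.length, decoyMatches, pHuman);
  return { verdict: pValue < alpha ? 'suspect' : 'ok', pValue, realAccuracy, decoyMatches };
}

// Constructed sample sessions: counts of key matches on real and decoy questions.
function makeSession(realHits, realTotal, decoyHits, decoyTotal) {
  const rows = [];
  for (let i = 0; i < realTotal; i++) rows.push({ decoy: false, matchedKey: i < realHits });
  for (let i = 0; i < decoyTotal; i++) rows.push({ decoy: true, matchedKey: i < decoyHits });
  return rows;
}
const human = makeSession(36, 40, 1, 6); // 90% accurate, matched 1 of 6 wrong keys
const script = makeSession(36, 40, 5, 6); // same accuracy, matched 5 of 6 wrong keys
const oneDecoy = makeSession(36, 40, 1, 1); // a single decoy cannot reach alpha

for (const [name, s] of Object.entries({ human, script, oneDecoy })) {
  console.log(name, scoreSession(s));
}
```

The `oneDecoy` session is the trade-off the answer mentions: with too few decoys per session, even a perfect match on them is not enough evidence to flag anyone.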
A: 

It's not going to be possible to accomplish what you're trying to accomplish using only Javascript. Think about it: if Javascript, a plaintext, client-side language, is doing the validation, there is nothing to stop the player from doing the same thing the Javascript would do and grabbing the right answers.

To minimize abuse, you could obfuscate the Javascript and provide the answers to the client in hash form (md5/sha1/etc), hash the answer the user submits, then verify against the hash. That way the answers are not visible in plaintext, but if your game has limited multiple-choice answers, it would be trivial for a cheater to just hash all of them and compare against the batch of answers.

Exactly how long of a delay are we talking here? Ajax IS fairly quick... I've seen some applications with response times in the 100-200ms range. That should be low enough as to not disrupt the user experience. If you have response times slower than that, then your best bet might be to look into how you can optimize the server-side portion of your application to calculate responses faster.

Mike
I agree that pure Javascript cannot eliminate abuse altogether. The response times (back and forth) are definitely subsecond and usually below 500ms. I use a filler between the questions (a simple sound sample that creates an expectation) but more than rarely, the response time exceeds 500ms and even the filler cannot fill in. Then the uneven delays between questions feel awkward.
Amaç Herdağdelen