views:

95

answers:

2

In my JavaScript game (made with jQuery) I have player position stored in a database. When character is moving, i just send request to specyfic URL, I.E. mysite.com/map/x1/y3 (where a character's position is x=1, y=3).

That url send coordinates to the database and checks to see if any other players are near ours. If yes, it sends also JSON object with name and coords of that players.

And here is my question - how to secure it? Some one could look into my JavaScript code and prepare url looking like mysite.com/map/x100/y234, and it will 'teleport' him into some other side of map.

A: 

You could obfuscate your javascript source code. That will at least deter casual cheats, however there's probably no way to make it completely secure using javascript.

Tom
There is no such thing as security though obscurity. To attack this system i would use tamperdata, i don't care what the script looks like.
Rook
+6  A: 

Any data/computation processed in JavaScript in the browser will be insecure since all the code runs on the local machine. I would recommend to list all the parameters critical to a fair experience of play, such as the player position, score, resources... and compute the management of these parameters on the server-side. You would only gather user inputs from the browser and send the updated state to the browser for display.

Even if you choose to compute some values on the browser side to avoid latency, you should not take them into account for the global state shared by players, and you should resynchronize the local state with the global state - always in the direction global to local - from time to time.

Like in a typical form handling, you should also check that the values sent by the browser for user inputs fall into reasonable bounds, e.g. relative movement in one second is less than a certain distance.

Eric Bréchemier
+1 Good advice!
Daniel Vassallo