How to process AJAX requests more securely in PHP?

Question

Ok, so I want to send AJAX requests to my website from my Flash games to process data, but I don't want people downloading them, decompiling them, then sending fake requests to be processed, so I'm trying to figure out the most secure way to process in the PHP files. My first idea was to use Apache's built in Authorization module to require a username and password to access the pages on a separate subdomain of my website, but then you'd have to include that username and password in the AJAX request anyway so that seems kind of pointless to even try.

My current option looks pretty promising but I want to make sure it will work. Basically it just checks the IP address being sent using REMOTE_ADDR to make sure it's the IP address that my server runs on.

<?
$allowed = new Array("64.120.211.89", "64.120.211.90");
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed)) header("HTTP/1.1 403 Forbidden");
?>

Both of those IP addresses point to my server. Things I'm worried about:

1) If I send a request from Flash/ActionScript, will that affect the IP address in any way?

2) Is it possible for malicious users to change the IP address that is being sent with REMOTE_ADDR to one of my IP addresses?

Any other ways you would suggest that might be more secure?

Answer 1

The REMOTE_ADDR will be the address of the client, so it won't help.

If the client can decode it, they will be able to emulate it.

Just hope no-one is that desperate to get a high-score on your games.

I guess it's easier to sniff packets than it is to decompile the flash, so it might be worthwhile encrypting the data in some fashion as you send it.

Answer 2

THOSE IPs ARE NSFW.

Keep in mind that if someone decompiles your flash app, recompiles it, and then places it back in your site using Firebug or similar, all your work is wasted in your current thought stream. The best way to prevent abuse is going to be to require one-time use encrypted tokens that you send when you initialize the flash game, and require on the POST back. The game data should also be encrypted and decrypted somehow. But even that won't stop everyone. Flash game security is notoriously difficult.

Answer 3

I've really been thinking about this. People hack games to get #1 on the scoreboard, correct? That's the only reason, they want to be on top. So, I've decided to completely get rid of the global scoreboard. Users, of course, will have their personal scores recorded so they can compete against themselves, but other than that, each game will simply give users an award for accomplishing some specific task. That way score is irrelevant. Whether you get 1,000,000 or 1,000, you still get the same award. This will deter hackers because their efforts are meaningless. Yes, I can still implement some form of lower-level security when transmitting data to the server via AJAX requests, but really it wouldn't seem very logical for someone to hack my game just to get an award that is exactly the same as any award anyone else has received. I know it seems like I'm kind of avoiding the issue, but really I'm not. I'm facing the real issue which is the hackers and pretty much demolishing their motivation to hack the game while still maintaining that sense of competition. Most hackers do it to gain attention, so they can look at the scoreboard and say, 'Yeah, I hacked the game to get that score.' But if they only have a little icon in their profile, who's going to care?