Hiya. As far as I know, it's really not possible, but I just want to be sure before I'm moving to flash.

can I make an html5 game secure enough so people won't be able to change their score and other variables while playing?

thanks!

+1  A: 

Depends on the way your game is coded, but if all the logic is sent to the client and only the score returned then you have no hope. Only by returning the inputs and calculating the score on the server side can you try to prevent the users submitting any score they wish.

Don't forget, by definition the user must change their score or it could never be more than 0...

Colin Pickard
This answer applies equally to HTML5, Flash, or any other way of writing a game.
Colin Pickard
+1  A: 

since your users can see all the source code this is a rather complex problem. they can easily change any function or variable at runtime without your script ever knowing. even if you use a complicated signing function to validate the results.

and i am sorry but i don't think colin's way would work either. i could just change any input to make the server do whatever i want.

maybe a constant monitoring of the score thru the server would be able to detect any impossible changes. still someone cheating in the realms of "possible" results would be uncaught.

in the end i would say u can only make it rather difficult to cheat but not impossible for someone with a little bit of skill.

don't use it for any games where u can win something by scoring the highest.

since the matter seems rather puzzling to people:

flash delivers compiled swf files, that cannot (since flash 9) be decompiled to useful smth. so u can put a secret in there which you use to sign the score. i.e. send the score and the md5 of score+secretkey. so the server (which also knows the key) can check it. furthermore flash variables are not so easy to tamper with (you would have to find them in ram and alter them there, which is a very complex task), while javascript vars can be easily edited using, for example, webkit developer tools

update

actually i correct myself => all swfs can be decompiled this just leaves us with code obfuscating and "encrypting"

i guess the world is a bad place after all ;)

elmac
btw flash can be compiled so the user can't "look" inside any "secret" signing functions. and no i am not talking about the old swf decompiler stuff. flash 10 doesn't decompile to anything useful
elmac
I was with you until "don't use it for any games where u can win something by scoring the highest". That counts against Flash and most other web technologies. It's perfectly possible to intercept and alter the data going back to the server "with a little bit of skill".
Olly Hodgson
yes but u can crypto sign the score sent to the server with a secret unknown to the user. i.e. md5 of (score+secretkey) along with the score. in flash the user wouldn't be able to decompile the swf (since flash 9 or so) while in js the user can just look it up
elmac
@elmac: can you show me a swf file that can't be decompiled?
arjan
@arjantop after reading about latest decompilers for a while... it seems all swfs can be decompiled today... wasn't like that in the old days ;) so this just leaves us with the good old obfuscating and "encrypting"
elmac
-1 This answer doesn't provide a solution or enhance the understanding of the question.
Jesse Dhillon
A: 

There is no "depends", the straight answer to your question is "no" and I think my fellow answerers simply muddied the waters.

You cannot trust the client. With any language, whether you're writing assembly or HTML or Flash, you cannot trust the client. No matter how much you wrap your code in obfuscation and such, it can and will be figured out (and often quicker than you might think).

This is stressed everywhere and yet people keep getting bit by it. Online games get "speedhacked" because they don't check the velocity of players, or they get item duplication because they don't verify that a player actually has an item that they're trying to do something with, or the lame little flash games get hiscore entries of 9999999 because a simple tool like Tamper Data (a Firefox add-on) is all it takes to change the score as it's sent to the server.

You can't trust the client, whether HTML5 or Flash.

If it's a single-player game, let the player cheat. That is their decision. If it's a multiplayer game, the server verifies every step of the game and anything outside of the rules is thrown out. If it's hiscores, send a replay of the game to the server and analyze it for any cheating rather than sending just a numeric score.

Ricket
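
The replay check suggested in the last answer (and the "return the inputs" idea in the first), sketched as an added example that is not code from any answer on this page. The lane-catching game, its rules and every name here (`startRound`, `verifySubmission`, `simulate`) are hypothetical; the point is that the server issues the seed, re-runs the rules over the submitted inputs and computes the score itself.

```javascript
'use strict';
const LANES = 5, MAX_TICKS = 1000;
const openRounds = new Map(); // sessionId -> seed the server issued for that round

// Small seeded PRNG (mulberry32-style): the same seed always yields the same item sequence.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6D2B79F5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Authoritative rules: one move per tick (-1, 0 or +1 lane), +1 point when the
// player's lane matches the lane the item falls in. Throws on any rule violation.
function simulate(seed, moves) {
  if (!Array.isArray(moves) || moves.length > MAX_TICKS) throw new Error('bad replay length');
  const rand = mulberry32(seed);
  let lane = 2, score = 0;
  for (const m of moves) {
    if (m !== -1 && m !== 0 && m !== 1) throw new Error('illegal move');
    lane = Math.min(LANES - 1, Math.max(0, lane + m));
    if (Math.floor(rand() * LANES) === lane) score += 1;
  }
  return score;
}

// Assumption: the caller passes a seed drawn from a CSPRNG; it is a parameter
// here only so the example is deterministic.
function startRound(sessionId, seed) {
  openRounds.set(sessionId, seed);
}

// The client sends its inputs; the claimed score is only compared, never stored.
function verifySubmission(sessionId, submission) {
  const seed = openRounds.get(sessionId);
  if (seed === undefined) return { ok: false, reason: 'no open round' };
  openRounds.delete(sessionId); // one submission per issued seed
  try {
    const score = simulate(seed, submission.moves);
    if (score !== submission.claimedScore) return { ok: false, reason: 'score mismatch' };
    return { ok: true, score };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```

This rejects forged scores and inputs that break the rules; a script that plays legal moves still passes, which is the "realms of possible" limit raised in the second answer.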