I'm creating a tower-defense game in JavaScript and want to have a high score and other multiplayer interactions. Probably have a couple of players start the game at the same time and tell them how fast the other guys are going and that kind of stuff.

I don't know how Flash games send their scores or events to make sure the information that each client is sending is actually correct and not just someone sending incredible scores. I remember a couple of years ago when Flash games started having high scores, it was very common to see unreal (hacked) scores and well... that's pretty weird not; so what is the secret here?

+1  A: 

People will always be capable of cheating at games... the best you can do is make it difficult to cheat. Scores for old Flash games were very easy to rig because the score would be submitted via an HTTP request. Sniffing the traffic would reveal the submission URL and what variables needed to be passed in order to update the score. I hope that it has since changed.

If I were you I would make use of some error-checking code that will be passed along with the final score in order to verify that the score is legitimate. The error-checking code algorithm should be difficult to determine from a score (if the person is sniffing it). The JavaScript should also be arbitrarily obfuscated. This is nowhere near ideal but it should deter a good portion of the cheaters.

Patrick Gryciuk
A: 

It's primarily through obscurity these days. You would generally assign a unique token per game, and form some kind of hash of the score and token and validate it on submission (or continual submission, validation and token-switching throughout gameplay).

It will be a lot harder for you to do via JavaScript.

Matt
+1  A: 

The best practice I have seen for this is to do sanity checks.

Record the time elapsed, enemies killed, etc... check the score with the data, and see if they add up.

Unknown
A: 

Use a combination of the following tools, which are commonly used to prevent fake score and progress reports.

  1. Obscurity - compress and obfuscate the logic that calculates the score string. Distribute it and make it difficult to reverse engineer.
  2. Randomly changing keys - When your game begins, let the JavaScript request a key which can be used to encrypt the string containing the high scores, etc. The server should also have the private key which will allow you to decrypt the message.
  3. Sanity checks - While a user might change the score, make your requests also contain the number of kills, etc, which are known bounds. The server will check the hashes and make sure that the data is valid.
  4. Consider using a comet server - Since you'll be feeding realtime data to both clients, you'll be better off using a comet server like Orbited or Jetty. This will enable streaming without crashing your server.
  5. Make it frustrating. 'nuff said.
antileet
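
The per-game token and hash from Matt's answer, combined with the sanity checks from Unknown's and antileet's answers, could look like this on a Node.js server. This is an added example, not code from any of the answers; the function names, the `LIMITS` values and the report fields (`score`, `kills`, `elapsedMs`) are assumptions about a hypothetical game.

```javascript
// Added example: server-side validation of a score report.
// All names and limits are assumptions, not from the original answers.
const crypto = require('crypto');

const LIMITS = { maxKillsPerSec: 2, maxPointsPerKill: 50 }; // assumed game rules
const games = new Map(); // token -> { startedAt, used }

// Called when a game starts: issue an unpredictable, single-use token.
function startGame(now = Date.now()) {
  const token = crypto.randomBytes(16).toString('hex');
  games.set(token, { startedAt: now, used: false });
  return token;
}

// MAC over the report, keyed with the per-game token. The client holds the
// token too, so this only stops replay or editing of a captured request.
function signReport(token, r) {
  const msg = [r.score, r.kills, r.elapsedMs].join('|');
  return crypto.createHmac('sha256', token).update(msg).digest('hex');
}

// Returns 'ok' or the reason the report was rejected.
function validateReport(token, r, mac, now = Date.now()) {
  const game = games.get(token);
  if (!game) return 'unknown token';
  if (game.used) return 'token already used';
  game.used = true; // one submission per game, valid or not

  const expected = Buffer.from(signReport(token, r), 'hex');
  const given = Buffer.from(String(mac), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return 'bad mac';

  // Sanity checks against what the server itself measured or allows.
  const serverElapsed = now - game.startedAt;
  if (r.elapsedMs > serverElapsed + 2000) return 'claimed time exceeds real time';
  const maxKills = Math.floor((serverElapsed / 1000) * LIMITS.maxKillsPerSec);
  if (!Number.isInteger(r.kills) || r.kills < 0 || r.kills > maxKills)
    return 'implausible kills';
  if (!Number.isInteger(r.score) || r.score < 0 ||
      r.score > r.kills * LIMITS.maxPointsPerKill) return 'implausible score';
  return 'ok';
}
```

The MAC only raises the bar, since the signing code runs in the player's browser; the checks that hold up are the ones based on state the server keeps itself (token issue time, single use, rule limits).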