Hajo (Demon Hunter)
Posted: Mon Jul 21, 2008 3:31 pm
Post subject: A secure way to keep a highscore table on a server
Scenario:
- I have a game that runs as an applet in the player's browser.
- I have a webserver that is capable of running PHP scripts.
Theoretically, the applet could call a script with:
Code:
http://myserver/scorescript.php?name=<playername>&score=<playerscore>
But any geek with a browser can call that script, too, and fill the highscore table with garbage ...
Any ideas how to make this a bit less of a security hole? The game is free and doesn't need a registration or whatsoever, and I'd like to keep it simple. Ideas how to safely keep the highscore table are highly appreciated :)
Mattias Gustavsson (Mage)
Posted: Mon Jul 21, 2008 3:38 pm
What I do for the game I'm working on is send every move (it's turn based) to the server, and the server runs the game simulation as it receives each move. At the end of the game, the server knows the score, as calculated from the received moves, so the score itself is never submitted... I think that makes it pretty secure...
Sure, players could submit moves without using the game client, but the server would reject invalid moves, so it wouldn't make much of a difference...
_________________
www.mattiasgustavsson.com - My blog
www.rivtind.com - My Fantasy world and isometric RPG engine
www.pixieuniversity.com - Software 2D Game Engine
Hajo (Demon Hunter)
Posted: Mon Jul 21, 2008 3:43 pm
Yes, that should be safe :)
The problem is that my game is completely single player. I just had the idea to replace the single player highscore table with a shared one on the server, and since I assume players will be itchy about their scores, I want it somewhat safe ... but I assume without a registration step, an HTTP request from a browser cannot be distinguished from an HTTP request generated by the applet. And even if I try some encryption, hackers can easily decompile the applet, figure out the encryption step and then send scores.
Do you have a registration and login step included there?
valderman (Mage)
Posted: Mon Jul 21, 2008 4:37 pm
There's really no way of keeping it secure if the game itself is single player. Sorry.
You can make it harder to post faked scores by requiring a password and obscuring your code to hell to prevent people from retrieving it with a hex editor or disassembler, but if someone wants to get in, there's no stopping them.
_________________
http://www.weeaboo.se
Mattias Gustavsson (Mage)
Posted: Mon Jul 21, 2008 4:55 pm
Hajo wrote:
> Do you have a registration and login step included there?

yes, but for other reasons, it's not necessary for the highscore bits.

valderman wrote:
> There's really no way of keeping it secure if the game itself is single player.

Yes there is. My game is single player. My first implementation was like this: when the player submits his highscore from within the game (via HTTP), the game doesn't actually send the highscore, but the initial random seed along with all the moves made by the player. When the server (php script) receives the data, it runs through the game with the same random seed, and applies the moves as the player did. If it comes across an invalid move, it rejects the whole highscore submission. If all goes through ok, it will have calculated the correct score along the way, and stores that in the highscore table.
I'm changing my implementation now though, to have the server receive each move as the player makes it (only when the player chooses to play online), so that I can keep savegames on the server even if the game would crash half way through.
So yeah, there's ways to do it, depending on how much work you're prepared to do...
_________________
www.mattiasgustavsson.com - My blog
www.rivtind.com - My Fantasy world and isometric RPG engine
www.pixieuniversity.com - Software 2D Game Engine
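Mattias's replay check, as an added example that is not the poster's code, written in Python for the logic that scorescript.php would run: the client submits the seed and its moves (never a score), the server replays them against a constructed toy card game with a constructed RNG, rejects any invalid move, and stores only the score it computed itself.

```python
"""Replay-verified highscore submission: added example, not the poster's code.
Game rules and the tiny RNG are constructed for this example only."""
from typing import Dict, List, Optional, Tuple

MAX_TURNS = 20
BUST_LIMIT = 21
MAX_NAME_LEN = 16

def next_state(state: int) -> int:
    """Constructed linear congruential generator shared by client and server."""
    return (state * 5 + 3) % 64

def replay(seed: int, moves: List[str]) -> Tuple[bool, int, str]:
    """Replay the game from seed. Returns (accepted, score, reason)."""
    if len(moves) > MAX_TURNS:
        return False, 0, "too many moves"
    state, score, game_over = seed % 64, 0, False
    for move in moves:
        if game_over:
            return False, 0, "move after game over"
        if move == "hit":
            state = next_state(state)
            score += state % 10 + 1  # deal a card worth 1..10
            if score > BUST_LIMIT:  # bust ends the game with score 0
                score, game_over = 0, True
        elif move == "stand":
            game_over = True
        else:
            return False, 0, "unknown move %r" % move
    return True, score, "ok"

def handle_submission(params: Dict[str, str]) -> Optional[Dict[str, object]]:
    """What scorescript.php would do with ?name=..&seed=..&moves=hit,hit,stand.
    Any 'score' parameter is ignored; returns the record to store or None."""
    name = params.get("name", "").strip()
    if not 0 < len(name) <= MAX_NAME_LEN or not name.isprintable():
        return None
    try:
        seed = int(params.get("seed", ""))
    except ValueError:
        return None
    moves = [m for m in params.get("moves", "").split(",") if m]
    accepted, score, _reason = replay(seed, moves)
    return {"name": name, "score": score} if accepted else None
```

Because the client still picks the seed here, it could hunt for a lucky one; issuing the seed from the server when a game starts closes that gap.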
valderman (Mage)
Posted: Mon Jul 21, 2008 8:35 pm
Mattias Gustavsson wrote:
> Hajo wrote:
> > Do you have a registration and login step included there?
>
> yes, but for other reasons, it's not necessary for the highscore bits.
>
> valderman wrote:
> > There's really no way of keeping it secure if the game itself is single player.
>
> Yes there is. My game is single player. My first implementation was like this: when the player submits his highscore from within the game (via HTTP), the game doesn't actually send the highscore, but the initial random seed along with all the moves made by the player. When the server (php script) receives the data, it runs through the game with the same random seed, and applies the moves as the player did. If it comes across an invalid move, it rejects the whole highscore submission. If all goes through ok, it will have calculated the correct score along the way, and stores that in the highscore table.
> I'm changing my implementation now though, to have the server receive each move as the player makes it (only when the player chooses to play online), so that I can keep savegames on the server even if the game would crash half way through.
> So yeah, there's ways to do it, depending on how much work you're prepared to do...

Well, that kind of amounts to making the game online, doesn't it?
_________________
http://www.weeaboo.se
Hajo (Demon Hunter)
Posted: Tue Jul 22, 2008 8:13 am
Thanks for the answers. I wanted to keep the server/script very simple, so I guess there is little to no hack-prevention possible with that approach. I guess I'll skip the world-wide-highscore-table idea for this project then.
Terry (Spectral Form)
Posted: Tue Jul 22, 2008 1:46 pm
It's hardly necessary to skip it altogether! For example, there's nothing guarding the Self Destruct highscores except for a simple checksum, and nobody's bothered to try to work it out yet :P That may not make it hack proof, but it will make it very, very hard for everyone except somebody who really knows what they're doing.
_________________
http://www.distractionware.com
Hajo (Demon Hunter)
Posted: Wed Jul 23, 2008 2:00 pm
Good to know that people aren't as evil as I always seem to assume. I might just try and see how it works out. Also a chance to refresh my PHP knowledge a bit.
Verious (Mage)
Posted: Wed Jul 23, 2008 8:35 pm
I think Terry's idea to use a simple checksum (or CRC) would "keep the honest people honest" and probably provide sufficient protection.
Hajo (Demon Hunter)
Posted: Thu Jul 24, 2008 7:59 am
Yes, indeed. Right now I have a few other things to do, but once I have a bit of spare time again, I'll dig more into the PHP docs and try to make the scripts to update the list and to display it. A bit more PHP knowledge will be good for me anyways.
RedSlash (Mage)
Posted: Fri Jul 25, 2008 12:19 am
You could encrypt the data sent to your php script. Not that this method is ultimately secure since the encryption keys would have to be embedded in your applet somewhere, but it makes it difficult for players to simply change a parameter in your PHP query string and have your system broken that way.
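The checksum idea from Terry's and RedSlash's posts, as an added example that is not either poster's code: the applet tags name, score and a timestamp with an HMAC (a keyed checksum, used here in place of a plain CRC) under a key compiled into the applet, and the server recomputes it before storing anything. The key, the acceptance window and the sample values are constructed assumptions; as both posts say, the key can be pulled out of the applet, so this stops query-string editing but not someone who decompiles the client.

```python
"""Checksum-protected score submission: added example, not the posters' code.
Uses an HMAC instead of a plain CRC; key and values are constructed."""
import hashlib
import hmac
import time
from typing import Dict, Optional

APPLET_KEY = b"constructed-example-key"  # compiled into the applet, so extractable
MAX_NAME_LEN = 16
MAX_SCORE = 1000000
MAX_AGE_SECONDS = 300

def sign(name: str, score: int, ts: int, key: bytes = APPLET_KEY) -> str:
    """Applet side: tag name, score and timestamp. NUL separators keep
    'ab'+'1' and 'a'+'b1' from producing the same message."""
    msg = ("%s\x00%d\x00%d" % (name, score, ts)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_submission(params: Dict[str, str], now: Optional[int] = None,
                      key: bytes = APPLET_KEY) -> Optional[Dict[str, object]]:
    """Server side (what scorescript.php would do): returns the record to store,
    or None if the parameters were edited, are out of range, or are stale."""
    now = int(time.time()) if now is None else now
    name = params.get("name", "")
    try:
        score = int(params.get("score", ""))
        ts = int(params.get("ts", ""))
    except ValueError:
        return None
    if not 0 < len(name) <= MAX_NAME_LEN or not 0 <= score <= MAX_SCORE:
        return None
    if abs(now - ts) > MAX_AGE_SECONDS:  # limits replay of an old valid request
        return None
    expected = sign(name, score, ts, key)
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected.encode(), params.get("sig", "").encode()):
        return None
    return {"name": name, "score": score}
```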