avoiding automatic software to control web service

Published 2019-07-29 19:40

Question:

Let's imagine I build a web service, and a client application that calls this web service.

Is there any way to prevent software other than mine from making calls to the web service?

For example, imagine a game where a player can gain some money by clicking on an icon, only available once per hour. If the user is connected, fine. If the user is not connected, he "loses" the time window to get the money.

In a standard web service + client, it would be quite easy for any teenager to build a script/fake app to call the web service.

How can I avoid that? I know there is no magic solution, but at least, how can I raise the difficulty of writing such tools?

PS: I'm working with the Microsoft .Net platform + Silverlight, but I feel this question is wider than MS technologies.

[EDIT] To clarify, I don't ask how to add authentication, but how to prevent a user from automating calls to the web services. Nothing prevents a user with an account from using their account to automate the calls; what I want to avoid is, for example, a fake app with an actual authentication doing something every 5 seconds instead of on user input. In a game, this can prevent farming robots.

Answer 1:

You'll want the server to be more aware of the game state. For instance, in the case you outline, the server should be aware whether or not that money icon is on the screen for the user to click on. When receiving a request for "click on money" it should check if the money is actually on the screen. Maybe just adding a "last time clicked on money" variable for each user would be enough. But this would allow a bot to "click the money" even if they weren't in the game, although you could limit the frequency. Perhaps you could go with something more robust. Such as when displaying a money icon on the screen, include with it a random key value (GUID or something like that) that you can send back with a valid call to verify that they actually clicked on a real money icon that was actually displayed on their screen; as opposed to just "click on money icon", you know exactly what they are clicking on. This makes writing a script more difficult, as they would have to look into the memory contents of the game in order to determine the GUID attached to the money icon and submit that along with the request. This would still be possible, though much more difficult.

Answer 2:

WCF web service methods can be decorated with security requirements. This includes RIA services for Silverlight (which are basically just WCF services).

You can require basic authentication, or even that the user must be a member of a specific role to use a specific method.

This does mean of course that your application must use authentication (i.e. the user must log in).

Alternatives are to provide your own authentication system (e.g. with tokens), but this still requires the app (at least) to log in to the service first to get a new token.

[Edit] In answer to your follow-up, robot detection is usually a case of recording durations between calls, or average duration, and simply disallowing access if the limits are exceeded (or, if you are really mean, cancel their account or start returning garbage data).
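The two server-side ideas from the answers above, the per-display random key from Answer 1 and the call-interval robot detection from Answer 2, combined in one added example that is not from either answerer. It is language-neutral logic written in Python rather than the question's .Net/Silverlight stack; the cooldown comes from the question, while `ICON_TTL`, `MIN_INTERVAL` and the regularity threshold are assumed values a real game would tune.

```python
import secrets
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COOLDOWN = 3600       # icon is available once per hour, as in the question
ICON_TTL = 60         # seconds an issued icon nonce stays valid (assumed value)
MIN_INTERVAL = 2.0    # calls closer together than this are suspicious (assumed)


@dataclass
class Player:
    last_collected: float = -float("inf")
    pending_nonce: Optional[str] = None
    nonce_issued_at: float = 0.0
    call_times: List[float] = field(default_factory=list)


class MoneyServer:
    """Server-side game state: the server, not the client, decides when the icon exists."""

    def __init__(self) -> None:
        self.players: Dict[str, Player] = {}

    def show_icon(self, user: str, now: float) -> Optional[str]:
        # Called when the client is about to draw the icon; returns the key to embed in it.
        p = self.players.setdefault(user, Player())
        if now - p.last_collected < COOLDOWN:
            return None                  # icon is not due, so no key exists to claim
        p.pending_nonce = secrets.token_hex(16)   # unguessable, fresh per display
        p.nonce_issued_at = now
        return p.pending_nonce

    def claim(self, user: str, nonce: str, now: float) -> str:
        # Handles "click on money"; every call is recorded for robot detection.
        p = self.players.setdefault(user, Player())
        p.call_times.append(now)
        if self.looks_automated(p):
            return "blocked"
        if p.pending_nonce is None or not secrets.compare_digest(nonce, p.pending_nonce):
            return "rejected"            # nothing on screen, or a guessed/replayed key
        if now - p.nonce_issued_at > ICON_TTL:
            p.pending_nonce = None
            return "expired"
        p.pending_nonce = None           # one-time use: replaying the same key fails
        p.last_collected = now
        return "paid"

    @staticmethod
    def looks_automated(p: Player) -> bool:
        # Flags bursts of calls or metronome-like regularity over the last few intervals.
        gaps = [b - a for a, b in zip(p.call_times, p.call_times[1:])][-5:]
        if len(gaps) < 4:
            return False
        return min(gaps) < MIN_INTERVAL or statistics.pstdev(gaps) < 0.05
```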