How to securely submit a high score in a front end

2020-06-08 04:05发布

问题:

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 8 years ago.

Given a Client Side Game (lets call it game X) and a server side database that stores the high scores how can after the end condition of the game securely sumbit a high score to the server in a way that can only be done if the game was actually played (thus to prevent post hijacking).

Given this problem set here are a few ideas I have been thinking about

** Upon the game start send a session ID that expires after a given amount of time to be sent to the server for verification

the problem is that this could be easily exploited by requesting the start id then just forging the score

** Checkpoints within the game that post to the server to verify the person is actually playing the game

again this could be synthesized with some crafty scripting

回答1:

Upload a replay of the game and verify the score from that replay on the server. Of course this works only if your game supports replays.

At minimum create a rough log of what's happening ingame and apply some plausibility checks.

You should also add some ingame consistency checks. Else I'll just use a tool like ArtMoney and change the score during the game.

But in the end if the user writes a bot it gets really hard.



回答2:

There is no way for you to prevent the client side from being manipulated. It is being controlled by the player and he could introduce subtle changes to the client-side application logic that won't be detectable on the server side. The only solution I am aware of is sending all user actions to the server (all at once at the end of the game or continuously while the user is playing) and having the server verify them (recalculate the score). If the actions result in the score that the user claims to have achieved then accept the score. If the actions don't match the score - reject. It will be much harder to generate fake actions that are logically consistent. It won't prevent all cheating techniques however (google for "aiming proxy", something similar might be possible in your game as well).



回答3:

Do this... take your session id from the server, combine it with something in the game and use that as an encryption key, then in your submit data send whatever data you want + a timestamp or something else from the checkpoints in the game

Maybe use SessionID + checkpoint id for the encryption key



回答4:

What about something like this:

  1. Have the server send a nonce - 'hash-signed' by server's secret key and timestamp etc.,
  2. Have a hash based on some internal datastructures + client key and send it to server periodically
  3. Do this over SSL

And @iamkrillin beat me to it...but I am still gonna post it :)