How to securely submit a high score in a front end

2020-06-08 03:43发布

Given a Client Side Game (lets call it game X) and a server side database that stores the high scores how can after the end condition of the game securely sumbit a high score to the server in a way that can only be done if the game was actually played (thus to prevent post hijacking).

Given this problem set here are a few ideas I have been thinking about

** Upon the game start send a session ID that expires after a given amount of time to be sent to the server for verification

the problem is that this could be easily exploited by requesting the start id then just forging the score

** Checkpoints within the game that post to the server to verify the person is actually playing the game

again this could be synthesized with some crafty scripting

4条回答
太酷不给撩
2楼-- · 2020-06-08 03:48

What about something like this:

  1. Have the server send a nonce - 'hash-signed' by server's secret key and timestamp etc.,
  2. Have a hash based on some internal datastructures + client key and send it to server periodically
  3. Do this over SSL

And @iamkrillin beat me to it...but I am still gonna post it :)

查看更多
我想做一个坏孩纸
3楼-- · 2020-06-08 03:50

Upload a replay of the game and verify the score from that replay on the server. Of course this works only if your game supports replays.

At minimum create a rough log of what's happening ingame and apply some plausibility checks.

You should also add some ingame consistency checks. Else I'll just use a tool like ArtMoney and change the score during the game.

But in the end if the user writes a bot it gets really hard.

查看更多
劳资没心,怎么记你
4楼-- · 2020-06-08 03:55

Do this... take your session id from the server, combine it with something in the game and use that as an encryption key, then in your submit data send whatever data you want + a timestamp or something else from the checkpoints in the game

Maybe use SessionID + checkpoint id for the encryption key

查看更多
冷血范
5楼-- · 2020-06-08 03:57

There is no way for you to prevent the client side from being manipulated. It is being controlled by the player and he could introduce subtle changes to the client-side application logic that won't be detectable on the server side. The only solution I am aware of is sending all user actions to the server (all at once at the end of the game or continuously while the user is playing) and having the server verify them (recalculate the score). If the actions result in the score that the user claims to have achieved then accept the score. If the actions don't match the score - reject. It will be much harder to generate fake actions that are logically consistent. It won't prevent all cheating techniques however (google for "aiming proxy", something similar might be possible in your game as well).

查看更多
登录 后发表回答