Given a Client Side Game (lets call it game X) and a server side database that stores the high scores how can after the end condition of the game securely sumbit a high score to the server in a way that can only be done if the game was actually played (thus to prevent post hijacking).
Given this problem set here are a few ideas I have been thinking about
** Upon the game start send a session ID that expires after a given amount of time to be sent to the server for verification
the problem is that this could be easily exploited by requesting the start id then just forging the score
** Checkpoints within the game that post to the server to verify the person is actually playing the game
again this could be synthesized with some crafty scripting
What about something like this:
And @iamkrillin beat me to it...but I am still gonna post it :)
Upload a replay of the game and verify the score from that replay on the server. Of course this works only if your game supports replays.
At minimum create a rough log of what's happening ingame and apply some plausibility checks.
You should also add some ingame consistency checks. Else I'll just use a tool like ArtMoney and change the score during the game.
But in the end if the user writes a bot it gets really hard.
Do this... take your session id from the server, combine it with something in the game and use that as an encryption key, then in your submit data send whatever data you want + a timestamp or something else from the checkpoints in the game
Maybe use SessionID + checkpoint id for the encryption key
There is no way for you to prevent the client side from being manipulated. It is being controlled by the player and he could introduce subtle changes to the client-side application logic that won't be detectable on the server side. The only solution I am aware of is sending all user actions to the server (all at once at the end of the game or continuously while the user is playing) and having the server verify them (recalculate the score). If the actions result in the score that the user claims to have achieved then accept the score. If the actions don't match the score - reject. It will be much harder to generate fake actions that are logically consistent. It won't prevent all cheating techniques however (google for "aiming proxy", something similar might be possible in your game as well).