I'm working on games using javascript, some html and css, and I was wondering if there was any way to secure the game so that the user can't just call game.php?result=victo
There should be no URL for victory. During the game, the client should send the user actions, and if they've won, the server redirects them to the victory page.
No calculating/rewarding should be done on the victory page, if any.
Would this be considered an option? (Late answer)
Transfer the critical (stuff you do not want to be hacked), over to a hidden internal flash player, which acts both as the critical variable storage, calculator (e.g. life points) and "communicator" to the server for such game data.
It is definitely more secure than JavaScript. But still, it is always best to assume your client side is 100% not secure. (Even in C++ games, lol : hackers)
However, by transferring the traffic for game data to flash, you are able to utilize some of its more interesting communication functions, eg: P2P =)
The only way to make it secure is to have all the calculation and validation occur on the server side. That's how it's done on pretty much all online games. The client can never be trusted in online communication and you must always make sure on the server side that the user is actually doing something valid. (In theory anyway, in practice you have to trust the client somewhat for lag compensation and offloading some noncritical stuff to the client side).
For this reason, javascript is not a very good language for developing an online game, as every action does need to be processed and validated by the server. For other programming languages it is not such a huge problem, because you can build your own communication protocols using TCP/IP for the server and the client. However, for javascript there is no such possibility, because you must rely on the HTTP protocol and the XMLHttpRequest handlers, which make for a very inefficient live client-server communication.
Like you said, you can always do the interface in javascript, but for security, you still need to perform plenty of stuff on the server side and this certainly doesn't work for games that require more action oriented control. So, you are pretty much limited to turn based games, if you need the security.
You could do some stuff to thwart the naive user, but probably not everybody. It all depends on how motivated the person is to "attack" your game. At the end of the day, the user could use a javascript debugger to see exactly what your code is doing, and replicate it. Even if you send back every game action, the user could still replicate that. If you aren't careful about what actions the user can do, they may be able to send back actions that would be impossible if they were controlling the game with the default control scheme.
No, there is no way.
What's wrong with sending user actions to the server?
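The approach the answers above describe (the client sends only its actions, the server validates each one and decides victory itself), as an added example that is not part of the original thread. The grid game, its level data and the names `newGame` and `applyAction` are hypothetical; the state object is assumed to live in server-side session storage and is never accepted from the client.

```javascript
// Added example: server-side rules for a hypothetical 5x5 grid game.
// The client submits moves only; the server owns the state and computes victory.
const SIZE = 5;
const WALLS = new Set(['1,0', '1,1', '3,3']); // constructed sample level
const GOAL = { x: 4, y: 4 };
const STEPS = { up: [0, -1], down: [0, 1], left: [-1, 0], right: [1, 0] };

// Create the authoritative state (assumed to be kept in the server-side session).
function newGame() {
  return { x: 0, y: 0, seq: 0, won: false };
}

// Apply one client message to the server-held state. Anything the rules do
// not allow is rejected, and no field in the message can set `won` directly.
function applyAction(state, msg) {
  if (state.won) return { ok: false, error: 'game over' };
  if (typeof msg !== 'object' || msg === null) {
    return { ok: false, error: 'bad message' };
  }
  // The sequence number must be the next expected one (rejects replays and skips).
  if (msg.seq !== state.seq + 1) return { ok: false, error: 'bad sequence' };
  // Only the four named moves exist; own-property check avoids prototype keys.
  const known = Object.prototype.hasOwnProperty.call(STEPS, msg.move);
  if (!known) return { ok: false, error: 'unknown move' };
  const [dx, dy] = STEPS[msg.move];
  const x = state.x + dx;
  const y = state.y + dy;
  if (x < 0 || y < 0 || x >= SIZE || y >= SIZE) {
    return { ok: false, error: 'out of bounds' };
  }
  if (WALLS.has(`${x},${y}`)) return { ok: false, error: 'wall' };
  // The move is legal: commit it and derive the result from the new state.
  state.x = x;
  state.y = y;
  state.seq = msg.seq;
  state.won = x === GOAL.x && y === GOAL.y;
  return { ok: true, x, y, won: state.won };
}
```

A request handler would call `applyAction` with the session's state and the parsed request body, and redirect to the victory page only when the returned `won` is true.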