How to make a secure game in javascript?

Question

I'm working on games using javascript some html and css, and I was wondering if there was any way to secure the game so that the user can't just call game.php?result=victory to finish the game and earn some point.

As of right now here are the solution I have.

• For a chance game, start the page with the result already in place, win or loose, then just do some animations to show it, but all the score and win/loose stuff is done server-side.

• For a battle game, just get the action from the javascript call, and do the damage calculation, reaction of the oponent on the server and just send back the data.

but the last solution imply that I will have to send actions each time the user do anything. This might work for a turn by turn battle game, but I think it would be to slow for any other kind of game. So my question is, is there some kind of secure way I can prep my javascript to secure the infomation sent.

Answer 1

You could do some stuff to thwart the naive user, but probably not everybody. It all depends on how motivated the person is to "attack" your game. At the end of the day, the user could use a javascript debugger to see exactly what your code is doing, and replicate it. Even if you send back every game action, the user could still replicate that. If you aren't careful about what actions the user can do, they may be able to send back actions that would be impossible if they were controlling the game with the default control scheme.

Answer 2

There should be no URL for victory. During the game, the client should send the user actions, and if they've won, the server redirects them to the victory page.

No calculating/rewarding should be done on the victory page, if any.

Answer 3

The only way to make it secure it to have all the calculation and validation occur on the server side. That's how it's done on pretty much all online games. The client can never be trusted in online communication and you must always make sure on the server side that the user is actually doing something valid. (In theory anyway, in practice you have to trust the client somewhat for lag compensation and offloading some noncritical stuff to the client side).

For this reason, javascript is not a very good language for developing an online game, as every action does need to be processed and validated by the server. For other programming languages it is not such a huge problem, because you can build your own communication protocols using TCP/IP for the server and the client. However, for javascript there is no such possibility, because you must rely on the HTTP protocol and the XMLHTTPRequest handlers, which make for a very inefficient live client-server communication.

Like you said, you can always do the interface in javascript, but for security, you still need to perform plenty of stuff on the server side and this certainly doesn't work for games that require more action oriented control. So, you are pretty much limited to turn based games, if you need the security.