Preventing cheating for on-line arcade high score board

Question

I'm going to be developing an online arcade for HTML5/Javascript games written in a to-be-released IDE.

The game will use Ajax requests to the server to record scores when people play these games.

I theoretically have complete control over the design of this, including the mechanics of the code that logs the high scores, game code, everything.

I know it's never impossible to hack client side games such as this or spoof high scores, but I want to make it difficult enough so that anyone competent enough wont be bothered enough to do it (wishful thinking).

I've read:

How can you prevent bogus high scores from appearing on a global high score list?

Which is a slightly different question as this is HTML/JS specific.

My initial idea is that the ajax request checks the source of the request is from the correct location, which is a simple and effective block for most hacking attempts.

Answer 1

As the previous answer stated you cannot trust the client, therefore your best bet is to split a game up into levels of some sort and have the server control level progression. If the server is tracking each client and their progression it can limit the range of scores achievable. This makes it more tedious to cheat as the client has to simulate going through each level and indicate achievement within the correct score range.

Answer 2

Each time you serve the page include a randomly generated key and on the server associate the key with the users session.

pass this key around and manipulate it in obscure ways at various points in your game script.

generate a checksum derived from the score and the manipulated key.

send the checksum to the server along with the score

validate the checksum on the server

obfuscate the script

It won't stop a dedicated hacker though.

Answer 3

Here is one way that is both pretty simple (though not trivial) to implement and very hard to hack and not so simple to hack.

On the server side, have list of let's say 1000 items stored in either text file or database.

Each item will be unique GUID or other unique long string, let's call each item key.

Now, when you send AJAX request send one of those keys as well.. it can be random from the list or by incrementing index it doesn't matter.

Now comes the nice part: after one single "use" of each key (meaning the server got request with that key and responded to it), remove the key from the file/database. If the server get request with key that does not exist in the list, of course throw error or return "no hacking" string.

When the list becomes empty, recreate it with fresh unique keys.

This way the first request with the real key should succeed as usual, but if the user will try calling again to the same request exactly, it will fail. Guessing the keys is also very hard assuming those are long random values.

Like any other way, it's flawed due to depending on client side code that can be spoofed by those who know how. But as it's not common, it will be harder for the common folk to find how this works and hack it.