3

First of all, I understand this question might be off topic and not in scope of stackoverflow but I still decided to ask since I don't know any other better place.

My question is, if I make an online game based on game engines written in javascript eg CreateJS. The game code is going to be run on the clients machine and since javascript is interpreted, it is viewable by the client.

So if a mutliplayer game is being made where users can compete against each other, what measure are taken to prevent cheating. I'm asking because since the game source is viewable, anyone can simple modify the game source and potentially cheat.

Edit: For the idea of the game, lets make one up which is very simple. Imagine we are making a game like FlappyBird or a game where the further you go in a linear map, the more point you stack up.

At the end of the game, your score is submited via a http request.

Now what is stopping a user from editing the game which causes the points to stack up 10x faster? causing a higher score to be submited?

Edit 2: Or what is stopping the users from submitting a request containing false scores via cURL without ever having to play the game?

Improve this question
6
  • It depends on the game style... Explain better your project please Commented Jun 30, 2014 at 6:57
  • 2
    any game that runs on the client's machine can be modified for cheating. Commented Jun 30, 2014 at 6:58
  • This is not JavaScript related. And you already said it doesn't belong here, there's: security.stackexchange.com Commented Jun 30, 2014 at 6:59
  • "Now what is stopping a user from editing the game which causes the points to stack up 10x faster? causing a higher score to be submited?". You argue on the wrong level. What keeps me from directly sending the score (e.g. via curl) without playing your game? Commented Jun 30, 2014 at 7:02
  • @Prinzhorn yes you can do that also, Ill add it to the question Commented Jun 30, 2014 at 7:03

3 Answers 3

Reset to default
2

Multiplayer games prevent cheating usually by simply verifying the game steps, rather than just the complete game output. Since all other players need to know what other players do, you will have to tell the server every step of the way and let the server "simulate" the game and check if these steps are actually valid or not. The only way to cheat in this case is by writing an AI in your browser that will then produce a feasible set of steps coming to a good result.

You also will have to send these player steps to everyone else. Since in a continuous environment players can perform so many actions per second (e.g. move and turn), you want to make sure to minimize the amount of updates to be sent. E.g. when walking in a straight line, World of Warcraft,for example, only sends an update every 500ms. They might also do not necessarily simulate and verify every single step you take, but only every X steps to avoid people running through walls or jumping over entire buildings etc.

Please note that any fast-paced game will not work well when using AJAX calls. Just setting up a connection can take many times as long as just sending a packet through an established connection. That is why you want to use Websockets in that case.

Of course, minifying and obfuscating your code will put some stones in the ways of a cheater, but depending on the vulnerabilities of your system, they might do very little, since it is usually very easy to find the code that takes care of sending and receiving packets or other core aspects of your game, no matter how well obfuscated it is.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Encrypting score client-side won't change anything if you just have to look at the source code to reproduce this encryption and the key.
This sort of encryption thins out the "score space". Not every score is valid, and unless you know some intrinsic details about the game, you are unable to produce the correct set of all feasible scores.
1

Since you cannot believe your clients, you should make an authoritative server and dumb clients model;

That articles are full of gems for who want implements an multiplayer game

the game state is managed by the server alone. Clients send their actions to the server. The server updates the game state periodically, and then sends the new game state back to clients, who just render it on the screen.

From your point of view, what happened is that you pressed the right arrow but nothing happened for a tenth of a second; then your character finally moved one square to the right. This perceived lag between your inputs and its consequences may not sound like much, but it’s noticeable – and of course, a lag of half a second isn’t just noticeable, it actually makes the game unplayable.

So you must implement a Client-side prediction and a Server reconciliation

Improve this answer

5 Comments

This sounds close to what "big" MMO games do (you lag = nothing happens, then a lot of stuff happens very fast when the client updates itself)
You only need prediction when working in continuous spaces. When working with discrete spaces (i.e. tile-based worlds etc.), you don't need to continuously synchronize and you don't need the server to correct your game steps (or "game deltas").
The main concept never change, clients only call for a command, and only the server have the authority to change the state of game
As I said in my answers, you don't need that for simple games. You can just let the server verify whether your set of steps through the game were valid and reject them if not.
The articles you've linked are pretty good actually! I like your answer +1
1

If you develop a "multiplayer" based game, than you should persist the data on a server, centralized, accessed by ajax within your game.

And you're right, someone could potentially "cheat" by overwriting your code with firebug for example or Greasemonkey before you send your data via a http request (ajax).

In order to prevent this you could load your ajax code for saving data dynamically. You can only prevent it by making it more difficult to overwrite your code. Use for example one-way-token in a virtual session, like the token used in OAuth, like a ticket for a ajax-call. Every other call without the right token should be refuted.

Improve this answer

1 Comment

Then you just have to change some variables using a debugger and wait for the next call.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.