Server and security

General discussion about LÖVE, Lua, game development, puns, and unicorns.
User avatar
SuperZazu
Citizen
Posts: 56
Joined: Sun Jun 10, 2012 2:06 pm
Location: France
Contact:

Server and security

Post by SuperZazu »

Hello all :)

For my next game, I plan on storing high-scores online, on my webserver. It works like this: when I want to add a score to the online database, I just have to make an HTTP request with some parameters ("score", "username"...).
Everything works. However, anyone could just look at the source and send custom HTTP requests to the server; that means everyone could cheat and send fake scores... How could I avoid that ?

Have a good day,
-- superzazu
User avatar
cohadar
Prole
Posts: 25
Joined: Mon May 04, 2015 5:46 am
Contact:

Re: Server and security

Post by cohadar »

You can't, and it has nothing to do with open-source.
Basically you have untrusted clients and encryption does not provide trust, just communication safety.

Even Blizzard cannot do this, and they have waaay more resources than you.
Unless of course you want to force your users to install "monitoring/protection" software alongside your game.

May I suggest alternative idea:
Instead of high scores, make an achievements API.
That way people have no incentive to cheat, and even if they do, they just lie to themselves.
User avatar
ivan
Party member
Posts: 1915
Joined: Fri Mar 07, 2008 1:39 pm
Contact:

Re: Server and security

Post by ivan »

As cohadar said, it's not a question of making it 'impossible' to cheat - just make it not worth it.
For anonymous hiscores, you can store the IP for each entry and ignore repeated request from that IP for 4-5 minutes.
Last edited by ivan on Wed May 13, 2015 7:45 am, edited 1 time in total.
User avatar
I~=Spam
Party member
Posts: 206
Joined: Fri Dec 14, 2012 11:59 pm

Re: Server and security

Post by I~=Spam »

If it still matters to you one thing you could try is moving some of that code to c/c++ and only distribute the binary form that way it is harder to discover how the scores are sent. But even still you cannot absolutely guarantee that the high scores sent are real.
My Tox ID: 0F1FB9170B94694A90FBCF6C4DDBDB9F58A9E4CDD0B4267E50BF9CDD62A0F947E376C5482610
User avatar
SuperZazu
Citizen
Posts: 56
Joined: Sun Jun 10, 2012 2:06 pm
Location: France
Contact:

Re: Server and security

Post by SuperZazu »

Thank you for your answers ! :-)
User avatar
T-Bone
Inner party member
Posts: 1492
Joined: Thu Jun 09, 2011 9:03 am

Re: Server and security

Post by T-Bone »

For some games, I guess instead of sending the scores you could just send all user input, and then the server simulates the game and calculates the score. That way, a cheater must still "play" (although they may do so by scripting). May not be feasible for complex games, and is almost certainly not worth it, but it could be fun to implement.
User avatar
kikito
Inner party member
Posts: 3153
Joined: Sat Oct 03, 2009 5:22 pm
Location: Madrid, Spain
Contact:

Re: Server and security

Post by kikito »

The simplest way I know for ensuring that highscores are real is that the server knows some game logic.

For example, if you know that level 1's max theoretical score is 1000, then if anyone sends you 10000, that's a fake and you can discard it.

If it takes at least 30 seconds to complete a level and you get two request with the same user id and ip address in less than 30 seconds, you can discard both requests.

You can make the game send you one score per level instead of just one score at the end. If someone sends you a score for level 9 but not for level 8, 7, 6 ... etc, with appropriate rules for each one, you can discard that request too.

You can also put ip addresses into "ice boxes". The first time you detect they sent you bad stuff, you ignore all their request for 1 minute. If they send you bad stuff during that minute, you ignore them for the next 10 minutes. Then 1 hour. Then 2 hours. Then 10 hours. Etc. Until they stop. Some people will play from subnetworks so their public addresses might collide, so you might want to combine the ip address with something else, like the user id or a random id that you create in the game.

All this is not bullet-proof, but it should deter the "obvious" attempts. And it's more straightforward than encryption, which is very tricky. Still, it will take a non-trivial amount of time to implement all of this in the server. I would wait until I had at least a nice beta version of the game working, before starting any of this.
When I write def I mean function.
User avatar
Inny
Party member
Posts: 652
Joined: Fri Jan 30, 2009 3:41 am
Location: New York

Re: Server and security

Post by Inny »

In my experience, releasing the game on the love2d.org forums and simply stating what a regular score at the end should be, gets you pretty legit scores posted by everyone who played it. Sometimes with screenshots.
User avatar
T-Bone
Inner party member
Posts: 1492
Joined: Thu Jun 09, 2011 9:03 am

Re: Server and security

Post by T-Bone »

Inny, your note about screenshots gave me an idea: The client could take a screenshot and send it to the server, which could then use image analysis tools to determine if it seems legit or not. While this can obviously be fooled as well, it could make some things very difficult to do. It could be pretty hard to know what the latter levels are going to look like without playing your way there.
User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: Server and security

Post by Robin »

T-Bone wrote:Inny, your note about screenshots gave me an idea: The client could take a screenshot and send it to the server, which could then use image analysis tools to determine if it seems legit or not.
The image analysis tool would likely be harder to write than something breaking that same tool.
Help us help you: attach a .love.
Post Reply

Who is online

Users browsing this forum: No registered users and 16 guests