
html - Stop user's executing JavaScript from console - Stack Overflow


I've been mucking around creating a little multiplayer game using HTML5 technologies. I used Node.js and Socket.IO to manage server-side business.

My problem lies in users being able to enter in their own JavaScript through the Chrome console (and various other consoles im sure). For example, a user might enter this into the console:

socket.emit("new player", {user: username, x: localPlayer.getX(), y: localPlayer.getY()});

This would add a new player to the game. What is the best way I should go about stopping this? Is there a way I can catch these entries and simple deny them (followed by slapping the user around the face)? It would be also good if I could stop them editing things like the GUI by changing variables, eg:

gameStatus = "trolled lol troll client-side editing lol";

Thanks, Joel

asked May 19, 2013 at 18:42 by jskidd3; edited May 19, 2013 at 18:43 by karthikr
  • 6 You can't. You can never trust anything that comes from a client. You need to validate everything on the server. – SLaks Commented May 19, 2013 at 18:44
  • 1 @SLaks I think the user is asking how to distinguish requests sent to the server by his script and script written by someone into a console. – user1726343 Commented May 19, 2013 at 18:45
  • 3 @Asad: Exactly. That's totally impossible. – SLaks Commented May 19, 2013 at 18:45
  • @SLaks So how would you correct the problem? – user1726343 Commented May 19, 2013 at 18:46
  • 1 en.wikipedia.org/wiki/Cheating_in_online_games – SLaks Commented May 19, 2013 at 18:47

3 Answers

Top answer (score 12)

You cannot do that.

You can never trust anything that comes from a client.
Even if you could somehow affect the console from your page, an attacker could write his own web browser (read: fork Chromium) and bypass your restrictions.
Or the attacker could simply handcraft HTTP requests without any browser at all.

Instead, you need to validate everything on the server.
Whenever any client does something, the server needs to check whether that client is actually allowed to do that.

As noted by SLaks, there's no way to prevent someone from hacking, and it's even more true for a JavaScript/HTML client, as it is easier. There are ways to discourage it or make it harder though, as I said in my comment. I am posting more suggestions:

  1. Obfuscate your JavaScript code.
  2. Use an encryption method and encrypt all your requests to your server before sending them, using a key (make it hard to find the key).
  3. Decrypt your request on the server side using the same encryption method and key as in the JavaScript client.

What we mean about not trusting what comes from the client side is doing exactly what you do when you create a form. You usually check the POST method, the session, and a unique token unrelated to the meaningful data you are sending - usually a hidden text input created on the server side and checked when the form is submitted. Search for "validating and sanitizing forms". On top of this you should encrypt the data before sending so it won't be possible to rebuild the structure using the network tab in Chrome or Firebug, or even a proper traffic analyser.
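Added example, not code from the question or from any of the answers above: the kind of server-side check the top answer asks for ("the server needs to check whether that client is actually allowed to do that"), applied to the exact `socket.emit("new player", ...)` call from the question, and also what the last answer means by a server-created identifier the client cannot forge: players are keyed by the connection id the server assigned at connect time, never by the `user`, `x` or `y` fields in the payload. It is plain Node.js with no Socket.IO dependency so it runs offline; the Socket.IO wiring is sketched in a comment. The arena size, speed limit, username rule and the `move` event are assumptions made for the illustration.

```javascript
// Server-authoritative game state. Everything the client sends is treated as
// a proposal that the server accepts or rejects; nothing in the payload is
// used as identity. Constants below are assumptions for this example.
const WORLD = { width: 800, height: 600 };  // assumed arena size, in px
const MAX_SPEED = 300;                       // assumed max speed, px per second
const USERNAME_RE = /^[A-Za-z0-9_]{3,16}$/;  // assumed allowed usernames

class GameServer {
  // `now` is injectable so the rate check can be driven by a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.players = new Map(); // socketId (server-assigned) -> player record
    this.names = new Set();   // usernames currently in use
  }

  // "new player": one player per connection, validated name, and the spawn
  // point is chosen by the server. Any x/y in the payload is ignored, so the
  // console call from the question cannot place a player anywhere it likes.
  handleNewPlayer(socketId, payload) {
    if (this.players.has(socketId)) return { ok: false, reason: 'already joined' };
    const user = payload && payload.user;
    if (typeof user !== 'string' || !USERNAME_RE.test(user)) {
      return { ok: false, reason: 'bad username' };
    }
    if (this.names.has(user)) return { ok: false, reason: 'name taken' };
    const player = { user, x: WORLD.width / 2, y: WORLD.height / 2, lastMove: this.now() };
    this.players.set(socketId, player);
    this.names.add(user);
    return { ok: true, player: { ...player } };
  }

  // "move": the client proposes a position; the server accepts it only if it
  // is numeric, inside the arena, and reachable at MAX_SPEED since the last
  // accepted move. A client that edits its own variables gains nothing here.
  handleMove(socketId, payload) {
    const p = this.players.get(socketId);
    if (!p) return { ok: false, reason: 'not joined' };
    const x = payload && payload.x;
    const y = payload && payload.y;
    if (typeof x !== 'number' || typeof y !== 'number' ||
        !Number.isFinite(x) || !Number.isFinite(y)) {
      return { ok: false, reason: 'bad coordinates' };
    }
    if (x < 0 || y < 0 || x > WORLD.width || y > WORLD.height) {
      return { ok: false, reason: 'out of bounds' };
    }
    const t = this.now();
    const dt = Math.max((t - p.lastMove) / 1000, 0.001); // seconds, never zero
    const dist = Math.hypot(x - p.x, y - p.y);
    if (dist / dt > MAX_SPEED) return { ok: false, reason: 'too fast' };
    p.x = x; p.y = y; p.lastMove = t;
    return { ok: true, player: { ...p } };
  }

  // Free the name when the connection goes away.
  handleDisconnect(socketId) {
    const p = this.players.get(socketId);
    if (p) { this.names.delete(p.user); this.players.delete(socketId); }
  }
}

// Replays the attack from the question against one connection: a legitimate
// join, then a second forged "new player" from the same console, then a
// teleport. Returns the server's verdicts in order.
function demoConsoleAttack() {
  const clock = { t: 1000 };
  const game = new GameServer(() => clock.t);
  const out = [];
  out.push(game.handleNewPlayer('sock-1', { user: 'joel', x: 9999, y: 9999 }).ok ? 'joined' : 'rejected');
  out.push(game.handleNewPlayer('sock-1', { user: 'troll', x: 1, y: 1 }).reason);
  clock.t = 1100;                                                   // 0.1 s later
  out.push(game.handleMove('sock-1', { x: 700, y: 300 }).reason);   // 300 px in 0.1 s
  return out; // ['joined', 'already joined', 'too fast']
}

// Socket.IO wiring sketch (not executed in this file):
//   const game = new GameServer();
//   io.on('connection', socket => {
//     socket.on('new player', data => {
//       const r = game.handleNewPlayer(socket.id, data);   // socket.id is server-assigned
//       if (!r.ok) return socket.emit('rejected', r.reason);
//       io.emit('player joined', r.player);
//     });
//     socket.on('move', data => { /* same pattern with game.handleMove */ });
//     socket.on('disconnect', () => game.handleDisconnect(socket.id));
//   });
```

The design point is that the client never tells the server who it is or where it is allowed to be; the server already knows both from the connection it accepted, and the payload only carries a request that the server can check against its own state. Obfuscating or encrypting the client does not change this: a user who can open the console can also read whatever key the client holds.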
