Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re^3: A question about web service security

by dHarry (Abbot)
on Aug 05, 2011 at 14:46 UTC ( #918786=note: print w/ replies, xml ) Need Help??


in reply to Re^2: A question about web service security
in thread A question about web service security

It's impractical to interact with server side for every mouth movement/click in a mouth movement/click intensive web game...

Of course it is and I didn't suggested to follow that approach! I assume you keep some sort of state and after finishing a task communicate it to the web server.


Comment on Re^3: A question about web service security
Re^4: A question about web service security
by PerlOnTheWay (Scribe) on Aug 05, 2011 at 15:04 UTC
    The problem rises when you are doing the report, there's no way to check whether it's telling the truth .

      Then you might well have to run a client in the browser. JS / Flash perhaps?

      Of course not. Anybody can always send anything. You can either make sure nothing they can send can be a lie (by not letting them say various things), or accept that your results are full of lies.

      In this case, it sounds well backward that you're somehow letting the client tell you "+/- X refos" rather than "task X completed". But of course how can you be sure that the task is actually completed? Only by calculating it on trusted code (i.e., the server).

      That doesn't mean you have to do it real-time, and it doesn't mean it has to be synchronous either. You could do it on the client, and then at the end roll up all the "things the user did" and send them to the server to double-check. Or send stuff as you go along, but assume it's correct before waiting for the server's response, and only rolling back if the server tells you "no, you're lying".

      But no matter what you do, you can't get around the law:

      Never put anything on the client. The client is in the hands of the enemy. Never ever ever forget this.

      Anything code you're running on the user's machine knows, the user knows. Anything it can send to you, the user can send to you, whenever and however often they want. You can try to make it "not worth their time" to do so, but unless you do it by "making nobody care about the results" (which is generally not what you want ;), it's an arms race you're going to lose.

        I doubt there's a single web game(with lots of mouth movement/clicks) that doesn't put anything on the client.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://918786]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (9)
As of 2014-10-31 13:36 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (217 votes), past polls