in reply to Re^4: A question about web service security
in thread A question about web service security

Of course not. Anybody can always send anything. You can either make sure nothing they can send can be a lie (by not letting them say various things), or accept that your results are full of lies.

In this case, it sounds well backward that you're somehow letting the client tell you "+/- X refos" rather than "task X completed". But of course how can you be sure that the task is actually completed? Only by calculating it on trusted code (i.e., the server).

That doesn't mean you have to do it real-time, and it doesn't mean it has to be synchronous either. You could do it on the client, and then at the end roll up all the "things the user did" and send them to the server to double-check. Or send stuff as you go along, but assume it's correct before waiting for the server's response, and only rolling back if the server tells you "no, you're lying".

But no matter what you do, you can't get around the law:

Never put anything on the client. The client is in the hands of the enemy. Never ever ever forget this.

Anything code you're running on the user's machine knows, the user knows. Anything it can send to you, the user can send to you, whenever and however often they want. You can try to make it "not worth their time" to do so, but unless you do it by "making nobody care about the results" (which is generally not what you want ;), it's an arms race you're going to lose.

  • Comment on Re^5: A question about web service security

Replies are listed 'Best First'.
Re^6: A question about web service security
by PerlOnTheWay (Monk) on Aug 05, 2011 at 16:43 UTC
    I doubt there's a single web game(with lots of mouth movement/clicks) that doesn't put anything on the client.

      fullermd is exactly right about your problem. As long as you trust the client you you have a security hole. This is not unique to web games.

      The issue about it coming your page is irrelevant: when it's MY browser, it is trivial for me to to inject my javascript in YOUR page (I do this routinely). What you really want to do is detect if they're running ONLY your javascript and you can't do that remotely. Heck, I'll just call your function to gimme_refos() and have the high score in no time.

      I suspect that most "web games with lots of mouse clicks" don't worry about site wide high score tables for exactly this reason.