Zampano

How to prevent manipulation by console commands?


Hi again,

I can't really find much about it, but isn't it right that everyone can manipulate variables and call functions of my game via console and therefore cheat very easily? Is there a general way to avoid that? Because that would be horrible :D


@Zampano, why would that make you say that? If the game is fully on the client side then yeah but again, how could a game like that be competitive? If not, then design your architecture to absolutely never trust the input from the client and simplify it. See the client interface as just a way for them to send you commands, no major logic running there. 


@Zampano, no major mistake. If the cheating player does that, the interface will indeed show 100HP, even if he has 1HP only.

Now, if they get hit once more, they would die, regardless of what they locally have set. That's because the server is what tells the player whether he is dead or not.


Sounds good, but how do I handle it then in the code?
I've got a test file on my server and it doesn't seem to behave like that:

http://media.pixelect.de/SE/t_020617/

You can boost the player by clicking. The player has a certain boost capacity and will fall down if it's used up and have a cooldown. Now if you type player.boost_max = 999999999999 to the console, you can stay in the air like forever...


Zampano, all the tips from rich and nesh108 only cover multiplayer games where there is a server that manages everything.

What this means is that the JavaScript part (the Phaser Game) that is running in the browser has to connect to a program running on a server and act only as the client. (Such a connection could be made via websocket or continuous http request etc.) The server controls the game and only tells the clients what to display and the clients tell the server what the player wants to do. This is much more work than a normal web single player game.

There is no way to stop players in single player client side javascript games from cheating.

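The split described in the replies above, where the client only sends what the player wants to do and the server owns the boost capacity and cooldown, can be sketched as follows. This is an added example, not code from any poster; the class, constants and message names are assumptions, and a real server would call `handle` from its websocket or http handler using its own clock.

```javascript
// Added example; all names are hypothetical. Limits exist only on the server.
const BOOST_MAX = 100;     // capacity in boost units
const DRAIN_PER_S = 60;    // units consumed per second while boosting
const REGEN_PER_S = 25;    // units restored per second once the cooldown ends
const COOLDOWN_MS = 2000;  // lockout after the capacity is used up
class BoostSession {
  constructor(now) {
    this.boost = BOOST_MAX;
    this.boosting = false;
    this.cooldownUntil = 0;
    this.lastTick = now;
  }
  // Advance state with the server's clock; client timestamps are never used.
  tick(now) {
    const prev = this.lastTick;
    this.lastTick = Math.max(prev, now);
    if (this.boosting) {
      this.boost = Math.max(0, this.boost - DRAIN_PER_S * (this.lastTick - prev) / 1000);
      if (this.boost === 0) {          // used up: cooldown starts at this tick
        this.boosting = false;
        this.cooldownUntil = this.lastTick + COOLDOWN_MS;
      }
    } else if (this.lastTick >= this.cooldownUntil) {
      const regenMs = this.lastTick - Math.max(prev, this.cooldownUntil);
      this.boost = Math.min(BOOST_MAX, this.boost + REGEN_PER_S * regenMs / 1000);
    }
  }
  // Only the intent in msg.type is read; state sent by the client is ignored.
  handle(msg, now) {
    this.tick(now);
    const type = msg && typeof msg === "object" ? msg.type : undefined;
    const ready = this.boost > 0 && this.lastTick >= this.cooldownUntil;
    if (type === "boost_start" && ready) this.boosting = true;
    else if (type === "boost_stop") this.boosting = false;
    return { boost: this.boost, boosting: this.boosting, cooldown: this.lastTick < this.cooldownUntil };
  }
}

// Constructed session: a tampered client claims a huge capacity.
function demo() {
  const s = new BoostSession(0);
  s.handle({ type: "boost_start", boost_max: 999999999999 }, 0);
  const mid = s.handle({ type: "ping", boost: 100 }, 1000);
  const empty = s.handle({ type: "ping" }, 2000);
  const denied = s.handle({ type: "boost_start" }, 2500);
  const later = s.handle({ type: "boost_start" }, 5000);
  return { mid, empty, denied, later };
}
```

The object returned by `handle` is what the client would render, so a value edited in the console changes only the local display until the next server update.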

There are lots (and lots) of books and tutorials covering this subject. Time to get Googling and have a read imho.

The Phaser aspect is irrelevant at the moment, what you need right now is to get the basics down and understand how and what the client and server should be asking of each other.


I was able to get a quick overview about the topic and I can work with that. However, due to the concept of my game, an online singleplayer game, it's hard to find specific info on certain aspects. Maybe you've got some more clues for me to go on?

- How would I handle the clients? Would it be better to have the clients handled in one game instance, like in multiplayer games or would I want to set them up in their own instances? Especially with larger numbers of players, I can not really tell, since everything I'm reading seems to handle realtime multiplayer stuff.

- I would need to handle all physics and collisions on the server, right? That would mean I can't rely on the Phaser physics and would need to write my own physics since it doesn't seem to be convenient to have Phaser run on the server end, right?


I think you're over-complicating it for yourself, but again there are quite a few resources of how to (try to) prevent highscore table hacking and the like.

Personally, I'd just build it and worry about it if it becomes an actual issue.


Still, would it in any way be feasible or realistic to have the server do all of the (quite simple) physics or would that be plain impractical as soon as there is a bigger number of players at the same time?

I'm thankful for the advice but at this point I can't really decide if it is worth pursuing further without such information.


There's no way to completely block the JS code from the User on the client-side, however there are a few ways to make it harder for them:

  • Uglify the JS as much as possible, so inspecting the code is (close to) meaningless. IIRC you can even uglify the 'top level' so namespaces are obscured. Someone could still use a 'beautifier' to reformat it all, but with no human-readable var names, comments, etc. it'd be an exercise in patience just to work out how your game works. Honestly if you're publishing a game this is the very least you should do to 'protect' the code.
  • None / little of your code should be publicly accessible from the console anyway. If possible, declare your new Phaser.Game() as a private instance somewhere, that makes it harder for a curious User to inspect the game's current state from the console. 

    IMO it's good practice anyway to make sure you don't extend the window/document object, so it's a good habit to get into. @Zampano just quickly looking at your game, you've declared 'player' as a global variable within Game.js - this is why it's available in the console.

    Maybe you should think about wrapping your .js files with anonymous functions so that all the code within is 'private'. That causes its own problems however, as you still need to expose things like your 'x_player' class globally (or through something like NodeJS imports), so the main Game code can access it later.

 

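The difference between a global `player` and state wrapped in an anonymous function, as discussed in the post above, shown side by side. This is an added example, not code from the thread's game; every name except `player` and `boost_max` is an assumption, and assigning to `globalThis` stands in for a top-level `var` in a browser script. Wrapping narrows what the console can reach; it does not make client-side state trustworthy.

```javascript
// Added example; names other than `player` and `boost_max` are hypothetical.

// Leaky version: in a browser, a top-level `var player` in Game.js becomes
// window.player. Assigning to globalThis models that here.
function loadLeakyGame() {
  globalThis.player = { boost: 100, boost_max: 100 };
  return function refill() {
    globalThis.player.boost = globalThis.player.boost_max;
  };
}

// Wrapped version: state lives in the closure, and the rest of the game code
// only receives a frozen facade with validated methods.
const createGame = (function () {
  const BOOST_MAX = 100;                 // a constant, not a writable property
  return function createGame() {
    const state = { boost: BOOST_MAX };  // private to this closure
    return Object.freeze({
      useBoost(amount) {
        if (!Number.isFinite(amount) || amount <= 0) return state.boost;
        state.boost = Math.max(0, state.boost - amount);
        return state.boost;
      },
      refill() { state.boost = BOOST_MAX; return state.boost; },
      getBoost() { return state.boost; },
    });
  };
})();

function compare() {
  const refillLeaky = loadLeakyGame();
  globalThis.player.boost_max = 999999999999;  // the console edit from the thread
  refillLeaky();
  const leakyBoost = globalThis.player.boost;
  delete globalThis.player;                    // clean up the simulated global

  const game = createGame();
  const wrote = Reflect.set(game, "boost_max", 999999999999); // false: frozen
  game.useBoost(30);
  game.refill();
  return { leakyBoost, wrote, wrappedBoost: game.getBoost(),
           globalPlayer: typeof globalThis.player };
}
```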
