How to make secured online scoreboard?

[thehtml5dev]

Hi everybody,

Right now I'm developing an HTML5 game which includes online scoreboard. I need to send data like user name, user id and a score itself. The problem there is how to make it secure since any data in http get/post can be changed on the fly. Unfortunately, playing the whole game on server side is not a solution in my case. Links to any tutorials and examples are highly appreciated!

Best wishes

[mattstyles]

Using https gets you a long way towards making it more secure, this doesn't really stop people from 'cheating' their score if they inspect network calls and then try to fake one with an absurdly high score, hence why most online scoreboards for games are garbage.

You could try some other steps like 'initialising' a session when the client hits the 'play a game' button, this would send off a request to the server which responds with an id, you store the id and the time initiated on the server and when you get a 'post this score' request to the server you could try cross-referencing the time with the init time and see if there has even been enough time to accrue such a score, you could even try posting (using that id) during the session (i.e. at the end of each level) to see if that session has a 'reasonable' play time and progression for the given score. Not completely foolproof of course but would make it very tricky to 'fool' the system.

[Antriel]

Without authoritative server, you can only get so far.
You need to hide the score value in memory and apply some sort of encryption when sending the values. That's all just obfuscation though and won't stop anyone (though it should make it difficult enough so it doesn't happen).

Hiding the score value means something like scattering it over multiple places in various forms, to prevent it being easily changeable in CheatEngine (or any other memory hacks). 

Encrypting the sent data could be sending alongside the score also salted hash of it, where the salt calculated and never kept in the memory for long and its generation is heavily obfuscated.

Even with all that, it's still quite simple to find where the score is applied to the salt and then sent, so with the right breakpoint in debugger, cheater could still change it relatively easily. Maybe some sort of clever math function so that the actual score value won't be ever used directly (rather calculated from different sources, where you can check if the resulting value is valid). But that still only makes it a bit harder, not impossible.