php - How to make a secure game in javascript?

Question

I'm working on games using javascript some html and css, and I was wondering if there was any way to secure the game so that the user can't just call game.php?result=victory to finish the game and earn some point.

As of right now here are the solution I have.

• For a chance game, start the page with the result already in place, win or loose, then just do some animations to show it, but all the score and win/loose stuff is done server-side.

• For a battle game, just get the action from the javascript call, and do the damage calculation, reaction of the oponent on the server and just send back the data.

but the last solution imply that I will have to send actions each time the user do anything. This might work for a turn by turn battle game, but I think it would be to slow for any other kind of game. So my question is, is there some kind of secure way I can prep my javascript to secure the infomation sent.

Answer 1

The only way to make it secure it to have all the calculation and validation occur on the server side. That's how it's done on pretty much all online games. The client can never be trusted in online communication and you must always make sure on the server side that the user is actually doing something valid. (In theory anyway, in practice you have to trust the client somewhat for lag compensation and offloading some noncritical stuff to the client side).

For this reason, javascript is not a very good language for developing an online game, as every action does need to be processed and validated by the server. For other programming languages it is not such a huge problem, because you can build your own communication protocols using TCP/IP for the server and the client. However, for javascript there is no such possibility, because you must rely on the HTTP protocol and the XMLHTTPRequest handlers, which make for a very inefficient live client-server communication.

Like you said, you can always do the interface in javascript, but for security, you still need to perform plenty of stuff on the server side and this certainly doesn't work for games that require more action oriented control. So, you are pretty much limited to turn based games, if you need the security.