Pantek Library

Re: securing web based game

From: Tim Aranki <tim.aranki(at)dev-quest.com>
Date: Mon Dec 23 2002 - 11:13:09 EST

Hi,
I am assuming that the FPS game is against some AI, and not other players online, is this correct? B/c, if it is real-time (it will definitely be slow over HTTP), then you are sending and receiving a lot of data to the client, and in that case, the easy/secure solution is to have the server determine if a point was made.

My guess is that this is a stand-alone flash game that you would like users to play, and then have the score posted back to your server. This means that in your scenario, the client has a one-time download, and then no communication with the server until the game is completed, correct?

In this case, you are facing the age-old question: "what is secure enough?" That is not a question I can answer for you, as you know best the ramifications of someone cheating on your game. The sessionID/hash that you are talking about is a solution that will stop the casual cheater, but not anyone who knows what they are doing, and has 10 minutes to spare.

The problem you are facing is that any logic you put on the client side is going to be somewhat trivial to hack and leverage against you. This is why online games run off a central gaming server/cluster. Again, your security solution here will depend on "what is secure enough" for you.

-tim

----- Original Message -----
From: "Tomas" <tomasg@extra.lt>
To: <webappsec@securityfocus.com>
Sent: Monday, December 23, 2002 2:31 AM
Subject: Re: securing web based game

> As far as I understood from your post, whenever game runs on a client-side
Received on Mon Dec 23 13:30:12 2002
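
An added example, not part of the original message or any code posted in the thread: a server-side score endpoint illustrating the point in the reply above, that a sessionID/hash check only stops casual tampering, so the server also enforces single-use sessions and plausibility limits. The key, the limits and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Assumed values for this sketch; none of them come from the thread.
CLIENT_KEY = b"key-shipped-inside-the-game-client"  # recoverable by any player
MAX_POINTS_PER_SECOND = 5   # fastest scoring the game design allows
MIN_GAME_SECONDS = 10       # shortest possible complete game

_sessions = {}  # session_id -> {"start": float, "used": bool}


def start_game(now):
    """Issue a single-use session ID when the client starts a game."""
    sid = secrets.token_hex(16)
    _sessions[sid] = {"start": now, "used": False}
    return sid


def client_hash(sid, score):
    """What the game client computes; anyone holding CLIENT_KEY can do the same."""
    msg = f"{sid}:{score}".encode()
    return hmac.new(CLIENT_KEY, msg, hashlib.sha256).hexdigest()


def submit_score(sid, score, digest, now):
    """Return (accepted, reason). The hash is only the first, weakest gate."""
    session = _sessions.get(sid)
    if session is None:
        return False, "unknown session"
    if session["used"]:
        return False, "session already used"   # blocks replayed submissions
    if not hmac.compare_digest(digest, client_hash(sid, score)):
        return False, "bad hash"               # stops casual tampering only
    session["used"] = True                     # one hash-valid submission per game
    elapsed = now - session["start"]
    if elapsed < MIN_GAME_SECONDS:
        return False, "game too short"
    if not 0 <= score <= elapsed * MAX_POINTS_PER_SECOND:
        return False, "score implausible for elapsed time"
    return True, "accepted"
```

The plausibility bounds narrow what a tampered client can claim but do not prove the game was actually played; only server-side scoring, as the reply says, does that.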

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
