Question by HarryMcCaffery · Oct 22, 2018 at 02:38 PM · multiplayer, server, web, internet, theory

Validating Server Instances to prevent players fraudulently gaining xp

Not a coding question- more about the theory itself.

When players on a server gain xp, I want to be able to pass that xp gain to my web server and store that increase on there. The code is not the problem; I can write the scripts, but I am trying to figure out how to prevent users from figuring out the web request data that adds xp and abusing it.

My current solution is to verify every request to add xp: (I refer to the unity game as gameserver and my master web server as webserver)

  1. Game server requests verification from web server

  2. Web server returns encrypted, randomly generated code

  3. Game decrypts secret code, appends it to xp addition request, and sends data to webserver re-encrypted

  4. Webserver decrypts data sent and verifies the request's secret code, and passes/fails accordingly.

Is this the best implementation?

It works because only the game and server have an encryption key, and a code MUST be obtained from the server, but I'm sure there are better ways. Thanks.


2 Replies

Best Answer

Answer by Bunny83 · Oct 22, 2018 at 05:17 PM

Sorry but if the XP is actually generated by a process / calculation on the client and just told to the server there is no way to prevent cheating, only to make it a bit more difficult. The only reliable way is to have the xp generating code running on the server. There are other ways to make it more difficult to cheat by having the server "supervise" the process of generating xp and doing validation in parallel on the server.


For example there's this famous flash tower defence game called onslaught2. At least at the time I was playing, when you submit the highscore to the server you're not only sending the final score but almost everything about your whole game. Where, which towers have been placed, how much money has been spent, how long the game took, ... The server may do some automated plausibility checks or they are checked by hand if suspicious results have been posted. Though most likely the majority of the top scores have been faked. (The april fools one is obvious, kills and money spent is the max signed integer value 0x7FFFFFFF).


So it doesn't really matter how much effort you put into obfuscating the values that are sent to your server, you can never be sure that they haven't been manipulated. Any server communication can be listened to. Any client side code can be reverse engineered / decompiled or manipulated.


If you really want to run the game server instances on a client, you have to give the server some "hints" it can track and verify that the submission is legit. As I said it can still be faked but makes it harder. Just as an example if all major game events of a match are sent to the server in realtime, the server can check the plausibility of those events and can set proper bounds for possible xp increases. Though this would require that your server tracks every game from start to finish.


Manually requesting an encryption code from the server is pretty pointless. Just use HTTPS and you get communication security for free. If your game is a webgl game that doesn't help either ^^. Firefox has fantastic network analysis tools built-in which let you inspect and log each and every request.


Since this is all just security through obscurity there is no "best way" since all those ways are bad / not secure.
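
The server-side bound on XP described in the answer above, sketched as an added example that is not part of the original post. The event names, XP values and rate limit are assumptions chosen for illustration; the web server builds the match record from events it received in real time and never trusts the total the game reports.

```python
from dataclasses import dataclass, field

# Hypothetical XP values per event type; a real game defines its own table.
XP_PER_EVENT = {"kill": 50, "assist": 20, "objective": 100}
MAX_EVENTS_PER_SECOND = 2.0   # assumed upper limit on how fast events can occur


@dataclass
class MatchRecord:
    """Server-side record of one match, built from events streamed in real time."""
    started_at: float
    events: list = field(default_factory=list)   # (timestamp, event_type) pairs

    def record(self, timestamp: float, event_type: str) -> bool:
        """Store an event only if its type is known and it is in chronological order."""
        if event_type not in XP_PER_EVENT:
            return False
        last = self.events[-1][0] if self.events else self.started_at
        if timestamp < last:
            return False
        self.events.append((timestamp, event_type))
        return True

    def xp_upper_bound(self, ended_at: float) -> int:
        """Most XP the recorded events can justify, capped by the event-rate limit."""
        duration = max(ended_at - self.started_at, 0.0)
        allowed = int(duration * MAX_EVENTS_PER_SECOND)
        # If more events were logged than the rate allows, count only the best ones.
        values = sorted((XP_PER_EVENT[t] for _, t in self.events), reverse=True)
        return sum(values[:allowed])


def check_submission(match: MatchRecord, ended_at: float, claimed_xp) -> bool:
    """Accept a claimed XP gain only if it fits inside the tracked bound."""
    if isinstance(claimed_xp, bool) or not isinstance(claimed_xp, int):
        return False
    return 0 <= claimed_xp <= match.xp_upper_bound(ended_at)


# Constructed sample: a 60-second match with three tracked events.
sample_match = MatchRecord(started_at=0.0)
for ts, kind in [(5.0, "kill"), (20.0, "assist"), (41.5, "objective")]:
    sample_match.record(ts, kind)
```
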

HarryMcCaffery · Oct 23, 2018 at 06:00 AM

I definitely plan on executing all the xp calculation on servers hosted by me, only accessible by me. I was just referring to the communication between the account server and game server.

Never trust a client.

Thanks for the Answer, -Harry

Bunny83 (in reply to HarryMcCaffery) · Oct 23, 2018 at 08:56 AM

Sorry but it wasn't clear that you provide dedicated server(s) run by yourself. This is of course a different case. However you don't need such a complicated request mechanism. If both servers are run by yourself it's almost impossible someone could intercept the communication between those two servers. So all you need is a fixed authentication key (that is long enough) that the gameserver uses to authenticate itself to your web interface. In addition you could use an encryption key that both servers know to encrypt the payload of the message. Though this usually isn't necessary since when using https the datastream is already encrypted. So the only way someone could figure out the authentication key (and the actual web server endpoint) is to get direct access to either your webserver or your game server.


I'm just a bit confused by your statement

"I refer to the unity game as gameserver"

That makes me think you have client hosted servers.
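
The fixed authentication key from the comment above, sketched from the web server's side as an added example that is not part of the original thread. The `XpEndpoint` class, the `Authorization: Bearer` header and the choice to store only a SHA-256 digest of the key are assumptions; the HTTPS transport the comment relies on is not shown.

```python
import hashlib
import hmac
import secrets


def new_gameserver_key() -> str:
    """Generate a long random key once and install it on the game server."""
    return secrets.token_urlsafe(32)   # 256 bits of randomness


def key_digest(key: str) -> bytes:
    """Assumption: the web server keeps only this digest, not the key itself."""
    return hashlib.sha256(key.encode("utf-8")).digest()


class XpEndpoint:
    """Hypothetical web-server handler for XP updates sent by the game server."""

    def __init__(self, stored_digest: bytes):
        self._stored_digest = stored_digest
        self.xp = {}   # account id -> total XP (stands in for the database)

    def _authenticated(self, headers: dict) -> bool:
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not presented:
            return False
        # Constant-time comparison, so response timing does not leak the key.
        return hmac.compare_digest(key_digest(presented), self._stored_digest)

    def handle(self, headers: dict, body: dict) -> int:
        """Return an HTTP-style status code for one XP request."""
        if not self._authenticated(headers):
            return 401
        account, amount = body.get("account"), body.get("xp")
        if not isinstance(account, str) or type(amount) is not int or amount <= 0:
            return 400
        self.xp[account] = self.xp.get(account, 0) + amount
        return 200


# Constructed sample: the key is provisioned to both servers out of band.
GAMESERVER_KEY = new_gameserver_key()
endpoint = XpEndpoint(key_digest(GAMESERVER_KEY))
```
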


Answer by HarryMcCaffery · Oct 23, 2018 at 04:41 PM

No problem, sorry. I wasn't sure how safe https was alone.
