Hello Friends :) I know I have been off for a while. Anyways, I am kind of stuck in a problem and I need help from humans 'cause search engine seems to fail to answer my query or maybe I am forging it wrong.

So, my question is:
I have got this game using JavaScript and Canvas. All the game logic is in JavaScript and it's working nicely. But I have been demanded to make a game with which user can bet and win money.
So, first thing is to handle things securely so that no hacker can tamper with game logic (using built-in debuggers) and win the game using unfair means.
Secondly, I am looking for a way with which these logics can be implemented in the Server-End using PHP so that I get a better security.
Is there a way with which I can achieve the required level of security? Any little help will also be very helpful. Kindly share your ideas :) :) :)

Thanks & Regards
Tushar Srivastava #TS

1 solution

There is no way to stop the user from viewing/debugging your JS code.

You can obfuscate and minimise your code to make it harder to read but harder is not impossible.

The only way to ensure the security of such a game is to make sure all the decisions about awards are done server side.

Suggesting how to do this without understanding the logic of the game is difficult.

But to provide an example. Think about a slot machine game. You pull the virtual lever, the wheels start spinning and then they stop. The probability of which slots they land on must be server controlled. The amount to award as a prize must be server controlled. The client should become a simple input/output interface with all the logic running on a server. This can make some types of games difficult to produce whilst maintaining security.

The client should only be able to pass a single action to the server. The server must validate the action as valid based on the current state of the game instance. The result is then returned to the client.

At no point should the client be responsible for making any type of decision about prize awards.
 
 
Comments
Er. Tushar Srivastava 5-Mar-15 6:15am    
Sir, Great Answer :) I just need a quick info. If the game is Tetris. Then can we elaborate as to how game logic can be controlled on server end without creating a time lag.
Stephen Hewison 10-Mar-15 15:55pm    
If the game is Tetris. I would issue the type of piece from the server. I would then get the client to report its end position including any lines believed to be complete. (This verification could be asynchronous assuming all moves are audited before the prize is awarded). I would check on the server to make sure the final position and the lines removed were valid for the current board state. I would also put a limit on the time slippage so a user couldn't take longer to position pieces than should be allowed. Although you may need to allow some leniency here to make the game playable.
Stephen Hewison 10-Mar-15 15:57pm    
To avoid a time lag, each request from the server could issue a queue of next pieces. I would then issue an update to the queue with each move so you'd have, for instance, up to 5 moves to complete a server request before a lag is introduced.
Er. Tushar Srivastava 17-Apr-15 7:57am    
Thank you very much for this great info. Now I can see beyond the horizon. Thank you very much.
Er. Tushar Srivastava 5-Mar-15 6:17am    
BTW, how can we implement Abstract Syntax Tree based obfuscation. If you have some reference that will be very helpful :) :) :)
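
The server-side Tetris check described in the solution's comments, as an added example that is not part of the original thread. It assumes server-side JavaScript (for instance Node.js) rather than PHP; every name, the board size and the time limits are hypothetical, rotation and drop-path reachability are left out, and the piece queue is assumed to be filled only by the server.

```javascript
// Added example: server-side check of one reported Tetris move.
// Shapes are cell offsets [dx, dy]; rotation is omitted to keep it short.
const SHAPES = { O: [[0, 0], [1, 0], [0, 1], [1, 1]], I: [[0, 0], [1, 0], [2, 0], [3, 0]] };
const COLS = 4, ROWS = 6, MAX_MOVE_MS = 5000, LENIENCY_MS = 500; // assumed values

// queue holds the pieces the server has issued (chosen with a CSPRNG in production).
function newGame(queue, now) {
  const board = Array.from({ length: ROWS }, () => Array(COLS).fill(0));
  return { board, queue: [...queue], issuedAt: now, lines: 0 };
}

// move = { piece, x, y, claimedLines } as reported by the client; y grows downward.
function validateMove(game, move, now) {
  const reject = (reason) => ({ ok: false, reason });
  if (!game.queue.length || move.piece !== game.queue[0]) return reject('piece was not issued by server');
  if (now - game.issuedAt > MAX_MOVE_MS + LENIENCY_MS) return reject('move took too long');
  const cells = SHAPES[move.piece].map(([dx, dy]) => [move.x + dx, move.y + dy]);
  for (const [x, y] of cells) {
    if (!Number.isInteger(x) || !Number.isInteger(y)) return reject('bad coordinates');
    if (x < 0 || x >= COLS || y < 0 || y >= ROWS) return reject('out of bounds');
    if (game.board[y][x]) return reject('overlaps existing block');
  }
  // The piece must rest on the floor or on an already occupied cell.
  const resting = cells.some(([x, y]) => y === ROWS - 1 || game.board[y + 1][x]);
  if (!resting) return reject('piece is floating');
  // Apply to a copy, count full rows on the server, compare with the client's claim.
  const next = game.board.map((row) => row.slice());
  for (const [x, y] of cells) next[y][x] = 1;
  const kept = next.filter((row) => row.includes(0));
  const cleared = ROWS - kept.length;
  if (cleared !== move.claimedLines) return reject('line count mismatch');
  while (kept.length < ROWS) kept.unshift(Array(COLS).fill(0));
  // Commit state only after every check has passed.
  game.board = kept;
  game.queue.shift();
  game.issuedAt = now;
  game.lines += cleared;
  return { ok: true, cleared, totalLines: game.lines };
}
```

Any prize calculation would read `game.lines` from the server's copy of the state, never a score sent by the client.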

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


