How to securely submit high scores from a front-end game to prevent post hijacking
Given a client-side game (let's call it game X) and a server-side database that stores the high scores, how can one, after the end condition of the game, securely submit a high score to the server in a way that can only be done if the game was actually played (thus preventing post hijacking)?
Given the problem set out here, these are some ideas I have been thinking about:

* Upon game start, send a session ID that expires after a given amount of time, to be sent back to the server for verification.

The problem is that this is easily exploited by requesting the start ID and then faking the score.

* Checkpoints within the game that post to the server to verify the person is actually playing the game.

This could be synthesized with some clever scripting.
Recommended answer
Upload a replay of the game and verify the score from that replay on the server. Of course, this only works if your game supports replays.

At minimum, create a rough log of what's happening in-game and apply some plausibility checks.

You should also add some in-game consistency checks. Otherwise I'll just use a tool like ArtMoney and change the score during the game.

But in the end, if the user writes a bot it gets really hard.
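The approach the answer recommends (issue a session, have the client upload a replay log, and let the server recompute the score and run plausibility checks instead of trusting a claimed number) sketched as an added example. This is not code from the original post or from any real game; the game rules, event format, session structure, rate limit and sample replays are all constructed for illustration.

```javascript
// Server-side high-score verification from a replay log (added example).
// The client submits { sessionId, claimedScore, events }, where each event is
// { t, type } with t = milliseconds since the session was issued. The server
// never trusts claimedScore: it re-simulates the replay under the game rules.

const POINTS_PER_COLLECT = 10;          // hypothetical game rule
const MAX_MISSES = 3;                   // hypothetical: game ends on the third miss
const MAX_EVENTS_PER_SECOND = 10;       // hypothetical ceiling for human input
const SESSION_TTL_MS = 30 * 60 * 1000;  // session ID expires after 30 minutes

// Deterministic re-simulation of the replay; events after game over are ignored.
function simulateReplay(events) {
  let score = 0;
  let misses = 0;
  for (const ev of events) {
    if (ev.type === 'collect') {
      score += POINTS_PER_COLLECT;
    } else if (ev.type === 'miss') {
      misses += 1;
    } else {
      throw new Error(`unknown event type: ${ev.type}`);
    }
    if (misses >= MAX_MISSES) break;
  }
  return score;
}

// Returns { ok: true, score } or { ok: false, reason } for the submission.
function verifyScore(session, submission, now) {
  const { events, claimedScore, sessionId } = submission;
  if (!session || session.id !== sessionId) return { ok: false, reason: 'unknown session' };
  if (now - session.issuedAt > SESSION_TTL_MS) return { ok: false, reason: 'session expired' };
  if (!Array.isArray(events) || events.length === 0) return { ok: false, reason: 'empty replay' };

  // Plausibility: timestamps must be non-negative, strictly increasing, and
  // the last event must not lie in the future relative to the submission time.
  if (events[0].t < 0) return { ok: false, reason: 'negative timestamp' };
  for (let i = 1; i < events.length; i++) {
    if (!(events[i].t > events[i - 1].t)) return { ok: false, reason: 'non-monotonic timestamps' };
  }
  const lastT = events[events.length - 1].t;
  if (session.issuedAt + lastT > now) return { ok: false, reason: 'replay runs past submission time' };

  // Plausibility: input rate a human could not sustain points to a bot or a forged log.
  const durationSec = Math.max((lastT - events[0].t) / 1000, 1);
  if (events.length / durationSec > MAX_EVENTS_PER_SECOND) {
    return { ok: false, reason: 'implausible input rate' };
  }

  // Consistency: the score is whatever the replay produces, not what the client says.
  const recomputed = simulateReplay(events);
  if (recomputed !== claimedScore) {
    return { ok: false, reason: 'score mismatch', claimed: claimedScore, recomputed };
  }
  return { ok: true, score: recomputed };
}

// --- Constructed sample data (not real traffic) ---
const session = { id: 'sess-demo', issuedAt: 1000000 };
const now = session.issuedAt + 20000;  // submission 20 s after the session was issued

// Honest run: 20 collects half a second apart, then three misses (game over). Score 200.
const honestEvents = [];
for (let i = 0; i < 20; i++) honestEvents.push({ t: 500 * (i + 1), type: 'collect' });
for (let i = 0; i < 3; i++) honestEvents.push({ t: 10500 + 500 * i, type: 'miss' });
const honestSubmission = { sessionId: 'sess-demo', claimedScore: 200, events: honestEvents };

// Same replay, but the client reports an inflated score.
const inflatedSubmission = { ...honestSubmission, claimedScore: 999999 };

// Bot-like replay: 200 collects only 10 ms apart (about 100 events per second).
const botEvents = [];
for (let i = 0; i < 200; i++) botEvents.push({ t: 10 * (i + 1), type: 'collect' });
const botSubmission = { sessionId: 'sess-demo', claimedScore: 2000, events: botEvents };

console.log(verifyScore(session, honestSubmission, now));    // ok, score 200
console.log(verifyScore(session, inflatedSubmission, now));  // score mismatch
console.log(verifyScore(session, botSubmission, now));       // implausible input rate
```

The session check alone (the first idea in the question) is defeated by requesting an ID and posting a fake score, which is exactly what the answer warns about; the value here comes from the server recomputing the score from the replay, so a tampered `claimedScore` is caught regardless of how the client was modified. A memory editor changes the number the client displays, but not the event stream the server simulates, which is the consistency check the answer asks for.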