I know this is impossible, but how close can I get?
I’m creating achievements, and when a user ‘gets the achievement’ his browser tells him with a javascript popup, and sends a message to the server to update his profile.
I’d rather not have my users be able to just hit the webservice and get all the achievements. Signing the requests with a private key is better, but it would have to be stored in the .js file and then easily sniffed. I could obfuscate it, or do a unique one per user. And timestamp the requests.
Any better suggestions?
As the original question acknowledges, I think this is basically impossible in
situations where it’s really hard to get the server to rerun what the client did.
(e.g. a platform game with close timing)
Obfuscation’s probably your best bet. First off do a bit of crypto and include
timing information – use public/private key per user. That gets rid of the basic
traffic sniffing/replay. Obfuscate the client code too so they at least have to
put some effort into decoding it. I’d say that’d probably eliminate 99% of the
people trying to cheat. Until that last 1% writes a Firefox add-on to unlock
achievements and gives it to the other 99% at least.
Beyond that, well, don’t have achievements reward them with anything important.
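As an added illustration of the server side of what the question and answer describe (per-user signing key plus a timestamp, so that sniffed requests cannot simply be replayed), here is a small Python model of the achievement endpoint. It is example code written for this page, not code from either poster. It assumes a per-user HMAC secret instead of a public/private key pair (simpler and equivalent for this purpose), a 60-second clock skew window, and a client-chosen nonce recorded per user so an exact replay is rejected even inside that window. The nonce is an addition beyond the thread's timestamp-only suggestion; `client_sign` stands in for what the in-page JavaScript would compute, which is exactly the part a determined user can extract, so the check only raises the bar, as the answer says.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample keys, one per user. The server holds these; the copy the
# browser needs in order to sign is the weakness the thread is discussing.
USER_KEYS = {
    "alice": bytes.fromhex("0f" * 32),
    "bob": bytes.fromhex("a5" * 32),
}


def canonical(user, achievement, ts, nonce):
    """Fixed field order so client and server sign exactly the same bytes."""
    return f"{user}|{achievement}|{ts}|{nonce}".encode()


def client_sign(key, user, achievement, ts, nonce):
    """Hypothetical client side: what the page's JavaScript would compute."""
    return hmac.new(key, canonical(user, achievement, ts, nonce), hashlib.sha256).hexdigest()


class AchievementService:
    """Server-side endpoint that accepts or rejects a signed 'got achievement' message."""

    def __init__(self, keys, max_skew=60, clock=time.time):
        self.keys = keys
        self.max_skew = max_skew   # seconds a request timestamp may differ from server time
        self.clock = clock         # injectable for deterministic testing
        self.seen = set()          # (user, nonce) pairs already accepted: replay detection
        self.unlocked = {}         # user -> set of achievements granted

    def claim(self, user, achievement, ts, nonce, sig):
        key = self.keys.get(user)
        if key is None:
            return "unknown-user"
        expected = hmac.new(key, canonical(user, achievement, ts, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison; any altered field (e.g. the achievement name) fails here.
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        # Timestamp window bounds how long a captured request stays usable at all.
        if abs(self.clock() - ts) > self.max_skew:
            return "stale-timestamp"
        # Within the window, the nonce stops a byte-for-byte replay.
        if (user, nonce) in self.seen:
            return "replay"
        self.seen.add((user, nonce))
        self.unlocked.setdefault(user, set()).add(achievement)
        return "ok"


def demo(now=1_700_000_000):
    """Run the typical cases against a fixed clock and return each outcome."""
    svc = AchievementService(USER_KEYS, clock=lambda: now)
    nonce = secrets.token_hex(8)
    sig = client_sign(USER_KEYS["alice"], "alice", "first-blood", now, nonce)
    results = {}
    results["fresh"] = svc.claim("alice", "first-blood", now, nonce, sig)
    # Same request sent again: signature valid, timestamp fresh, nonce already used.
    results["replay"] = svc.claim("alice", "first-blood", now, nonce, sig)
    # Sniffed request with the achievement name swapped: signature no longer matches.
    results["tampered"] = svc.claim("alice", "all-levels", now, nonce, sig)
    # Request captured an hour ago and resent: outside the skew window.
    old = now - 3600
    old_sig = client_sign(USER_KEYS["alice"], "alice", "first-blood", old, "n2")
    results["stale"] = svc.claim("alice", "first-blood", old, "n2", old_sig)
    # Bob signing a claim for Alice with his own key: keys are per user.
    bob_sig = client_sign(USER_KEYS["bob"], "alice", "first-blood", now, "n3")
    results["wrong-key"] = svc.claim("alice", "first-blood", now, "n3", bob_sig)
    results["unlocked"] = sorted(svc.unlocked["alice"])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10} -> {outcome}")
```

The `seen` set grows without bound here; a real service would only keep nonces for as long as the skew window allows them to be valid. Whatever signing scheme is used, the check only proves the message came from code holding the user's key, which is why the answer's closing advice (keep achievements low-stakes, and validate the underlying game event server-side where feasible) remains the real control.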