1

I am using Fancy WebSockets in JavaScript to communicate with my PHP server for my multiplayer game.

But right now, I just send raw sockets (JSON) as:

Sending: {"command": "login", "data": {"id" : "1575","md5" : "6bd8937a8789a3e58489c4cfd514b1a7","username": "densortekat"}} index.php:58
Sending: {"command": "inroom"} index.php:58
Reciveing: {"command": "roombg","data" : "shop.png"} index.php:83
Reciveing: {"command" : "NEWUSER","data" : { "username" : "densortekat","seat_id" : "29","room_id" : "9"}} index.php:83
Sending: {"command" : "move", "data" : { "seat_id" : "53"}} index.php:58
Reciveing: {"command": "move", "data" : {"username" : "densortekat", "seat_id" : "53"}} index.php:83
Sending: {"command": "request_trade", "data" : "densortekat"} index.php:58
Reciveing: {"command":"trade", "data": {"username":"densortekat"}} index.php:83
Sending: {"command":"ping"} 

My question is, how can I encrypt the data from JavaScript to PHP, and the same way PHP->JavaScript, so others cannot see what's going on?

kim larsen

2 Answers

3

See html5 Websocket with SSL - if your initial page is HTTPS (SSL/TLS), then the websockets on it will be too.

John Zwinck
  • Yes I know, but the user can still just send {"command":"___something___"} himself and "manipulate" the client->server – kim larsen Feb 17 '13 at 09:29
  • Oh, well I didn't think that was what your question was asking. Perhaps you should reformulate it. – John Zwinck Feb 17 '13 at 09:31
  • @kim: that is the joy of trusting the client. You can come up with obfuscation methods to make cheating more annoying to do, but you will never be able to fix it. Try to draw the boundaries of the client/server relationship to ensure that enough of the critical computation is done on the server to make the game trustworthy. – bobince Feb 17 '13 at 11:36
1

You can't be sure JavaScript is activated on the client side, but the real problem is, you have no way to know the data you send & receive to the client from the server is dealt with by JavaScript and not by the user.

I, as a malicious user, can send you data like the one above that I forged myself rather than data that was computed by your js code. There is no way to receive data from a client with any certificate saying "this data was generated by a trusted js VM and not forged/manipulated by a user".

Fabien
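
One way to apply the advice in the comments and in this answer on the PHP side, as an added example (not code from the question, the answers, or Fancy WebSockets): the server treats every frame as untrusted input, checks it against state it holds itself, and takes identity from the session rather than from the message. `handleMessage()`, `$session` and `$room` are hypothetical names, and login is assumed to have already populated `$session`.

```php
<?php
// Added example: server-authoritative handling of the question's JSON commands.
// handleMessage(), $session and $room are hypothetical, not part of any library.
function handleMessage(string $raw, array &$session, array &$room): array
{
    $msg = json_decode($raw, true);
    if (!is_array($msg) || !isset($msg['command']) || !is_string($msg['command'])) {
        return ['command' => 'error', 'data' => 'malformed'];
    }
    // Assumption: a prior login step filled $session after the server verified it.
    if (empty($session['username'])) {
        return ['command' => 'error', 'data' => 'not_logged_in'];
    }
    $data = $msg['data'] ?? null;
    switch ($msg['command']) {
        case 'ping':
            return ['command' => 'pong'];
        case 'move':
            $seat = is_array($data) ? ($data['seat_id'] ?? null) : null;
            // seat_id must be a digit string naming a seat in the sender's own room.
            if (!is_string($seat) || !ctype_digit($seat) || !in_array($seat, $room['seats'], true)) {
                return ['command' => 'error', 'data' => 'bad_seat'];
            }
            if (isset($room['occupied'][$seat])) {
                return ['command' => 'error', 'data' => 'seat_taken'];
            }
            unset($room['occupied'][$session['seat_id'] ?? '']);
            $room['occupied'][$seat] = $session['username'];
            $session['seat_id'] = $seat;
            // The username in the broadcast comes from the session, never from the frame.
            return ['command' => 'move',
                    'data' => ['username' => $session['username'], 'seat_id' => $seat]];
        default:
            // Allowlist: any command not handled above is rejected.
            return ['command' => 'error', 'data' => 'unknown_command'];
    }
}

// Constructed sample state and frames (values reuse the shapes shown in the question).
$session = ['username' => 'densortekat', 'seat_id' => '29'];
$room = ['seats' => ['29', '53'], 'occupied' => ['29' => 'densortekat']];
$frames = [
    '{"command":"move","data":{"seat_id":"53"}}',                     // legitimate move
    '{"command":"move","data":{"seat_id":"999","username":"admin"}}', // forged seat and spoofed name
    '{"command":"___something___"}',                                  // command the server never defined
];
foreach ($frames as $f) {
    echo json_encode(handleMessage($f, $session, $room)), PHP_EOL;
}
```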