Server-side highscores for a Javascript-written game
Problem description
I'm implementing a simple game in Javascript, and am interested in having an online highscores table for it, so that players can compete against one another. I've two concerns about this:
- What is the simplest server-side program I need for this purpose? I don't need a full-fledged "web application", just something simple that gets POST requests with highscores, updates a database and sends back lists of scores. I'm familiar with Django. What are your suggestions?
- How can I make the highscores table reasonably secure? I'm aware that making it bulletproof against competent and dedicated hackers is difficult, but I wouldn't want anyone with access to the Javascript source code to be able to submit fictitious scores too simply. Any tools for this purpose?
1.) Any CGI script that can talk to a database and understand JSON, or other format of your choice, will do the work.
However, if you're familiar with Django, building your server on top of Django would be the most simple, in the sense of what you have to learn and how much application code you have to write. A seemingly simple CGI script can turn out rather complex if you write it from scratch.
I found django-piston to be a handy Django app to quickly write a REST-style API server. It supports JSON so it should be easy to interface with your JavaScript game.
2.) The most casual cracker will go for a replay attack and its variants: peek at the page source and execute a JavaScript function, intercept HTTP requests and resend them (should be easy with a Firefox add-on like Tamper Data).
To counteract the former, you can obfuscate the source code and HTTP body:
- Minify the JavaScript code
- Encode the message you send to the server with Base64 or other encoding algorithm
The latter can be prevented by requiring all update requests to include a one-time password ("session token" in the Wikipedia article) that was recently acquired from the server.
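One way to implement the one-time token described in the answer above, as an added example that is not part of the original answer. The class, function and field names are assumptions, and tokens are held in memory to keep the sketch framework-free.

```python
import secrets
import time

class ScoreTokenStore:
    """In-memory one-time tokens (a real server would use its database or cache)."""
    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl, self.clock = ttl_seconds, clock
        self._issued = {}  # token -> (player, expiry time)

    def issue(self, player):
        """Called when a game starts: give the client a fresh, unguessable token."""
        token = secrets.token_urlsafe(32)
        self._issued[token] = (player, self.clock() + self.ttl)
        return token

    def redeem(self, player, token):
        """True only on first use, by the player it was issued to, before expiry."""
        entry = self._issued.pop(token, None)  # pop: never accepted twice
        if entry is None:
            return False
        owner, expiry = entry
        return owner == player and self.clock() <= expiry

def submit_score(store, table, player, score, token):
    """Body of the score POST handler (hypothetical request shape)."""
    if type(score) is not int or score < 0:
        return {"ok": False, "error": "bad score"}
    if not store.redeem(player, token):
        return {"ok": False, "error": "invalid, expired or reused token"}
    table.append((score, player))
    table.sort(reverse=True)
    return {"ok": True, "top": table[:10]}

def demo():
    """Constructed exchange: a legitimate submission, a replay, an expired token."""
    now = [0.0]  # fake clock so the expiry case runs instantly
    store, table = ScoreTokenStore(clock=lambda: now[0]), []
    token = store.issue("alice")
    first = submit_score(store, table, "alice", 1200, token)
    replay = submit_score(store, table, "alice", 1200, token)  # same request resent
    stale = store.issue("bob")
    now[0] += 301  # token left unused past its 300 s lifetime
    expired = submit_score(store, table, "bob", 900, stale)
    return first["ok"], replay["ok"], expired["ok"], table

if __name__ == "__main__":
    print(demo())
```

The token only defeats resending a captured request; a client that fetches a fresh token and calls the game's own submit function is the case the answer addresses with obfuscation.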