有没有办法阻止最终用户在我的页面中篡改JavaScript游戏代码？ [英] Is there a way to stop end-user tampering with JavaScript game code in my page?

问题描述

我正在考虑创建一个HTML5游戏。我知道很可能没有人会试图欺骗，但我想确定（并且有兴趣查看是否有任何好的技术）。

I am thinking of creating a HTML5 game. I understand that it's probable that no one will try to cheat, but I want to make sure (and am interested to see if there are any good techniques).

我了解拥有开源软件的优势，并希望我的代码能够被阅读和填充。然而，在游戏类型的情况下，用户的分数将被发送到服务器进行存储，我可以看到一个问题，用户可以打开他们的开发工具（大多数浏览器中的F12）并修改脚本或变量中的值给自己一个更高的分数或一百人的生命。我不在乎人们是否这样做，但我不希望他们的分数被存储。

I understand the advantages of having open source software, and would want my code to be read and stuff. However, in a game type situation, where the user's score would be sent to the server to be stored, I can see a problem in that the user can open their devtools (F12 in most browsers) and modify the script or the values in variables to give themselves a higher score or a hundred lives. I don't care if people do this, but I don't want their scores to be stored.

案例分析：Candy Box 2（candybox2.net）带我

Case Study: Candy Box 2 (candybox2.net) took me less than 20 seconds to get 100000000 candies.

有什么方法可以阻止这种情况发生？

Is there any way to stop this from happening?

推荐答案

阻止这种情况发生的最可靠方法是运行所有业务逻辑服务器端，只接受来自浏览器的命令。如果关键变量不驻留在浏览器中（或者浏览器中的副本是缓存副本，并且永远不会被接受为权威），则客户端操作无法执行任何操作，除了可能会自动执行UI操作。

The surest way to stop this from happening is to run all the business logic server-side, only accepting commands from the browser. If the key variables are not resident in the browser (or the copy in the browser is a cached copy and never accepted as authoritative) then client-side manipulation is unable to do anything except perhaps automating UI actions.

如果客户端代码必须进行防篡改，那么您已经丢失了;这种方式在于 PunkBuster ， Valve Anti-Cheat 和其他一些机制通常要求用户让你永久性地在他的机器上安装一个rootkit，这样你就可以通过检查他自己而不是作弊。

If the client code has to be made tamper-resistant, you've already lost; that way lies PunkBuster, Valve Anti-Cheat, and other mechanisms that generally require the user to let you permanently install a rootkit on his machine so you can satisfy yourself by inspection that he's not cheating.

对于我最近使用ASP.Net作为后端工作的一些项目，我发现 SignalR 是一个非常高效的用于JavaScript和动态HTML的Comet 类型通信层，甚至可以利用HTML 5 WebSocket支持（如果可用）。

For some projects I've been working on recently using ASP.Net as a back-end, I've found SignalR to be a very efficient Comet-type communications layer for JavaScript and dynamic HTML, even taking advantage of HTML 5 WebSocket support if available.

这篇关于有没有办法阻止最终用户在我的页面中篡改JavaScript游戏代码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！