Data security

Hi!

I would like to generate passwords in my game level when a level is completed.
I would like to save the passwords in a database with the player ID. How do I secure:
a) the code generation algorithm
b) the system of sending information from the game to the server?

Could you explain more about this?

Need more information to give good advice.

You can use secure websockets.

2 Likes

When you say a password for a game-level … is this more of an in-game password where a hack would only cause in-game issues/loss of points? or is this tied to the player’s account such that a hack would cause problems with the entire user experience/access to the whole game?

3 Likes

I would like to generate promo codes for the store, after the level is completed. E.g. after completing level 1 - 1% discount, after completing level 2 - 2%, etc …

I would like the code generation algorithm to be secure. I do not know if it is better to do it on the server or in the game. I would like to protect myself so that it would not be easy to make a bot which would generate such codes.

I used to do something like this in AS3 - Flash. You could easily check the algorithm in .swf and what flash sends to the server. What you couldn’t do well was secure it.

Generating a password on the client side will never be secure. Even million-dollar DRMs & encryptions can be broken. If you have a chance, validate/authenticate the user, generate the psw on the server, send it back to the client securely, and deactivate it after it has been used.

4 Likes
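A minimal sketch of the server-side approach described in the post above, added here as an example and not part of the original thread: the server creates the code, binds it to the player, and deactivates it on first use. The table layout and the function names `open_store`, `issue_code` and `redeem_code` are assumptions, and player authentication and the server's own check that the level was really completed are assumed to have happened before `issue_code` is called.

```python
import hashlib
import secrets
import sqlite3

def open_store():
    # In-memory database for the example; a real server would use its own DB.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE promo (code_hash TEXT PRIMARY KEY, player_id TEXT NOT NULL,"
        " level INTEGER NOT NULL, discount_pct INTEGER NOT NULL,"
        " used INTEGER NOT NULL DEFAULT 0, UNIQUE (player_id, level))"
    )
    return db

def _digest(code):
    # Only the hash is stored, so a leaked table does not reveal usable codes.
    return hashlib.sha256(code.encode()).hexdigest()

def issue_code(db, player_id, level):
    """Call only after the server has authenticated the player and
    verified the level completion itself (both assumed, not shown)."""
    code = secrets.token_urlsafe(12)  # 96 random bits from the OS CSPRNG
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO promo (code_hash, player_id, level, discount_pct)"
                " VALUES (?, ?, ?, ?)",
                (_digest(code), player_id, level, level),  # level N -> N% off
            )
    except sqlite3.IntegrityError:
        return None  # this player already received a code for this level
    return code

def redeem_code(db, player_id, code):
    """Return the discount percent, or None if unknown, foreign or already used."""
    with db:
        # Single UPDATE so two concurrent redemptions cannot both succeed.
        cur = db.execute(
            "UPDATE promo SET used = 1"
            " WHERE code_hash = ? AND player_id = ? AND used = 0",
            (_digest(code), player_id),
        )
        if cur.rowcount != 1:
            return None
        row = db.execute(
            "SELECT discount_pct FROM promo WHERE code_hash = ?", (_digest(code),)
        ).fetchone()
    return row[0]
```

Because the code is random rather than computed from the score, nothing in the game client reveals how to produce a valid one; what remains is deciding when the server should agree to issue it.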

That’s right. The question is how to do it fairly safely ;) If I send the number of points and some parameters to the server, will it be difficult to check what I send? If someone checks what I send and where, he will be able to generate codes, no matter if he logs in or not.

You can use client authentication (OAuth2) (almost every endpoint uses it, like Facebook, Twitter…) + user auth and a hash for your data. You can search for “how to secure api access”.

It matters. Without proper authentication, nobody could send a request (they can try but they can’t get the code).

3 Likes

If you generate a seed on the server and then validate all of the user actions on the server when they submit their score + inputs, then you can be fairly sure it’s either not cheated or they wrote a clever bot to play the game. It means you need to be able to simulate the game on the server too. This is what some old Flash-based games used to do to stop cheaters (mostly). But it’s also complicated to do.

2 Likes

@selimanac I don’t entirely agree with you. The problem is not setting up an account. Someone will set up an account and run the appropriate endpoint. I’ll have information on who did it, but I won’t be able to see 100% if someone did it from in-game or out-of-game cheating.

Setting up an account and running the endpoint isn’t enough. The app must be authorized by using a client ID and client secret when using OAuth2. But of course this is not a rock-solid solution; credentials can be stolen. I suggested that because you asked “how to do it fairly safely” and this came to my mind.

As I said before, if something runs on the client, it is never safe. It is always possible to change a value in memory, which means anyone can change the score, level or points on the fly.
This is why @Pkeod’s solution is way better.

1 Like

Thanks!!!