Indeed, you really can't trust the client code. You just send code that you would like the client to run. The client can do whatever it likes. If somebody was really attacking you they wouldn't even be using a browser.
On Friday, March 3, 2017 at 5:06:55 AM UTC, gitzzz wrote:
-- As ever it depends what you want to optimise for ;) I can see two main architectural choices:
A - Keep a model/record on the server of the state of the game (so you don't trust any client).
PRO - Simple
CON - Need server side state (so client needs session, need to be careful if load balancing, dies on server crash/restart...)
B - Cryptographic signing of data sent to/from client (e.g. md5sum of server secret + 3,4,5,6,8, then client sends this back with each request)
PRO - No server state
CON - Easy to break
NB This just gives your server code reliable state of the game, you would still need to sanitise, authenticate and authorise any incoming requests and ensure what they were trying to do is valid within your rules.
I wouldn't worry about optimising too much. It seems very unlikely that any of this would be that CPU, network or disk intensive. If you are having tens of thousands of simultaneous players the challenge would just be about fault tolerance etc.
Cheers
Sam
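Option B from Sam's post, worked through as an added example (not code from the thread or from GWT): the server signs the hand it deals with a secret only it holds, the client echoes hand and tag back, and the server rejects anything whose tag no longer matches. It uses HMAC-SHA256 instead of the "md5sum of secret + data" wording above, and the game id and secret are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a per-deployment secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def canonical(hand, game_id):
    """Serialise the state deterministically so server and client-echoed
    copies always hash the same bytes (stable key order, no whitespace)."""
    return json.dumps({"game": game_id, "hand": list(hand)},
                      separators=(",", ":"), sort_keys=True).encode()


def sign_hand(hand, game_id, secret=SERVER_SECRET):
    """Server side: deal a hand and attach a keyed tag.
    HMAC is used rather than hash(secret + data) so a client cannot extend
    the message without knowing the secret."""
    tag = hmac.new(secret, canonical(hand, game_id), hashlib.sha256).hexdigest()
    return {"game": game_id, "hand": list(hand), "tag": tag}


def verify_hand(payload, secret=SERVER_SECRET):
    """Server side: recompute the tag over what the client sent back.
    Any change to the hand or game id, or a missing/garbled field, fails.
    This only proves the state came from the server; rule checks on the
    requested move (as the NB above says) are still a separate step."""
    try:
        expected = hmac.new(secret, canonical(payload["hand"], payload["game"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(payload["tag"]))
    except (KeyError, TypeError):
        return False


if __name__ == "__main__":
    dealt = sign_hand([3, 4, 5, 6, 8], "game-42")      # what the server sent
    print("genuine:", verify_hand(dealt))               # True
    forged = dict(dealt, hand=[3, 4, 5, 6, 7])          # client swapped the 8 for a 7
    print("tampered:", verify_hand(forged))             # False
    replayed = dict(dealt, game="game-43")              # same hand reused in another game
    print("replayed:", verify_hand(replayed))           # False
```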
On Friday, March 3, 2017 at 5:06:55 AM UTC, gitzzz wrote:
Thanks! I meant that I can't trust the client code. For example, we play poker, and the server sent the 3,4,5,6,8 combination. It's not a winning hand, and I've decided to send my own data - 3,4,5,6,7. At this point we see that the server should check/validate the sent data against the incoming data. But is it optimized? Because there are plenty of such requests, and every time I need to check the client data.
On Thursday, March 2, 2017 at 14:01:18 UTC+7, gitzzz wrote:
Hi! I use RequestBuilder for client-server communication, and I have some questions:
For example, we make an HTTP request to ".../get.php" (a function that selects some data from the DB and sends it back). The response is an array [1,2,3,4,5].
On the client side, onTheButtonClick we can change the data to new_array [1,3,6,8,9], and now we need to send these changes to the DB. In onSaveButtonClick() we make an HTTP POST request to ".../set.php" with parameters = new_array.
The question is: is it safe? Is it possible that any authed user can make this call by creating a JS script with an HTTP POST request and sending his own (fake) data (e.g. fake_array [10,20,30,23,12]) without clicking a button? How can I send changed data from the client side to a server safely?
You received this message because you are subscribed to the Google Groups "GWT Users" group.
Visit this group at https://groups.google.com/group/google-web-toolkit.