|
WebApp Sec
mailing list archives
Re: securing web based game
From: "Adam [ckkl]" <ckkl () poczta wp pl>
Date: Sun, 22 Dec 2002 18:15:06 +0100
Hi Tomas,
One thing with which i came up is to use unique session IDs and a secret
algorithm to generate "validation string": game takes points, session id
and
generate "validation string", then sends it to server together with
points.
Server uses same algorithm and compares received "validation string" from
user with generated. If they match, then it knows that points are valid.
IMHO if the algorithm is included in a client-side code, then this solution
is equal to INSECURE, because it's a matter of [rather short] time for
reversers to break it, unless you use some sophisticated methods and
anti-* tricks, but it's just the waste of time.
any other ideas?
let the server (instead of client) decide about the points
Just my 5 bolivars...
HTH
Best regards
Adam
 By Date 
By Thread
Current thread:
| 
Intro
