What are the best practices for making online high score lists in JavaScript based games? [closed]

Answer 1

On score submit:

1. Request some token from the server, this should be time based and only valid for about 2 seconds
2. Only accept submits that include a valid hash of this token, some salt and the score.

This prevents manual tampering with the request as it would timeout the score. If you want to account for high-latency give it a little more time until the timeout.

The hashing function:

Scramble the hashing function inside packed code (http://dean.edwards.name/packer/ really produces nasty to read code) if you use jQuery or some other library just drop the hashing functionality inside the library file and it gets pretty bad to find, escpecially if you use a function name like "h" :)

Handling the score-variable itself:

Well everybody with a debugging console can change the variable on runtime when doing this but if you encapsulate your whole Javascript inside a function and call it nothing is in the global namespace and it's much harder to get to the variables:

(function() {
  //your js code here
})();

Answer 2

I like to play cheat the cheater - something like using a token to authenticate the score that changes every time the update is called... but I accept the cheat score that gets posted using a duplicate token. Then I display that cheat score to only the cheater, so it appears that it worked, but now the cheater is seeing his results in a sandbox.

Answer 3

I used a system using a time based request having 3 parameters

req number, curr time, score 

The req number is returned from server in the response to the update score request , each time this is a new random value.

The curr time is calculated not from computer clock but from start of game and is synced with server using an ajax request.

Update score request is sent after short intervals (around 30 sec max).

Following checks are applied on the server

Time is within 10 seconds range from the server clock.
there has been not more than 40 seconds since the req number was sent.
the score change sent after 30 seconds is possible (within 2 x humanly possible range)

Score is updated only if the above checks are passed or the user gets a disconnection message :(

This is simpler than most methods and works out to eliminate all casual hackers (well, unless they read this and want to go to the trouble of updating score quickly or making a script of their own).

Answer 4

Record key points in game, then score is submitted with these key points. When people look high scores, they can also see overview of played game, if it looks like it is impossible to play like that without cheating, then people can report these suspicious scores to admins.