This question has probably been asked many many times, however I want to ask anyway.
We are working on a Browser-Based social game / MMOG where players will chat, explore, make friends, and more importantly - buy furniture, clothing, and other virtual goods with credits they have purchased.
We are using SmartFoxServer 2x for the server-side.
Now here are my two questions, if anyone can offer advice or information it would be greatly appreciated.
What steps can be taken to prevent hacking? For example, players being able to inject code or send packets to the server to give themselves credits, items, etc.
What steps can be taken to protect the source code and assets?
With SmartFox, all of your server code will be quite different from the client code, which is helpful. What you'll need to do, though, is be very careful about data validation on the server side.
Don't trust the client in any way. You can be 100% sure that either the user is so dumb that false or wrong data will be inputted, or the user has bad intentions and tries to hack. Run the same algorithms on client and server. If the client's value differs from the server's value, force it to the server state.
Consider the client as a viewpoint for your game/software. Just like a computer's monitor, the client should just mirror the server state at a certain place and time.
Don’t ask client, tell the client.
The client can request actions, such as "MOVE FORWARD" or "USE ITEM 5".
The server checks if the move is possible, does the action, and replies with the new state.
The server checks if the user has the item, if it's possible to use it in this state, if the item is legal and such, and then uses it.
Browser-based games usually get bot software pretty fast, simply because it's easy to code. Avoid tasks that require a huge amount of clicking, precise timing, or 24/7 gaming (that's what computers are good at).
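The request/validate/reply loop described in this answer, as an added example that is not part of the original answer and not SmartFoxServer code (SmartFox extensions are written in Java; this is plain Python so the pattern stands on its own). The world, catalogue, prices and the `Player` fields are constructed for the illustration. The point it shows: the server reads only the action name and its target from the request, ignores any state the client claims (a `credits` or `x`/`y` field smuggled into the packet), and every reply carries the server's own snapshot, so the client is told rather than asked.

```python
"""Server-authoritative handling of client action requests (constructed example)."""
import math
from dataclasses import dataclass, field

# Constructed world: a 5x5 grid with one blocked cell.
WORLD_W, WORLD_H = 5, 5
BLOCKED = {(2, 2)}
# Constructed shop catalogue (item -> price in credits) and the items that can be "used".
CATALOGUE = {"chair": 50, "hat": 20, "potion": 10}
USABLE = {"potion"}
MOVES = {"MOVE_UP": (0, -1), "MOVE_DOWN": (0, 1),
         "MOVE_LEFT": (-1, 0), "MOVE_RIGHT": (1, 0)}


@dataclass
class Player:
    """The server's copy of a player; the client never writes to it directly."""
    name: str
    x: int = 0
    y: int = 0
    credits: int = 100
    hp: int = 50
    inventory: dict = field(default_factory=dict)   # item -> count

    def snapshot(self) -> dict:
        """Authoritative state that is pushed back to the client after every request."""
        return {"x": self.x, "y": self.y, "credits": self.credits,
                "hp": self.hp, "inventory": dict(self.inventory)}


def _reply(player: Player, ok: bool, reason: str = "") -> dict:
    reply = {"ok": ok, "state": player.snapshot()}
    if not ok:
        reply["reason"] = reason
    return reply


def handle_request(player: Player, request: dict) -> dict:
    """Apply one client request to the server-side player.

    Only `action` and `item` are read from the request. Anything else the
    client sends (a claimed credit balance, a position, an hp value) is
    ignored, because the server state is the only state that exists.
    """
    action = request.get("action")

    if action in MOVES:
        dx, dy = MOVES[action]
        nx, ny = player.x + dx, player.y + dy
        # Server decides whether the move is possible before applying it.
        if not (0 <= nx < WORLD_W and 0 <= ny < WORLD_H) or (nx, ny) in BLOCKED:
            return _reply(player, False, "move blocked")
        player.x, player.y = nx, ny
        return _reply(player, True)

    if action == "BUY":
        item = request.get("item")
        if item not in CATALOGUE:                 # unknown or unpurchasable item
            return _reply(player, False, "no such item")
        price = CATALOGUE[item]
        if player.credits < price:               # the server's balance, not the client's claim
            return _reply(player, False, "not enough credits")
        player.credits -= price
        player.inventory[item] = player.inventory.get(item, 0) + 1
        return _reply(player, True)

    if action == "USE_ITEM":
        item = request.get("item")
        if player.inventory.get(item, 0) == 0:   # must actually own it
            return _reply(player, False, "item not owned")
        if item not in USABLE:                    # must be a legal thing to use
            return _reply(player, False, "item not usable")
        player.inventory[item] -= 1
        player.hp = min(100, player.hp + 25)      # constructed effect of the potion
        return _reply(player, True)

    # Anything the server does not know is refused; the client cannot invent verbs.
    return _reply(player, False, "unknown action")


if __name__ == "__main__":
    alice = Player("alice")
    # A forged "credits" field rides along with the request and is simply ignored.
    print(handle_request(alice, {"action": "BUY", "item": "potion", "credits": 999999}))
    print(handle_request(alice, {"action": "SET_CREDITS", "credits": 999999}))
```

Every branch that changes state first re-derives the precondition from the server's own data (balance, inventory, map), which is what "run the same algorithm on the server" means in practice; the client-side copy of these checks only exists to give instant feedback, never to decide.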
This is a very generic question that has a very generic answer: Never trust the client, verify everything on the server.
However, this answer doesn't really give you any specific ideas or implementations; even the replies before mine are mostly generic ideas. Nothing bad about the people that wrote them, but in general it is very hard to answer this correctly without specific information about the game.
It all depends on the scale of the game (both in terms of the world size, and simultaneous players in one world at any time, etc.) and what type of gameplay (action, role-playing, turn-based, etc.).
For example, an MMORPG with a lot of players is very demanding on the server and can not do the same type of checking that an FPS game like Battlefield does. An FPS usually runs the entire simulation, including physics, on the server as well, while an MMORPG usually does not even check every action, but every X actions (where X is some random, varying number), and in general lets the player report its position to the server and then does very light verification on that, etc.