Connecting Tech Pros Worldwide Forums | Help | Site Map
bytes > topic > javascript > answers

Stop user writing to cookie

Mark
Guest
  
Posts: n/a
#1: Jul 23 '05
I am designing a game for a forum. When the user has finished playing
I need to save their data to a cookie then navigate to a page which
holds their score data (I can't have both sets of data on the same
page because I can't control the forum design). The score data is
updated with the results held in the cookie and the cookie is deleted.
I need to stop the user just typing for example
javascript:document.cookie="myScore=1000000" into the address bar and
therefore cheating. How can I stop the user updating the cookie
through the address bar, other than through frames/popup window. I
can't think on anyway to do this, as everything I think of has a way
around it.

Evertjan.
Guest
  
Posts: n/a
#2: Jul 23 '05

re: Stop user writing to cookie

Mark wrote on 03 mei 2004 in comp.lang.javascript:[color=blue]
> I am designing a game for a forum. When the user has finished playing
> I need to save their data to a cookie then navigate to a page which
> holds their score data (I can't have both sets of data on the same
> page because I can't control the forum design). The score data is
> updated with the results held in the cookie and the cookie is deleted.
> I need to stop the user just typing for example
> javascript:document.cookie="myScore=1000000" into the address bar and
> therefore cheating. How can I stop the user updating the cookie
> through the address bar, other than through frames/popup window. I
> can't think on anyway to do this, as everything I think of has a way
> around it.[/color]

Clientside is mine, the client, and you cannot steal it from me.

If you want to deny my manipulations,
do serverside storing of the score with user/password authentication.



--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Mark
Guest
  
Posts: n/a
#3: Jul 23 '05

re: Stop user writing to cookie

*IDEA* use an IFRAME to parse the data between windows rather than a cookie

That will do what I need...
Brian Genisio
Guest
  
Posts: n/a
#4: Jul 23 '05

re: Stop user writing to cookie

Mark wrote:
[color=blue]
> *IDEA* use an IFRAME to parse the data between windows rather than a cookie
>
> That will do what I need...[/color]

I am sure I can still type something in the Loc bar that will modify my
score.

Brian
Thomas 'PointedEars' Lahn
Guest
  
Posts: n/a
#5: Jul 23 '05

re: Stop user writing to cookie

Mark wrote:
[color=blue]
> I am designing a game for a forum. When the user has finished playing
> I need to save their data to a cookie then navigate to a page which
> holds their score data (I can't have both sets of data on the same
> page because I can't control the forum design). The score data is
> updated with the results held in the cookie and the cookie is deleted.
> I need to stop the user just typing for example
> javascript:document.cookie="myScore=1000000" into the address bar and
> therefore cheating. How can I stop the user updating the cookie
> through the address bar, other than through frames/popup window.[/color]

You cannot. This reads like a security related issue, so keep in mind
that you can never reliably prevent information stored client-side from
being manipulated. (And aside from being open to changes as well, you
do no good by using an iFrame.) You need to store the score server-side
like any other information that is subject to security.

Note that if you do this, AIUI you also need to inform the player that
his/her score is being saved on the server and they must agree to that
either before they are allowed to play or before it is saved (i.e. they
must be allowed to prevent their score from being saved/updated, and they
must be allowed to delete that information later). A score is information
related to an individual, so you need their explicit consent. Ref.: Data
protection, duty/obligation of secrecy/confidentiality.


HTH

PointedEars
Randy Webb
Guest
  
Posts: n/a
#6: Jul 23 '05

re: Stop user writing to cookie

Thomas 'PointedEars' Lahn wrote:
[color=blue]
> Mark wrote:
>
>[color=green]
>>I am designing a game for a forum. When the user has finished playing
>>I need to save their data to a cookie then navigate to a page which
>>holds their score data (I can't have both sets of data on the same
>>page because I can't control the forum design). The score data is
>>updated with the results held in the cookie and the cookie is deleted.
>>I need to stop the user just typing for example
>>javascript:document.cookie="myScore=1000000" into the address bar and
>>therefore cheating. How can I stop the user updating the cookie
>>through the address bar, other than through frames/popup window.[/color]
>
>
> You cannot. This reads like a security related issue, so keep in mind
> that you can never reliably prevent information stored client-side from
> being manipulated. (And aside from being open to changes as well, you
> do no good by using an iFrame.) You need to store the score server-side
> like any other information that is subject to security.[/color]

If it were a security issue, you wouldn't be able to type it in the
address bar and set it yourself. Its only a security issue when a
website is attempting to change it. Otherwise, how is me changing
someone elses cookies a "security issue" to me?
[color=blue]
> Note that if you do this, AIUI you also need to inform the player that
> his/her score is being saved on the server and they must agree to that
> either before they are allowed to play or before it is saved (i.e. they
> must be allowed to prevent their score from being saved/updated, and they
> must be allowed to delete that information later). A score is information
> related to an individual, so you need their explicit consent. Ref.: Data
> protection, duty/obligation of secrecy/confidentiality.[/color]

I find that dubious at best. Too many sites use sessions, set cookies
and transfer data back and forth (do web stats ring a bell?) without
asking for permission, but its personal information about me. Even if
its nothing more than what search engine I might use or what browser
they think I might use.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/
Jim Ley
Guest
  
Posts: n/a
#7: Jul 23 '05

re: Stop user writing to cookie

On Tue, 25 May 2004 17:26:57 -0400, Randy Webb
<hikksnotathome@aol.com> wrote:[color=blue][color=green]
>> A score is information
>> related to an individual, so you need their explicit consent. Ref.: Data
>> protection, duty/obligation of secrecy/confidentiality.[/color]
>
>I find that dubious at best. Too many sites use sessions, set cookies
>and transfer data back and forth (do web stats ring a bell?) without
>asking for permission, but its personal information about me.[/color]

It's likely although there's no case law, that within the EU cookies
need to be explicitly accepted, a P3P policy is likely enough
evidence. IANAL etc.

Jim.
--
comp.lang.javascript FAQ - http://jibbering.com/faq/
Closed Thread

« previous question | next question »

Similar JavaScript / Ajax / DHTML bytes

/bytes/development

/bytes/it

Forums
Visit our community forums for general discussions and latest on Bytes

Our staff and community areas have moved to bytes.com/forums/

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,471 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved