Stop user writing to cookie

Mark wrote on 03 mei 2004 in comp.lang.javascript:

I am designing a game for a forum. When the user has finished playing
I need to save their data to a cookie then navigate to a page which
holds their score data (I can't have both sets of data on the same
page because I can't control the forum design). The score data is
updated with the results held in the cookie and the cookie is deleted.
I need to stop the user just typing for example
javascript:document.cookie="myScore=1000000" into the address bar and
therefore cheating. How can I stop the user updating the cookie
through the address bar, other than through frames/popup window. I
can't think on anyway to do this, as everything I think of has a way
around it.

Clientside is mine, the client, and you cannot steal it from me.

If you want to deny my manipulations,
do serverside storing of the score with user/password authentication.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

*IDEA* use an IFRAME to parse the data between windows rather than a cookie

That will do what I need...

Mark wrote:

*IDEA* use an IFRAME to parse the data between windows rather than a cookie

That will do what I need...

I am sure I can still type something in the Loc bar that will modify my
score.

Brian

Mark wrote:

I am designing a game for a forum. When the user has finished playing
I need to save their data to a cookie then navigate to a page which
holds their score data (I can't have both sets of data on the same
page because I can't control the forum design). The score data is
updated with the results held in the cookie and the cookie is deleted.
I need to stop the user just typing for example
javascript:document.cookie="myScore=1000000" into the address bar and
therefore cheating. How can I stop the user updating the cookie
through the address bar, other than through frames/popup window.

You cannot. This reads like a security related issue, so keep in mind
that you can never reliably prevent information stored client-side from
being manipulated. (And aside from being open to changes as well, you
do no good by using an iFrame.) You need to store the score server-side
like any other information that is subject to security.

Note that if you do this, AIUI you also need to inform the player that
his/her score is being saved on the server and they must agree to that
either before they are allowed to play or before it is saved (i.e. they
must be allowed to prevent their score from being saved/updated, and they
must be allowed to delete that information later). A score is information
related to an individual, so you need their explicit consent. Ref.: Data
protection, duty/obligation of secrecy/confidentiality.
HTH

PointedEars

Thomas 'PointedEars' Lahn wrote:

Mark wrote:

I am designing a game for a forum. When the user has finished playing
I need to save their data to a cookie then navigate to a page which
holds their score data (I can't have both sets of data on the same
page because I can't control the forum design). The score data is
updated with the results held in the cookie and the cookie is deleted.
I need to stop the user just typing for example
javascript:document.cookie="myScore=1000000" into the address bar and
therefore cheating. How can I stop the user updating the cookie
through the address bar, other than through frames/popup window.

You cannot. This reads like a security related issue, so keep in mind
that you can never reliably prevent information stored client-side from
being manipulated. (And aside from being open to changes as well, you
do no good by using an iFrame.) You need to store the score server-side
like any other information that is subject to security.

If it were a security issue, you wouldn't be able to type it in the
address bar and set it yourself. Its only a security issue when a
website is attempting to change it. Otherwise, how is me changing
someone elses cookies a "security issue" to me?
Note that if you do this, AIUI you also need to inform the player that
his/her score is being saved on the server and they must agree to that
either before they are allowed to play or before it is saved (i.e. they
must be allowed to prevent their score from being saved/updated, and they
must be allowed to delete that information later). A score is information
related to an individual, so you need their explicit consent. Ref.: Data
protection, duty/obligation of secrecy/confidentiality.

I find that dubious at best. Too many sites use sessions, set cookies
and transfer data back and forth (do web stats ring a bell?) without
asking for permission, but its personal information about me. Even if
its nothing more than what search engine I might use or what browser
they think I might use.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/

On Tue, 25 May 2004 17:26:57 -0400, Randy Webb
<hi************@aol.com> wrote:

A score is information
related to an individual, so you need their explicit consent. Ref.: Data
protection, duty/obligation of secrecy/confidentiality.

I find that dubious at best. Too many sites use sessions, set cookies
and transfer data back and forth (do web stats ring a bell?) without
asking for permission, but its personal information about me.

It's likely although there's no case law, that within the EU cookies
need to be explicitly accepted, a P3P policy is likely enough
evidence. IANAL etc.

Jim.
--
comp.lang.javascript FAQ - http://jibbering.com/faq/