[eluser]Falney[/eluser]
Hello. I'm not not going to ask for a piece of code here but merely advice on which way to go.
I'm currently developing a browser based game and the subject of data security popped up. Now, I am in no way a cryptographer, my knowledge in the field is pretty limited and what I need to do is something I've never done before and I'm not even sure if it is in fact, possible.
The browser game uses a lot of Javascript on the application layer and relies on code igniter on the opposite end. It also uses ajax and POST for data communications.
What we are afraid of is people producing a third party page using url's nested in the Javascript UI to inject data and false requests into the game.
Basically, we need an application layer encryption while not providing the encryption key to the user.
One thought I had was to encrypt the URL's to make them unreadable but as you cant call on PHP directly from Javascript, I am unsure how this would be made possible.
Another thought was to send data to an encryption page then send it onto the file that manipulates the data, but this wont be any more secure than not using encryption at all.
Another thought was to introduce handshaking. But again, people can still just use a third party webpage with a simple form.
One idea I'm currently toying with in my head is to include a 1way encryption hash in the URL its self ~ (The game is running through a browser built into another piece of software) ~ an SHA1 hash including the user and the time stamp or something similar. This would require playing with time zones and introduces a lot of variables that could go wrong.
I'm thinking this is likely to be my best bet, I would just like other input into it and see what other people do to get around this.
I'm not trying to make it impossible to do, I know that is a fruitless end ever. But there is no sense in making it easy for players to exploit
So, any suggestions would be greatly appreciated.
