Stop user writing to cookie

  • Mark

    Stop user writing to cookie

    I am designing a game for a forum. When the user has finished playing
    I need to save their data to a cookie then navigate to a page which
    holds their score data (I can't have both sets of data on the same
    page because I can't control the forum design). The score data is
    updated with the results held in the cookie and the cookie is deleted.
    I need to stop the user just typing for example
    javascript:document.cookie="myScore=1000000" into the address bar and
    therefore cheating. How can I stop the user updating the cookie
    through the address bar, other than through frames/popup window. I
    can't think of any way to do this, as everything I think of has a way
    around it.
  • Evertjan.

    #2
    Re: Stop user writing to cookie

    Mark wrote on 03 May 2004 in comp.lang.javascript:
    > I am designing a game for a forum. When the user has finished playing
    > I need to save their data to a cookie then navigate to a page which
    > holds their score data (I can't have both sets of data on the same
    > page because I can't control the forum design). The score data is
    > updated with the results held in the cookie and the cookie is deleted.
    > I need to stop the user just typing for example
    > javascript:document.cookie="myScore=1000000" into the address bar and
    > therefore cheating. How can I stop the user updating the cookie
    > through the address bar, other than through frames/popup window. I
    > can't think of any way to do this, as everything I think of has a way
    > around it.

    Clientside is mine, the client, and you cannot steal it from me.

    If you want to deny my manipulations,
    do serverside storing of the score with user/password authentication.



    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)


    • Mark

      #3
      Re: Stop user writing to cookie

      *IDEA* use an IFRAME to parse the data between windows rather than a cookie

      That will do what I need...


      • Brian Genisio

        #4
        Re: Stop user writing to cookie

        Mark wrote:
        > *IDEA* use an IFRAME to parse the data between windows rather than a cookie
        >
        > That will do what I need...

        I am sure I can still type something in the Loc bar that will modify my
        score.

        Brian


        • Thomas 'PointedEars' Lahn

          #5
          Re: Stop user writing to cookie

          Mark wrote:
          > I am designing a game for a forum. When the user has finished playing
          > I need to save their data to a cookie then navigate to a page which
          > holds their score data (I can't have both sets of data on the same
          > page because I can't control the forum design). The score data is
          > updated with the results held in the cookie and the cookie is deleted.
          > I need to stop the user just typing for example
          > javascript:document.cookie="myScore=1000000" into the address bar and
          > therefore cheating. How can I stop the user updating the cookie
          > through the address bar, other than through frames/popup window.

          You cannot. This reads like a security related issue, so keep in mind
          that you can never reliably prevent information stored client-side from
          being manipulated. (And aside from being open to changes as well, you
          do no good by using an iFrame.) You need to store the score server-side
          like any other information that is subject to security.

          Note that if you do this, AIUI you also need to inform the player that
          his/her score is being saved on the server and they must agree to that
          either before they are allowed to play or before it is saved (i.e. they
          must be allowed to prevent their score from being saved/updated, and they
          must be allowed to delete that information later). A score is information
          related to an individual, so you need their explicit consent. Ref.: Data
          protection, duty/obligation of secrecy/confidentiality.


          HTH

          PointedEars
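
The server-side approach recommended in the replies above, as an added example that is not part of any post in this thread: the forgeable design that trusts a `myScore` cookie sits beside one where the cookie carries only an opaque session id and the score lives in server memory. The `sid` cookie name, the `POINTS` scoring table and all function names are assumptions, and the user/password check itself is not shown.

```javascript
const { randomBytes } = require('crypto');

// Server memory: sid -> { user, score }. Never sent to the browser.
const sessions = new Map();
// Assumed scoring rule, applied only on the server.
const POINTS = new Map([['target', 10], ['bonus', 50]]);

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header = '') {
  const jar = new Map();
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Call after the user/password check succeeds (login itself not shown).
function startSession(user) {
  const sid = randomBytes(16).toString('hex'); // opaque, unguessable
  sessions.set(sid, { user, score: 0 });
  return sid;
}

// BEFORE: the design from the question. The browser owns this number.
function scoreFromCookie(cookieHeader) {
  return Number(parseCookies(cookieHeader).get('myScore')) || 0;
}

// The server scores each game event itself and keeps the running total.
function recordEvent(cookieHeader, event) {
  const session = sessions.get(parseCookies(cookieHeader).get('sid'));
  if (!session || !POINTS.has(event)) return false;
  session.score += POINTS.get(event);
  return true;
}

// AFTER: the cookie only names the session; any myScore cookie is ignored.
function scoreFromSession(cookieHeader) {
  const session = sessions.get(parseCookies(cookieHeader).get('sid'));
  return session ? session.score : null;
}

// Constructed request: a valid session plus a hand-edited myScore cookie.
const demoSid = startSession('mark');
const demoHeader = `sid=${demoSid}; myScore=1000000`;
recordEvent(demoHeader, 'target');
console.log(scoreFromCookie(demoHeader), scoreFromSession(demoHeader));
```
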


          • Randy Webb

            #6
            Re: Stop user writing to cookie

            Thomas 'PointedEars' Lahn wrote:
            > Mark wrote:
            >
            >>I am designing a game for a forum. When the user has finished playing
            >>I need to save their data to a cookie then navigate to a page which
            >>holds their score data (I can't have both sets of data on the same
            >>page because I can't control the forum design). The score data is
            >>updated with the results held in the cookie and the cookie is deleted.
            >>I need to stop the user just typing for example
            >>javascript:document.cookie="myScore=1000000" into the address bar and
            >>therefore cheating. How can I stop the user updating the cookie
            >>through the address bar, other than through frames/popup window.
            >
            >
            > You cannot. This reads like a security related issue, so keep in mind
            > that you can never reliably prevent information stored client-side from
            > being manipulated. (And aside from being open to changes as well, you
            > do no good by using an iFrame.) You need to store the score server-side
            > like any other information that is subject to security.

            If it were a security issue, you wouldn't be able to type it in the
            address bar and set it yourself. It's only a security issue when a
            website is attempting to change it. Otherwise, how is me changing
            someone else's cookies a "security issue" to me?

            > Note that if you do this, AIUI you also need to inform the player that
            > his/her score is being saved on the server and they must agree to that
            > either before they are allowed to play or before it is saved (i.e. they
            > must be allowed to prevent their score from being saved/updated, and they
            > must be allowed to delete that information later). A score is information
            > related to an individual, so you need their explicit consent. Ref.: Data
            > protection, duty/obligation of secrecy/confidentiality.

            I find that dubious at best. Too many sites use sessions, set cookies
            and transfer data back and forth (do web stats ring a bell?) without
            asking for permission, but it's personal information about me. Even if
            it's nothing more than what search engine I might use or what browser
            they think I might use.

            --
            Randy
            Chance Favors The Prepared Mind
            comp.lang.javascript FAQ - http://jibbering.com/faq/


            • Jim Ley

              #7
              Re: Stop user writing to cookie

              On Tue, 25 May 2004 17:26:57 -0400, Randy Webb
              <hikksnotathome@aol.com> wrote:
              >> A score is information
              >> related to an individual, so you need their explicit consent. Ref.: Data
              >> protection, duty/obligation of secrecy/confidentiality.
              >
              >I find that dubious at best. Too many sites use sessions, set cookies
              >and transfer data back and forth (do web stats ring a bell?) without
              >asking for permission, but it's personal information about me.

              It's likely, although there's no case law, that within the EU cookies
              need to be explicitly accepted, a P3P policy is likely enough
              evidence. IANAL etc.

              Jim.
              --
              comp.lang.javascript FAQ - http://jibbering.com/faq/
