question

luisfelixrescoblazquez avatar image
luisfelixrescoblazquez asked

Multiple calls to a ExecuteCloudScript, how to deal with them.

We have a handler that gives free stuff to our user. If any user hack this call could earn free stuff whenever he pleases. How can we deal with this kind of request? How we block the user to perform two handlers at the same time? We can do it via TitleData storage? Can a user store and read data at the same time from two differents handler calls.

Title Data
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
brendan avatar image
brendan answered

Well, there are a few topics on this in the forums (ex: https://community.playfab.com/questions/8637/security-on-updating-statistics-from-client-cloud.html), but specific to the question of multiple calls, that can be tricky.

As a web-based service, the endpoints can be called at any time. And since the majority of client devices are general-purpose computing devices, it's not possible to prevent a hacker from making a valid request using the Session Ticket, and putting any values in the parameters they want to.

So to protect your title, there are a few things you can do, depending on how much security you want to have.

For basic security, you can use Cloud Script to have lightweight server authoritative logic - check max values, time since last update, etc. That doesn't prevent someone from issuing the same call twice, but there are three possible outcomes of that, assuming they're making identical calls in order to get some advantage (extra items, for example), given web latencies:

1. The calls arrive far enough off from each other that the logic of the "second" call is processed after the effect of the first - no negative impact, so nothing you have to do.

2. The calls arrive close enough together that they try to change the same value at the same time, resulting in one of them getting a concurrent edit error. None, or minimal impact (if there were multiple operations and one ran, but the next didn't). See 3 for advice on helping for the minimal impact case.

3. The calls arrive close, but not close enough for 2 to prevent the calls from all running. So the player will have managed to run the logic twice in a row. This may result in them having a negative VC value, which would be easy to segment against, and so auto-ban players (if you're confident that condition should never occur). But also, if you're using custom events to track on when things happen in the game (in addition to all the built-in events), it should be fairly easy to design a query to look for the behaviors you want to avoid.

For a higher level of security, you would want to use a custom game server and use some form of "locking" logic to prevent the player from being on more than one at a time. You could, for example, call GetCurrentGames to make sure the player isn't on any other server, when he joins that server. And in case the player legitimately lost connection to that server, you could just warn them that they have to wait, and re-try after whatever period is the max before your server calls NotifyMatchmakerPlayerLeft on the other machine.

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.