About 2 years back, I conducted an experiment with the Bulls and Cows game[1] [2]. I now wanted to see what the 'human average' for the game is. So I wanted to build a small Facebook application to add the social aspect to the game and conduct my experiments.
But before I continued, I had to solve a major problem.
If I keep it as a JavaScript game, as hosted here, I need to ensure that the random number generated in the browser is secure and cannot be manipulated or found out by a player who cheats.
Anyone who knows a bit of Javascript and is used to looking at code using Firebug will soon be able to 'guess' the number in one step:
Yeah, that's right. I store the random number generated in a variable randomNo. And you can find out the value using Firebug. Now this is fine, as long as it is not a competition and you play the game because you actually like it and not because you are winning a million dollars. But what if this game was being played for money?
So my next attempt was to store an MD5 hash of the number and then match it against the MD5 hash of the number entered by the player. This works well as long as the random number is generated on the server side and only the MD5 is sent to the client.
Can the random number and its MD5 be generated on the client side without the user being able to 'debug' and get the random number?
My first attempt towards this was the following piece of code:
    // MD5() is assumed to come from a JavaScript MD5 library loaded on the page.
    function getRandomNo() {
        var md5OfRandomNo = MD5(Math.floor(Math.random() * 10001) + '');
        return md5OfRandomNo;
    }
But unfortunately:
and you step into the function and:
🙁
Right now, I am still not able to find a fool-proof way to generate the random number on the client side. Is there a solution?
Ok, let's say the number is securely generated in some way (client or server) and we only store the MD5 value on the client. Now, there is a second problem:
What if the player just changes the random number altogether?
    >>> randomNo
    "948f847055c6bf156997ce9fb59919be"
    >>> randomNo = MD5('7839')
    "ca91c5464e73d3066825362c3093a45f"
We need to maintain a session and include some verification code to ensure that the MD5 was not manipulated.
Is there a solution for this if we want to write the entire game using only Javascript? Are there any other issues other than the 2 described?
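One way to handle both problems raised above, as an added example that is not part of the original post: keep the number on a Node.js server, score every guess there, and give the browser only a salted commitment that it can check once the game ends. The function names, the in-memory session map and the rule that the secret has four distinct digits are assumptions of this example.

```javascript
const crypto = require('node:crypto');

const games = new Map(); // sessionId -> { secret, salt, guesses }, server-side only

// Assumption: a secret is 4 distinct digits, drawn with a CSPRNG instead of Math.random().
function newSecret() {
  const digits = '0123456789'.split('');
  let secret = '';
  for (let i = 0; i < 4; i++) {
    secret += digits.splice(crypto.randomInt(digits.length), 1)[0];
  }
  return secret;
}

// Salted commitment: a bare MD5 of a 4-digit value can be matched by hashing every candidate; a secret 32-byte salt prevents that.
function commit(secret, salt) {
  return crypto.createHmac('sha256', salt).update(secret).digest('hex');
}

function startGame() {
  const sessionId = crypto.randomBytes(16).toString('hex');
  const secret = newSecret();
  const salt = crypto.randomBytes(32);
  games.set(sessionId, { secret, salt, guesses: 0 });
  return { sessionId, commitment: commit(secret, salt) }; // all the browser receives
}

// Bulls: right digit, right place. Cows: right digit, wrong place.
function score(secret, guess) {
  let bulls = 0, cows = 0;
  for (let i = 0; i < 4; i++) {
    if (guess[i] === secret[i]) bulls++;
    else if (secret.includes(guess[i])) cows++;
  }
  return { bulls, cows };
}

function submitGuess(sessionId, guess) {
  const game = games.get(sessionId);
  if (!game) throw new Error('unknown session');
  if (!/^\d{4}$/.test(guess) || new Set(guess).size !== 4) throw new Error('invalid guess');
  game.guesses++;
  const result = { ...score(game.secret, guess), guesses: game.guesses };
  if (result.bulls === 4) { // game over: reveal so the player can recompute the commitment
    Object.assign(result, { secret: game.secret, salt: game.salt.toString('hex') });
    games.delete(sessionId);
  }
  return result;
}
```

Because scoring uses only the server's copy of the secret, overwriting the commitment in the browser console changes nothing about the result; the commitment exists so the player can confirm afterwards that the server did not swap the number mid-game.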