Spoof-proof Time in Javascript - javascript

I'm working on a web app which must measure the time user needs to do something. I can't simply use javascript time object, because the user may change system time to cheat and fool the app. I'd need some way to prevent this.

I would make the web app send heartbeats or any other form of signals back to the server side. Then you can construct some metrics like duration = end - start
Accounting for the round trip client-server communication, this isn't suitable for ms resolution measurements, obviously.
Note : It's not a good idea to just read the time from a "trusted" web service into your client side app, you can't really guarantee the app wouldn't temper with it. (One of cardinal rules in client side dealings, is to not trust its input, e.g. for validation, you still need server-side validation on top). However if you just send signals to the server, log its timestamp using the server's clock, you are a lot safer.

Calculate time on the server side.
The client user cannot futz with that (at least they should not be able to)

Then you have to do it on the server side. Everything that happens on the client is manipulable.
One way would be to do ajax calls and measure the time in php or other server sided scripts.

A lot of this depends upon what time measurement accuracy you need.
If you are measuring long times (a minute or longer) and just need accuracy to within a minute, then using an ajax call to fetch a remote server time is clearly a more foolproof way than any client-side clock measurements.
If you are trying to measure shorter times in under a minute, then you will need to use the local clock to achieve any sort of accuracy. For that, you can check if the local computer's clock has been messed with using the following type algorithm:
Send a remote request to a server to get the current time. This could be either a publicly available time resource or your own server.
Get the current time on the local computer.
Calculate the offset between those two times. What you are looking for is that there is no significant change in the offset.
Using local computer time, mark the start of the local operation
User does their operation.
Get current time on the local computer to mark the end of the local operation
Get remote time again.
Get the current time on the local computer
Calculate the offset between local and server time. Allowing for a small difference in the amount of time it took to retrieve the remote time, see if the difference is relatively the same as the previously calculated difference. If this difference is not the same, then the local clock has been messed with.
Note, because you can't instantaneously get the remote time (there is always an indeterminate delay time in retrieving it), there is an inherent inaccuracy here of a few seconds in verifying that the local clock has not been messed with. The inaccuracy is not in measuring the local operation, just in verifying that the local clock hasn't been messed with.
So ... this technique works best for detecting clock manipulations that are more than a few seconds, not smaller manipulations.

Related

What is the difference between admin.firestore.Timestamp.now() and admin.firestore.FieldValue.serverTimestamp()?

https://firebase.google.com/docs/reference/js/firebase.firestore.FieldValue.html#servertimestamp
https://firebase.google.com/docs/reference/js/firebase.firestore.Timestamp.html#now
I am not sure I understand the difference. Could someone explain this ?
That is: what difference would I obtain if I just used firebase.firestore.Timestamp.now() as a timestamp property of the object I am about to write instead of firebase.firestore.FieldValue.servertimestamp() ?
I would imagine there are some precision gains ? How much ? Or is it something else ?
Timestamp.now() generates the timestamp using the client machine's clock, which could be wrong, even drastically wrong.
FieldValue.serverTimestamp() encodes a token into the document field that gets translated into a timestamp using the clock on Google's servers whenever the write operation is received (not at the time it was issued from the client). The clock time on all Google services are meticulously guaranteed to be correct, no matter what a malicious user does.
If you absolutely need a correct time, especially one that needs to get checked by security rules using request.time, you should use the server timestamp. If you need the client's clock time, use Timestamp.now(). It's almost always the case that a server timestamp is preferred.

How to securely measure user's time

I want to measure the time it takes for a user to complete a task (answer a quiz). I want to measure it accurately, without the network lag. Meaning, if I measure on the server side the time between 2 requests, it won't be the real time it took the user, because the network time is factored in.
But on the other hand, if I measure in javascript and post the timestamps to the server, the user will be able to see the code, and cheat by sending false timestamps, no?
How can I get the timestamps in javascript and make sure the user doesn't fake it?
Generally in client side code, any question that starts off with "How to securely..." is answered with "Not possible". Nothing, not even putting variables in a closure (because I, the evil cheating user could just change the code on my end and send it back to you).
This is the kind of validation that should be performed server side, even with the disadvantage of network latency.
The trick here would be to measure the time using JavaScript, but also keep track of it using server-side code. That way, you can rely on the timestamps received by the client as long as you enforce a maximum difference between calculated times. I'd say a few seconds should be good enough. However, by doing so, you are creating an additional vector for failure.
Edit: A user could potentially tweak his or her time in their favor by up to the maximum enforced difference if they are able to take advantage of the (lack of) network lag.
I faced same problem while designing an online examination portal for my project.
I went for a hybrid approach.
Get time from server as user loads the page, and starts timer based on javascript. Record the start time in your database.
Let the timer run on client side for some time, say 30 seconds.
Refresh timer by making a AJAX call to server for timer reset as per the time that has passed already.
NOTE: try to use external javascript and obfuscate the code of timer to make guessing difficult.
This way you may not prevent user completely from modifying timer, but you can limit max possible error to 30s.

set javascript time to a specific timestamp

I need to get a uniform javascript time for all clients in our private server. So I want to set the javascript time of a client on initialization to the time of the server.
Right now I am thinking of setting a setInterval that will increment a variable that has a timestamp, but I think it would be too much to have a setInterval running in the back every n milisecond.
So is there a way for me to set the starting time of javascript? so every instance of new Date will be based on that, not the system time of the client?
A difference of 1-2 seconds from the server time is ok but if a difference of milliseconds is achievable then that would be better.
Any suggestions?
Have your server output it's current timestamp, and then calculate the difference between the client timestamp and server timestamp.
<script>
var serverEpoch = 1408602887; // written dynamically by the server
var epochDiff = Math.round(Date.now()/1000)-serverEpoch;
</script>
Now you have the difference between the server time and client time in seconds stored in epochDiff, which you can use for time calculations.
As I mentioned in my comment, this only works if your pages are generated constantly generated rather quickly. If the time can fluctuate (say between 5-2000ms), it would be a better idea getting the server time dynamically from a dedicated, fast script using XMLHttpRequest().

JavaScript: Stable method of updating connected clients variables

I have just stepped into the world of Web Development, and I am developing a small browser game that simply allows connected users to take control of an object (a triangle currently!), and simply move around the screen area.
Currently, I store the clients co-ordinate position in a MySQL database, and update that position using AJAX, roughly 30 times per second.
Other clients positions are also polled roughly 30 times per second.
My problem however, is that this seems to be causing an hour long IP lockout for the client, which I assume is automatically occurring on my Host's end. Would this perhaps be a normal default precautionary action? I was under the impression that 30 AJAX polls in a second was not a particularly stressful amount, however as I mentioned this is a new field for me. I'm fearful I've created some miniscule DOS attack!
If so, I would be grateful if someone with experience in this matter could point me to a more efficient method of handling the kind of interactivity I have described. This is all leading up to a six-month project I will be working on alone for my final year University project, so I'm more than happy to put the extra hours in to learn a better solution.
What you should do is known as "hybrid-polling". Basically you have a long running method server side which is running an "infinite" loop which runs once every 33ms (30 times per second). This loop will shoot data out to a part of your front end if the data has changed. When the data gets to be too large in the buffer for the method to handle, the method exits. The whole time your client is polling to see if new data was written. If the method exits, the client must restart the method. This is a hybrid approach, where the client polling is only checking client side data, except when the method exits, in which case the client must poll again to restart the server method, which then runs once every 33ms and pushes data out to the client.
Look up Comet (compatible with older browsers but not as efficient as possible), BOSH, or Web Sockets (ideal but not compatible with older browsers) for other approaches.

Live countdown clock with django and sql?

If I make a live countdown clock like ebay, how do I do this with django and sql? I'm assuming running a function in django or in sql over and over every second to check the time would be horribly inefficient.
Is this even a plausible strategy?
Or is this the way they do it:
When a page loads, it takes the end datetime from the server and runs a javascript countdown clock against it on the user machine?
If so, how do you do the countdown clock with javascript? And how would I be able to delete/move data once the time limit is over without a user page load? Or is it absolutely necessary for the user to load the page to check the time limit to create an efficient countdown clock?
I don't think this question has anything to do with SQL, really--except that you might retrieve an expiration time from SQL. What you really care about is just how to display the timeout real-time in the browser, right?
Obviously the easiest way is just to send a "seconds remaining" counter to the page, either on the initial load, or as part of an AJAX request, then use Javascript to display the timer, and update it every second with the current value. I would opt for using a "seconds remaining" counter rather than an "end datetime", because you can't trust a browser's clock to be set correctly--but you probably can trust it to count down seconds correctly.
If you don't trust Javascript, or the client's clock, to be accurate, you could periodically re-send the current "seconds remaining" value to the browser via AJAX. I wouldn't do this every second, maybe every 15 or 60 seconds at most.
As for deleting/moving data when the clock expires, you'll need to do all of that in Javascript.
I'm not 100% sure I answered all of your questions, but your questions seem a bit scattered anyway. If you need more clarification on the theory of operation, please ask.
I have also encountered the same problem a while ago.
First of all your problem is not related neither django nor sql. It is a general concept and it is not very easy to implement because of overhead in server.
One solution come into my mind is keeping start time of the process in the database.
When someone request you to see remaingn time, read it from database, subtract the current time and server that time and in your browser initialize your javascript function with that value and countdown like 15 sec. After that do the same operation with AJAX without waiting user's request.
However, there would be other implementations depending your application. If you explain your application in detail there could be other solutions.
For example, if you implement a questionnaire with limited time, then for every answer submit, you should pass the calculated javascript value for that second.

Categories