I have a simple game written in JavaScript and the HTML5 canvas tag. I am using AJAX which sends data to the server and updates the database accordingly. The problem I have is that, I am validating everything on the server side, the user simply sends the ID in the AJAX request and everything happens based on the ID.
This I am happy with, the problem I have is that, users can manipulate data to their liking and send bad data (e.g. send someone else's ID) and the server will deal with that. So what if say, I am on my account and I send the ID to the server as usual and everything is okay, now say someone knows my ID or I tell them and they send that down.
They can both send the ID at the same time and it will work, because the ID to do the task is valid, however two users shouldn't be sending the data to the server.
In my database I have a 'LoginSession' table, which stores the user id, the signed in date, the signed out date and the IP. So when a user has signed in, I have their IP stored.
So the way I intend to tackle this task is to basically, when they send the server the ID, I will check to see if their current IP is the IP they signed in with, if it's not, do stuff.
So to my actual question now, is this a good way to go about doing this? Can their IP change mid-session for any reason or can a user change their IP to match an existing IP? Everything is stored in the DB and everything is validated on the server side, the only problem I have is that basically, users can "multi-log" in and cheat to gain faster points.
You should create a hash when the game session begin, store it as a cookie and use that. It can be based on something like the timestamp and the users actual ID. You can then enforce this using the players IP address. If the hash does not match the IP, challange the user, maybe force the user to login again, or invalidate the old hash and create a new for the user. Making sure that you only have one player providing data for that user.
Also, I wouldn't trust the IP alone, as it can be spoofed, or changed. You also have to take into consideration that many players may share the same IP Address.
You can also retrieve basic details on the clients system (e.g. OS and Browser version) from the User-Agent. When you create the hash store those details along side the IP and anytime one of those details does not match, invalidate the hash. This would force the hacker to not only spoof the IP, but also spoof his browser (or have an identical setup to the client).