Getting correct time online?

Solar2D General Questions/Discussion
#1

I want to integrate a secure check for a game which should check the actual time online. For example:

A player can get a gift inside the game each day. To avoid players jumping days on their device by changing the date I want to cross check the actual date online.

Now I wonder if there is some secure best practice how this can be done?

This also is interesting for games where players can “jump” forward for some hours to collect bonuses inside the game and then the game has to catch up with the “jump” time. All this kind of features require a secure online check for the actual time and I wonder how this can be done?

#2

I usually implement that in the following way:

  1. Mark down the epoch time when the last gift was given.

  2. Check locally if the allocated amount of time has passed.

  3. If yes, then check from my own server using a simple PHP script if enough time has indeed passed.

  4. If no, then I know that the user has tampered with their OS time and I can just ignore the request.

  5. If yes, then give the reward and repeat the process.

#3

Thanks for the info!

Can you give a little example on how such a php script can look like?

#4

another alternative, found by googling for “rest get time call”

https://stackoverflow.com/questions/13240530/free-rest-api-to-retrieve-current-datetime-as-string-timezone-irrelevant

#5

Well, what the script would ultimately look like is entirely all up to you. The simplest you could get away with would be:

\<?php date\_default\_timezone\_set("UTC"); echo time(); ?\>

All that this does is set the time to UTC and then output it. You’d be able to get the time from Corona using:

local function networkListener( event ) if ( event.isError ) then print( "Network error: ", event.response ) else print ( "RESPONSE: " .. event.response ) end end network.request( "https://www.yourwebsite.com/getTime.php", "GET", networkListener )

Now, this is a very simplified example and you’d perhaps want to make the script only accept requests that come from your apps. There are a number of ways that you could do this, such as including a password check in the script before providing the time, etc. 

#6

A while ago I put a worldtime feature into Puggle because someone asked a similar question - https://gitlab.com/grahamranson/Puggle/blob/master/systems/worldtime.lua

require( "puggle.core" ) local onComplete = function( time ) print( os.date( "%x", time.unix ) ) end puggle.worldtime:now( onComplete )

This also allows you to check info on past/future dates like this:

require( "puggle.core" ) local onComplete = function( time ) print( time.isDayLightSavingsTime ) end puggle.worldtime:get( onComplete, "gmt", "2004-06-12" )
#7

I find it intriguing that someone set up a service like http://worldclockapi.com/.

It’s great, but odd. @GrahamRanson, do you know whose service that is and what are they getting out of it? They don’t seem to have any authentication, meaning that a popular enough game could make millions of requests to it per day, for free. That service just seems too good to be true and I just can’t believe that it wouldn’t have some trick or limitation to it. :smiley:

#8

the worldtime.lua will crash if in android someone press the back button while it’s making the network.request

the code doesn’t have any protection from that.

if you have access to a server, just do it yourself. it’s level 0 programming skills.

please remember that a server approach obligates the app to be online when giving an gift.

you need to make code also for the gift when player is playing offline when he should receive it and it could not verify.

Also your server could be offline while checking it.

There is another way, and offline. Just don’t give gifts based on time. Give them on goals. :slight_smile:

If you want to give a bonus for example for a limited time, for that you just need to check for the past, not the future. you can do that offline with no problems. If they change the time to the future It works against the cheater, if they  go back in time you just compare to the time you save…

#9

I usually implement that in the following way:

  1. Mark down the epoch time when the last gift was given.

  2. Check locally if the allocated amount of time has passed.

  3. If yes, then check from my own server using a simple PHP script if enough time has indeed passed.

  4. If no, then I know that the user has tampered with their OS time and I can just ignore the request.

  5. If yes, then give the reward and repeat the process.

#10

Thanks for the info!

Can you give a little example on how such a php script can look like?

#11

another alternative, found by googling for “rest get time call”

https://stackoverflow.com/questions/13240530/free-rest-api-to-retrieve-current-datetime-as-string-timezone-irrelevant

#12

Well, what the script would ultimately look like is entirely all up to you. The simplest you could get away with would be:

\<?php date\_default\_timezone\_set("UTC"); echo time(); ?\>

All that this does is set the time to UTC and then output it. You’d be able to get the time from Corona using:

local function networkListener( event ) if ( event.isError ) then print( "Network error: ", event.response ) else print ( "RESPONSE: " .. event.response ) end end network.request( "https://www.yourwebsite.com/getTime.php", "GET", networkListener )

Now, this is a very simplified example and you’d perhaps want to make the script only accept requests that come from your apps. There are a number of ways that you could do this, such as including a password check in the script before providing the time, etc. 

#13

A while ago I put a worldtime feature into Puggle because someone asked a similar question - https://gitlab.com/grahamranson/Puggle/blob/master/systems/worldtime.lua

require( "puggle.core" ) local onComplete = function( time ) print( os.date( "%x", time.unix ) ) end puggle.worldtime:now( onComplete )

This also allows you to check info on past/future dates like this:

require( "puggle.core" ) local onComplete = function( time ) print( time.isDayLightSavingsTime ) end puggle.worldtime:get( onComplete, "gmt", "2004-06-12" )
#14

I find it intriguing that someone set up a service like http://worldclockapi.com/.

It’s great, but odd. @GrahamRanson, do you know whose service that is and what are they getting out of it? They don’t seem to have any authentication, meaning that a popular enough game could make millions of requests to it per day, for free. That service just seems too good to be true and I just can’t believe that it wouldn’t have some trick or limitation to it. :smiley:

#15

the worldtime.lua will crash if in android someone press the back button while it’s making the network.request

the code doesn’t have any protection from that.

if you have access to a server, just do it yourself. it’s level 0 programming skills.

please remember that a server approach obligates the app to be online when giving an gift.

you need to make code also for the gift when player is playing offline when he should receive it and it could not verify.

Also your server could be offline while checking it.

There is another way, and offline. Just don’t give gifts based on time. Give them on goals. :slight_smile:

If you want to give a bonus for example for a limited time, for that you just need to check for the past, not the future. you can do that offline with no problems. If they change the time to the future It works against the cheater, if they  go back in time you just compare to the time you save…