StormTheGates, posted January 29, 2007:

Hey all. I run a PHP Game and have been wracking my brain as to how to fix the newest exploit on it.

What the people are doing is opening 2 windows, going to the bank page and simultaneously pressing the Input button (or close to it).

What happens is that the input goes so fast their money essentially doubles and clones. They wind up with 2x in the bank while only losing what they put in. Any ideas as to how I could stop this?

rantsh, posted January 30, 2007:

Can you post the URL to your game's site?

deadonarrival, posted January 30, 2007:

I assume you have something to track users online? How about an iframe which auto refreshes every 60 seconds and merely updates the last online time... then when they try to log in, make sure their last online is over 120 seconds ago. That way they can't log in again.

There are other ways such as sticking session_destroy(); at the top of the page - but that wouldn't work if they use a separate browser. Can't hurt to put that in as well though!

Erm, other ideas... make a unique login number each time someone logs in: save it in their session data and also insert it into their user file when they log in. Each time they log in a new number is generated and inserted into the session and the database. When a page is opened - check to see if they match. If they don't then session_destroy(); and header("Location:index.php");

Jessica, posted January 30, 2007:

Idea! On page load, generate the timestamp and put it in an array in the session. Then on the processing page, check how many values are in there. This will tell you if they have more than one page open. If they do, don't process it. At the end of the processing, empty that array.

So on the bank page:

[code]
// Record one timestamp per load of the bank page
$times = isset($_SESSION['times']) ? $_SESSION['times'] : array();
$times[] = time();
$_SESSION['times'] = $times;
[/code]

On processing:

[code]
// More than one recorded page load means more than one bank page is open
if (count($_SESSION['times']) > 1) {
    // Too Many Pages!
} else {
    // okay!
}
[/code]

StormTheGates (Author), posted January 30, 2007:

My game is www.ny-mafia.com

Bank is down atm.

The problem I have encountered with sessions is that the sessions are shared between the browser windows. So if I set something as a variable on one, it is still in play on the other.

JasonLewis, posted January 30, 2007:

Why not just open the bank in a popup, so give the popup an id, through java. Then in JavaScript check if the popup is open already. I know it's not PHP, but it might work.

Jessica, posted January 30, 2007:

Out of curiosity, how did you find out the users were doing this?

StormTheGates (Author), posted January 30, 2007:

One of the users came forward and told me. Plus I keep bank logs. And I am trying to avoid JS usage because it can be turned off/seen/edited/not on and I don't want the retards that turn it off for some reason to not be able to use it.

JasonLewis, posted January 30, 2007:

Don't call them retards, that's a bit harsh. I still think JavaScript is the best bet, unless some other superpowerful PHP freaks here can think of something... Just put a note on the bank page, above the link to the popup bank, that JavaScript needs to be installed and enabled to use the bank. Simple. If they can't enable it, no bank for them. Not your fault. Their fault. lol.

StormTheGates (Author), posted February 7, 2007:

Alas then they will just make their own forms, and strip out all the stuff that has to do with JS, and then redirect the form to go to my bank page. :(

roopurt18, posted February 7, 2007:

I'd do the following:

1) First, change your login mechanism so that a user may be logged in once and only once. This will prevent them from using one window of IE and another of FF, which will then allow you to use $_SESSION to solve the problem.

2) You undoubtedly have a function that handles the form input. Modify the function like so:

[code]
// At the top of the function
if (isset($_SESSION['lock_bank'])) {
    return;
}
$_SESSION['lock_bank'] = true;

// Do the regular processing

// At the bottom of the function
unset($_SESSION['lock_bank']);
[/code]

I guess there is still a risk of two requests being handled at once, although I think it's a much, much smaller risk. The only other suggestion I could make is to switch the table to type InnoDB and use transactions.
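
The transaction approach suggested in the last post, next to the double credit it prevents, as an added example that is not part of the thread or the game's own code. The users(id, cash, bank) schema, the function names and the read-then-write pattern in racyWrite are assumptions, and SQLite in memory stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Assumed schema: users(id, cash, bank). On MySQL the table
// would need to be InnoDB for the transaction to take effect.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, cash INTEGER, bank INTEGER)');

function resetUser(PDO $pdo): void {
    $pdo->exec('DELETE FROM users');
    $pdo->exec('INSERT INTO users VALUES (1, 100, 0)'); // constructed sample row
}
function balances(PDO $pdo, int $id): array {
    $st = $pdo->prepare('SELECT cash, bank FROM users WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC);
}
// Racy pattern (assumed): new cash is computed in PHP from a value read earlier.
function racyWrite(PDO $pdo, int $id, array $seen, int $amount): void {
    $st = $pdo->prepare('UPDATE users SET cash = ?, bank = bank + ? WHERE id = ?');
    $st->execute([$seen['cash'] - $amount, $amount, $id]);
}
// Atomic version: the funds check and the move are one statement in a transaction.
function safeDeposit(PDO $pdo, int $id, int $amount): bool {
    if ($amount <= 0) return false;
    $pdo->beginTransaction();
    try {
        $st = $pdo->prepare(
            'UPDATE users SET cash = cash - ?, bank = bank + ? WHERE id = ? AND cash >= ?');
        $st->execute([$amount, $amount, $id, $amount]);
        $moved = $st->rowCount() === 1; // 0 rows: not enough cash left, nothing moved
        $pdo->commit();
        return $moved;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

resetUser($pdo);
$a = balances($pdo, 1); // request A reads cash
$b = balances($pdo, 1); // request B reads the same cash before A has written
racyWrite($pdo, 1, $a, 100);
racyWrite($pdo, 1, $b, 100); // bank is credited twice, cash is debited once
print_r(balances($pdo, 1));

resetUser($pdo);
var_dump(safeDeposit($pdo, 1, 100), safeDeposit($pdo, 1, 100)); // second call moves nothing
print_r(balances($pdo, 1));
```

Because the check lives in the UPDATE's WHERE clause, it does not depend on sessions, JavaScript or how many windows or browsers the user has open.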