securing a non-authorative server?

Hi all, I'm using Photon Server + Unity C# client to build a social multiplayer turn-based game. The server will be non-authorative (to fit my existing game architecture, as well for better scalability)

Any guidelines or rules for how to secure the non-authorative server? By secure I mean- anything to prevent people from spoofing or rigging the game just by connecting with a photon client and sending forged operation requests?

One idea I had was to include a SHA checksum in an authentication step before the gameplay starts. The checksum which is generated from some stuff like the device + user + salt.

That would hopefully make it rather inconvenient to spoof the custom operation requests. However, someone could still decompile the .NET code and learn what it's doing.

I am aware that non-authorative means that it cannot ever be 100% secure. But there must be different levels of openness?

Thanks

 

Check this out, it really works and non-auth servers are the reason I had to produce this tool:
http://u3d.as/content/ouse-games/secure-client/33Y
http://www.ousegames.com/secure-client/

And yes, nobody can stop hackers from decompiling your code. That's how life is...

 

OK thanks Bruno, that definitely looks useful. Photon also has an encryption layer. I'll use that for handshake and start of session, and then use your SC class for storing important variables, such as opponent state, or the player's score, then I think it will be extremely frustrating for the average ne're-do-well .