To my knowledge there are two problems.
- Memory hacking - Players can alter the value of gold, for example.
- SWF decompilation - Allows hackers to edit your game code.
To solve the first problem, most of the game logic will be controlled by the server. Therefore, if someone gains 25 gold, the server already knows about it. They won't be able to say "I just got 9999 gold" because the server doesn't care. It handles how much gold you get without being told.
To solve the second problem, there are code obfuscators, but they aren't a 100% guarantee.
So I have a different concept that I'd like to suggest:
What if you use PHP to generate a secret key based on a password and the current time? This secret key is passed to the SFS server AND the client (as a param). It is uniquely created every time the game page is loaded.
When the user logs in, the secret key from the client is sent to the SFS server, and compared with the server's own secret keys. If there is a match, we know that the client was loaded from the original server, and therefore it should be the original client.
If a player were to tamper with the client, they would be hosting it from their own server, and therefore wouldn't receive a legitimate key from MY server. So when it comes time to log in, the secret key cannot be sent, and would of course prevent the player from logging in.
Can anyone poke holes in this theory?
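The exchange proposed above, written out as an added example that is not part of the original post and not SmartFoxServer or PHP code: one stand-in for the PHP page that mints a key per page load, one stand-in for the SFS server that stores the keys it was told about, and a client that presents its key at login. The post says the key is derived from a password and the current time; this example uses an HMAC over the time plus a random nonce (assumption, so two page loads in the same second get different keys), gives each key a lifetime and makes it single-use (also assumptions, not in the post), and compares keys in constant time. All names (`PageServer`, `SfsServer`, `make_secret_key`, the password) are made up for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed configuration. Assumption: the PHP page generator and the SFS
# server share this password; the client never sees it, only a derived key.
SERVER_PASSWORD = b"constructed-example-password"
KEY_LIFETIME_SECONDS = 60          # assumed lifetime of an issued key


class ManualClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: int):
        self.now = start

    def __call__(self) -> int:
        return self.now


def make_secret_key(password: bytes, issued_at: int, nonce: bytes) -> str:
    """Per-page-load key: HMAC-SHA256(password, time || nonce).
    The nonce is an assumption on top of the post's 'password + time'."""
    msg = str(issued_at).encode() + b"|" + nonce
    return hmac.new(password, msg, hashlib.sha256).hexdigest()


class SfsServer:
    """Stand-in for the SFS side: remembers keys the page server registered
    and accepts a login only for a registered, unexpired, unused key."""
    def __init__(self, clock):
        self.clock = clock
        self.issued = {}           # key -> issue time

    def register_key(self, key: str, issued_at: int) -> None:
        self.issued[key] = issued_at

    def login(self, username: str, presented_key: str) -> bool:
        if not isinstance(presented_key, str) or not presented_key.isascii():
            return False
        now = self.clock()
        for key in list(self.issued):
            if now - self.issued[key] > KEY_LIFETIME_SECONDS:
                del self.issued[key]            # expired, drop it
                continue
            if hmac.compare_digest(key, presented_key):
                del self.issued[key]            # single use (assumption)
                return True
        return False


class PageServer:
    """Stand-in for the PHP page: each load mints a key, hands it to the SFS
    server, and returns it to the client as the page param."""
    def __init__(self, sfs: SfsServer, clock):
        self.sfs = sfs
        self.clock = clock

    def load_page(self) -> dict:
        issued_at = self.clock()
        key = make_secret_key(SERVER_PASSWORD, issued_at, secrets.token_bytes(16))
        self.sfs.register_key(key, issued_at)
        return {"secretKey": key}        # what the SWF receives as a param


def run_exchange() -> dict:
    """Walk through the cases and return the outcome of each login."""
    clock = ManualClock(1_000_000)
    sfs = SfsServer(clock)
    page = PageServer(sfs, clock)

    params = page.load_page()               # legitimate page load
    results = {
        "fresh_key": sfs.login("alice", params["secretKey"]),
        "reused_key": sfs.login("alice", params["secretKey"]),
        "unregistered_key": sfs.login("mallory", "0" * 64),
    }
    later = page.load_page()
    clock.now += KEY_LIFETIME_SECONDS + 1   # let the key expire
    results["expired_key"] = sfs.login("bob", later["secretKey"])
    return results


if __name__ == "__main__":
    print(run_exchange())
```

What `login()` decides is whether the presented key is one the page server registered, within its lifetime and not yet used; that is the whole check, applied identically to whatever process sends the key.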