user1000952

Generate same random number on both client and server in Meteor

Using Meteor, I need a method to generate the same random number on both the client and server, so I can get the benefits of the client method's latency compensation.

I noticed Meteor has a random package: http://docs.meteor.com/#random

I'm not familiar with random number generation or cryptography and I don't really understand some of the Meteor documentation for the Random package, so I have some questions.

  1. Can I use this package to achieve what I want?
  2. If yes, how do I use it to do that? If I use a seed on the client to generate the random number and then send that seed to the server to regenerate the same number, then isn't that implicitly an insecure way to do it... because the client can't be trusted?
  3. If no, is there another way to achieve this?

My problem definition in steps...

  1. CLIENT: Generate seed
  2. CLIENT: Generate random number from seed
  3. CLIENT: Send seed to server
  4. SERVER: Generate random number from seed
  5. Fail... client generated seed can be peeked at and is open to manipulation

The alternative:

  1. CLIENT: Ask server for random number
  2. SERVER: Generate random number
  3. SERVER: Send random number to client
  4. Fail... round trip means that you can't take advantage of Meteor's latency compensation

My app needs to repeatedly generate a lot of random numbers, so I'm trying to avoid all these round trips.

Upvotes: 2

Views: 2622

Answers (3)

Mário

Reputation: 1612

What you're trying to do is insecure by nature. If you want security, call the server and wait for a response. The randomiser algorithm is available and sending the seed to the client or to the server defeats this silly attempt at defence.

You should never trust data that comes from clients; always validate everything in an environment where you have complete control, like your server.

Upvotes: 1

Salketer

Reputation: 15711

It depends on what kind of thing you want to achieve. If we take the example of a slot machine in an MMO, what is done step by step is this:

  1. User clicks on the "Insert Coin" button
  2. Server receives a notification the user paid for one play, the result from the play is sent to client
  3. The client waits for the user to spin the machine and starts rolling
  4. The client shows the result it had received while waiting for user action + animation.

This has one side effect: the result can be known by the user before he even starts spinning the wheel, but after he paid for it.

The problem is that if the user has different options to choose AFTER the random number is picked, he could choose the option with the lowest cost if he finds the number to be a bad one. To remedy this, each random action needs to have its own number created.

You could see this schema detailed by a user who looked at sources of a game to find out he was "cheated" by the game: Zoot Loot is Not Random

In a flash game called clickerheroes, there are actions producing a random result. Since the game is saved once every couple of minutes, and is not backed by a server, the random numbers are generated in advance. This prevents the trick of saving, trying your luck, loading back, and retrying your luck, as the same random number comes back...

Although this does not exactly answer the OP, I hope it helps in the logic of providing trustworthy randoms to your users.

Upvotes: 1

Peppe L-G

Reputation: 8345

You can't seed (what you really want to do!) Math.random, and I don't think the Random package has support for it either. You could use seedrandom.js, and seed it with the same value on the server and the client.

Upvotes: 0
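The shared-seed idea from the last answer, with the seed issued by the server instead of the client, as an added example that is not code from any post on this page. It assumes a small seedable generator (mulberry32) standing in for seedrandom.js, and the function names `issueSeed`, `serverRoll` and `makeClient` are hypothetical.

```javascript
// Added example. mulberry32 stands in for seedrandom.js; all function names are hypothetical.
const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;

// Small seedable PRNG. Not cryptographically secure: whoever holds the seed
// can compute every future output.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const rollFrom = (rng, sides) => 1 + Math.floor(rng() * sides);

// SERVER: the seed is generated here, never accepted from the client.
const sessions = new Map(); // sessionId -> server-side generator
function issueSeed(sessionId) {
  const seed = webcrypto.getRandomValues(new Uint32Array(1))[0];
  sessions.set(sessionId, mulberry32(seed));
  return seed; // sent to the client once, e.g. at login
}

// SERVER: recompute the roll from its own generator state. The client's
// claimed value is only compared, never used.
function serverRoll(sessionId, sides, claimed) {
  const rng = sessions.get(sessionId);
  if (!rng) throw new Error('unknown session');
  const value = rollFrom(rng, sides);
  return { value, clientAgreed: claimed === value };
}

// CLIENT: same generator seeded with the server's seed, used for the optimistic UI.
function makeClient(seed) {
  const rng = mulberry32(seed);
  return { roll: (sides) => rollFrom(rng, sides) };
}

// Constructed run: four honest rolls, then a claim that does not match.
function demo() {
  const client = makeClient(issueSeed('session-1'));
  const results = [];
  for (let i = 0; i < 4; i++) results.push(serverRoll('session-1', 6, client.roll(6)));
  client.roll(6); // the client's real prediction, discarded in favour of a bogus claim
  results.push(serverRoll('session-1', 6, 7)); // 7 is impossible on a six-sided roll
  return results;
}
```

Because the client holds the seed, it can compute upcoming values before acting, which is the side effect the slot-machine answer describes. The pattern therefore only fits rolls where foreknowledge gives the user no advantage.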
