Online test timer: server side or client side? Why and how

I am planning to design an online test website to allow users to take tests. The test should be completed within a given time, for example 30 min, and there may be over 100 users taking the test at the same time. A timer has to be used to control the time. I would like to know the best way to do it. To my knowledge the timer can be either on the client side (using JavaScript) or on the server side (using server-side VBScript). Could you tell me which one is best for my situation and how to do it?


If you want to reduce the risk of tampering, you should manage the timing on the server.

Not being a cracker, I couldn't tell you how the integrity of the timer could be compromised, but I've no doubt that if you give client systems control of it, someone, somewhere will try to give themselves unlimited time to complete the tests ;-)

I couldn't tell you how to do it with VBScript.

Do both

Testing the time on the client side is simply the easiest; that way it is also possible to tell the user that his time is up.
Setting an additional timer on the server helps to check if there was tampering with the client-side timer.

I would set the client-side timer to 30 minutes (starting when the page loads; automatically send the data to the server when time is up or when the user is done).
And set the server timer to 31 minutes; then the user has 60 seconds to load the page and return the values to the server. If it is more, you may detect something is wrong.
You could also store after what amount of time the test was returned (i.e. 20 minutes; 30 minutes; 31 minutes; 40 minutes).
Then you can see for yourself (manually) which ones have been tampered with (where 31 minutes is probably OK, but 40 minutes is definitely wrong!).

longmatch (Author) Commented:
Dear DoppyNL:
How do you think the client can change the timer if the timer is set on the client using JavaScript? Another question is how to terminate the test if the server timer is up? I understand that the server cannot do anything without the user's request. If the server timer is set, then we need to make page requests to check the time on the server during the test. But my test questions will be sent to users only once; there is no interaction between user and server until the form is submitted (either the user hits the SUBMIT button or the timer is up). If the server time is used then I need to create a timer table to record all the users' start times, is that right? Please share your code with me. Thanks.


The client timer can't be adjusted manually, but it is possible to disable JavaScript or construct a new HTML page and post it to the same page as the page you sent to the user.
Thus it is not 100% safe; smart users may do something nasty.

By recording the send time (time when the form was sent to the user) and receipt time (time the form was received again by the server) you can determine if it was on time or not, without the client user being able to do anything about it!
A simple check to see if the user did something with the JavaScript or not.

You can't terminate the test when the server determines the time is up, but the server does know that the results came in late! So you can respond to late replies.
JavaScript can terminate the test when the time is up, but that is not a 100% safe solution, as stated before.
Thus an extra check can help.

longmatch (Author) Commented:
I came across an idea after surfing on the net. I would like to use an invisible frame (IF) in my test page; the form in the IF page will be automatically submitted to the server at a given interval (15 seconds for example) to check the timer on the server. The form in the test page will be automatically submitted when the invisible frame gives me the answer that the time is up. What do you think?

Hi longmatch,

  As DoppyNL implied, the user can download your page, take your test while offline, go back online, call up a new page, and then submit the finished page.  An invisible frame would make no difference.

  If you do not want to use a server timer, you can assign each page a unique ID -- based on the server date/time and a random number.  If that ID is submitted after X minutes, it is invalid.  
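
The checks suggested in this thread (a server-recorded send time and receipt time with a 31-minute limit, and a unique ID per issued page) can be combined as below. This is an added example, not code posted by any participant; it is server-side JavaScript for Node.js, and the names `issueTest`, `receiveTest`, `issued` and `reviewLog`, the in-memory `Map` standing in for a database table, and the purely random ID are assumptions.

```javascript
const crypto = require("crypto");

const TEST_MS = 30 * 60 * 1000; // limit the client-side timer shows the user
const GRACE_MS = 60 * 1000;     // allowance for page load and the return trip

// Stand-in for the "timer table": test ID -> who got the page and when it was sent.
const issued = new Map();
// Elapsed time of every returned test, kept for manual review.
const reviewLog = [];

// Call when the test page is sent; the ID goes into a hidden form field.
function issueTest(userId, now = Date.now()) {
  const testId = crypto.randomBytes(16).toString("hex"); // unguessable ID
  issued.set(testId, { userId, sentAt: now });
  return testId;
}

// Call when the form comes back. Only the server clock is consulted,
// so a disabled or rewritten client timer cannot change the result.
function receiveTest(userId, testId, now = Date.now()) {
  const row = issued.get(testId);
  if (!row) return { accepted: false, reason: "unknown-or-reused-id" };
  if (row.userId !== userId) return { accepted: false, reason: "wrong-user" };
  issued.delete(testId); // one submission per issued page
  const elapsedMs = now - row.sentAt;
  const late = elapsedMs > TEST_MS + GRACE_MS;
  reviewLog.push({ userId, elapsedMin: Math.round(elapsedMs / 60000), late });
  return late
    ? { accepted: false, reason: "late", elapsedMs }
    : { accepted: true, elapsedMs };
}

// Constructed timeline: three pages sent at t0, returned after 20, 31 and 40 minutes.
function demo() {
  const t0 = 1700000000000;
  const min = 60 * 1000;
  const ids = ["alice", "bob", "carol"].map((u) => issueTest(u, t0));
  return [
    receiveTest("alice", ids[0], t0 + 20 * min),
    receiveTest("bob", ids[1], t0 + 31 * min),
    receiveTest("carol", ids[2], t0 + 40 * min),
    receiveTest("alice", ids[0], t0 + 21 * min), // same ID posted a second time
  ];
}

console.log(demo());
```

The client-side countdown can still auto-submit at 30 minutes for the user's convenience; the server's comparison of its own two timestamps is what decides whether the result counts.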

longmatch (Author) Commented:
I put all the questions in a JavaScript array generated from the backend database. Therefore there is only one page during the test. I will have a server timer saved into the database when users request the test page. The programming in the IF will check the server timer against the current time on the server every fifteen seconds. Once the timer is up, the test form will be automatically submitted. Not sure why my strategy will not work. If the user downloads the test page and takes it offline, the server will not accept his data.

Any other thought?

Hi lm,

how vital is this test? that is, how much do you really care if the user cheats? if either answer includes the word 'very', the server will not know if the returned page is or is not the page requested without an ID. (eg, I could rewrite the first page I request so that the second time I access your site, all subsequent pages are rendered in an iframe; then I could wait 20 minutes and submit the main window (page1) form -- if people can crack Microsoft code, I have no doubt they can handle a simple javascript form.)

if the test is not that vital and you are comfortable with X number of cheats, your solution is fine.
