Solved

online test timer: server side or client side? why and how

Posted on 2003-11-16
8
516 Views
Last Modified: 2010-04-06
I am planning to design a online test website to allow user take test. The test should be completed within a given time, for example 30 min, there may be over 100 users taking test at the same time. The timer has to be used to control the time. I would like to know the best way to do it. To my knowledge the timer can be either on the client side (using javascript) or server side (using server side vbscript). Could you tell me which one is best for my situation and how to do it?

LM
0
Comment
Question by:longmatch
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 15

Expert Comment

by:jimmack
Comment Utility
If you want to reduce the risk of tampering, you should manage the timing on the server.

Not being a cracker, I couldn't tell you how the integrity of the timer could be compromised, but I've no doubt that if you give client systems control of it, someone, somewhere will try to give themselves unlimited time to complete the tests ;-)

I couldn't tell you how to do it with vbscript.
0
 
LVL 6

Expert Comment

by:DoppyNL
Comment Utility
Do both

testing the time on the client side is simply the most easy; that way it is also possible to tell the user that his time is up.
Setting an additional timer on the server helps to check if there was tempering with the client side timer.

i would set the client side timer to 30 minutes (starting when page loads; automaticly send the data to the server when time is up or when user is done).
And set the server timer to 31 minutes; then the user has 60 seconds to load the page; and return the values to the server. if it is more you may detect something is wrong.
You could also store after what amount of time the test was returned (ie: 20 minutes; 30 minutes; 31 minutes; 40 minutes)
Then you can see for yourself (manually) wich one's have been tampered with. (where 31 minutes is probably OK, but 40 minutes is definatly wrong!)
0
 
LVL 1

Author Comment

by:longmatch
Comment Utility
Dear DrppyNL:
        How do you think the client can change the timer if the timer is set on the client using javascript? Another questioin is how to terminate the test if the server timer is up? I understand that the server can not do anything without user's request. If the server timer is set, then we need to make page request to check the time on the server during the test. but my test question will be sent to users only once, there is no interaction between user and server until the form is submitted (either user hit the SUBMIT button or timer is up). If the server time is used then I need to create a timer table to record all the users' start time, is that right?  Please share your code with me. thanks.


LM
0
 
LVL 6

Accepted Solution

by:
DoppyNL earned 25 total points
Comment Utility
client timer can't be adjusted manually; but it is possible to disable javascript or construct a new html page and post it to the same page as the page you sent to the user.
Thus it is not 100% safe, smart users may do something nasty.

By recording the send-time (time when form was sended to the user) and receipt time (time form was received again by server) you can determine if it was on time or not, without the client user being able to do anything about it!
A simple check to see if the user did something with the javascript or not.

You can't terminate the test when the server determines the time is up, but the server does know that the results came in late! So you can respond to late reply's.
Javascript can terminate the test when the time is up; but that is not a 100% safe solution as stated before.
Thus an extra check can help.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 1

Author Comment

by:longmatch
Comment Utility
I came across an idea after surfing on the NET. I would like to use a invisible frame(IF) in my test page, the form in the IF page will be automatically submitted to the server at given interval (15 seconds for example) to check the timer in the server. The form is the test page will automatically submitted when the invisible frame give me answer that the time is up. How do you think?

LM
0
 
LVL 15

Expert Comment

by:VincentPuglia
Comment Utility
Hi longmatch,

  As DoppyNL implied, the user can download your page, take your test while offline, go back online, call up a new page, and then submit the finished page.  An invisible frame would make no difference.

  If you do not want to use a server timer, you can assign each page a unique ID -- based on the server date/time and a random number.  If that ID is submitted after X minutes, it is invalid.  

Vinny
0
 
LVL 1

Author Comment

by:longmatch
Comment Utility
I put all the questions in a javascript array generated from backend database. Therefore there is only a page during the test. I will have a server timer saved into database when users request the test page. The programming in IF will check the server time againt the current time on the server every fifteen seconds. Once the timer is up, the test form will be automatically submitted. Not sure why my strategy will not work. If the user downloads the test page and takes it offline, the server will not accept his data.

Any other thought?

lm
0
 
LVL 15

Expert Comment

by:VincentPuglia
Comment Utility
Hi lm,

how vital is this test?  that is, how much do you really care if the user cheats?  if either answer includes the word 'very',  the server will not know if the returned page is or is not the page requested without an ID. (eg, I could rewrite the first page I request so that the second time I access your site, all subsequent pages are rendered in an iframe; then I could wait 20 minutes and submit the main window (page1) form -- if people can crack Microsoft code, I have no doubt they can handle a simple javascript form.

if the test is not that vital and you are comfortable with X number of cheats, your solution is fine.

Vinny
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Article by: Matthew
I am a very big proponent of technology compliance standards and strive to meet such criteria in all of my work. That includes my site, which is 100% XHTML 1.0 compliant as determined by the World Wide Web Consortium. https://www.matthewstevenkel…
SASS allows you to treat your CSS code in a more OOP way. Let's have a look on how you can structure your code in order for it to be easily maintained and reused.
Viewers will learn about if statements in Java and their use The if statement: The condition required to create an if statement: Variations of if statements: An example using if statements:
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now