koobas.hobune.stream
Validating User Actions on the Server
I am currently working on a networked first person shooter. I have created a server implementation that can synchronize player data. But while implementing a damage system, I realized that I almost simply sent a packet with
PLAYER DAMAGE [target id] [amount]
But that would likely be open for any player to save a list of IDs and inject that packet to damage every ID. Unfortunately the server is unable to know what the environment is like -- meaning it cannot check if there is something between the two players or likewise.
How would I keep this from being possible?
Here's an idea:
1-Once the player connects to the server, have the server to create a Communication Session Token. That token needs to be present on all client communications to be a valid call. If the token is not present, or is not equal to the one stored on the server, discard the communication.
2-Encrypt the data sent to client. Your messages do not look like having much info, so you could encrypt the data sent to your server. Here's an example of using TripleDes encryption.
http://forum.unity3d.com/threads/encryption-to-use-or-not-to-use.199843/
And an example of using Rijndael based encryption
http://stackoverflow.com/questions/10168240/encrypting-decrypting-a-string-in-c-sharp.
That way you could complicate the things for your users for sending communications to your server directly.
@spiceboy9994 I've thought about something like this, but what's stopping them from looking at the server source to find the decryption method, decrypt the outgoing packet, and then just inject their own packet?
How exactly do you think they can "look in the server"?, by "look in the server" I just think a RDP session, which is not possible with unity and unless you grant that access, the users cannot do that. Server code resides there, within compiled code... as dlls or other compiled elements. Those can be obfuscated as well. You cannot download the server code dll easily to check what code the server is executing. The only way they can hack to that method is send a lots of packages to "infer" the decryption method, but that takes time and its not easy to do that. Besides that, you're coding a game right? not a banking solution. I think adding extra security like https channels, transport security and all that kind of stuff, may be overwhel$$anonymous$$g just to prevent cheating. That's my humble opinion.
@spiceboy9994 I would compile the server code and just rely on encoded packets, but my goal is to have a fully modifiable server source.
sorry man... encryption, obfuscation and https chanel communication is absolutely not related with the "fully modifiable" feature on your code. The fully modifiable feature is kind of more related to a good architecture. What is your main backend program$$anonymous$$g skill?, .net?, php?, ruby?
