koobas.hobune.stream
Networking - Secure RPCs?
Whilst making my multi-user aspect of my game, I was wondering how to make a username and id system - this would be achieved by using RPCs. The system would work by adding a joining player to a list - which hooked up to a IEnumerator with a countdown, once the countdown has finished and the player still remains in the list the player gets kicked. Although the client sends an RPC to the server, which includes the clients data (username and id) - the message, when received - removes the player from the server's list. Now, my question is, can't the player just send a random username and id? This would pose a threat to the server system, as ban system would rely on this information (and it being correct). So, how could I prevent this?
You could use a random hashing method such as $$anonymous$$D5 to jumble up the username.
Then decrypt the username serverside.
I know I could do that, but then the user could jumble up a random username, causing no difference in security. I just want to know how to send a username from a client to the server without possibility of sending a false/random username.
Well, first of all network communication is never "secure". There are many ways of adding additional security to your game / application. The first one is, check the sender of the NetworkMessageInfo inside your RPC. You should store the NetworkPlayer along with the username and id on the server. Now you can determine who sent this RPC. However someone could of course manually implement a modified RakNet client and might be able to fake a certain sender. I'm not sure if that's possible since it depends on how RakNet identifies the sender (IP / uniqueID / ...)
The best bet here is to rely on secret data that is only known to the server and each individual client. So when a client joins your server, the client sends a random generated "key" / hash / GUID to the server. This information should NEVER be send to any other client. If you send this "key" along with your messages, the server can say for sure that the message comes from a certain client.
I'm not sure about your concern about a user sending a random username / id to the server. Data that is unknown or not verified should be discarded anyways ;) You can be even more aggressive and kick a player who sends clearly wrong information.
Ohh and it's always a good idea to randomly delay such a kick (1-10 sec) so a cracker has a hard time to figure out where and when he crossed the border.
