While we all wish that the server could run every line of code to prevent client hacking, this sadly cannot be the case.
I have been thinking about how to approach client/server interaction protection to prevent cheating in my game.
There are however a few questions I would like to ask regarding this topic:
- What is the general rule of thumb for what/how the server should check? (namely what variety of things should the server check, and should the server check by actually running such processes or by checking the values the client is generating?
- How can a player hack my client? I am confused about this. Can a user specifically go into the client code and tell the client to drop rare items from every object? Can the user directly alter my code or just inject false code snippets?
- What is the best way to maximize security while minimizing/eliminating cheating/hacking
1. for a very good security server do all the physics and check every input packet
From what I heard running physics on the server is very bad idea unless you have a small amount of players or a lot of money.
As far as security goes, it depends on what you can afford, if you have a lot of processing power you can afford to do more checks, otherwise you could trust the players not to cheat and only counter the biggest cheating attempts.
2. How can a player hack my client? I am confused about this. Can a user specifically go into the client code and tell the client to drop rare items from every object? Can the user directly alter my code or just inject false code snippets?
Assuming the strongest hacker in the world is assigned to hacking your game, pretend like he has the source code for your game and can edit it as he wishes.
There are game extensions though, like PunkBuster which try to circumvent hackers from modifying your game client's memory. I don't know how well they work though, but it seems many games use them.
For most indie and free games I wouldn't recommend worrying about security, it's a waste of effort until the game becomes popular where the danger of hacking becomes real.
Depends, if you want to create a mmorpg use clientside players, and nearly no physic and a dumb server, that mostly relays data them only, however still DO health and attack ect stuff on the server, cause it's just to easy to cheat else (WOW uses this system).
If you wan tot create a FPS game make everything serverside (CSS works that way, ut, quake, battlefield)
If it is mixed, then you have the problem to choose wich is the better one.
I was once programming with L2J (Lineage2 Java open-source server), and I have seen how these things are done there. Lineage2 as someone might know is MMORPG, so there is no physics on server, there is only geodata and pathfinding on server (so that each player is checked on move). Also each incoming packet is checked if its data corresponds with data on server and if it can be used in particular moment.
Hopefully it helps a little.
kinda as i said ^^, then,
l2 nearly destroyed one school year for me ^^