Sign in to follow this  
Mortanis

Client/Server - how to ensure the right data gets to the right person

Recommended Posts

Lets say I've got a basic Client/Server game setup. I trust the Client with nothing - the Server does all the work and sends back the proper data for the Client to display. After the Client Logs in, though, how do I ensure that someone isn't spoofing another user's data? For example, in an MMO. Player A logs in, gets authenticated, and is tagged with a unique identifying ID. Player A opens their Bank. The Client sends the command to retrieve all bank items tagged with Player A's data. I can't very well pass the identifying ID - that could easily be spoofed. Even if it is encrypted - encryption can be broken. So that's not safe. I thought of filtering by IP. So, Player A logs in and gets authenticated. An entry is written to a Lookup Table containing their player's Unique ID (that relates to all their data), their sessionID (the unique number for tracking the player through the current session), and their IP address. This would still work with NAT, as while the IP's would be the same, the submitted sessionID would be different. And once the session is established, I just junk any requests for data of Session XXYYZZ that's not from the original IP address. But, it seems to me that it would be easy to spoof IP address as well. Now, in this case, a malicious user would have to know both A: a valid person's SessionID, and B: the IP address of the user that correlates to the SessionID. That narrows it down to a specific user: without the IP filtering, the malicious user could just spam possible SessionID's until they got a hit and go to town on the data. Is this a viable solution? Does this make sense? My main focus is web-based programming, so the dynamic nature of real-time network coding is something rather new to me.

Share this post


Link to post
Share on other sites
If someone spoofs a packet, looking like it comes from player A's IP address, saying "send me all items of player A," then you will reply with all A's items to player A. No divulging of secrets to others has happened, although it could be used as a DOS on A's network connection.

As Winterdyne said, session keys pretty much solve the problem of knowing who actually sent a message. Check out my game authentication article for how to design it into a game.

Share this post


Link to post
Share on other sites
Ah.... so when any request is made by any client, I return the data to the IP that was entered into my session lookup table when the user originally logged in and was authenticated, rather than the IP making the request. Perfect... such a simple answer, too.

You guys just made my day. Thanks!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this