-1

I am writing a game client/server. I use Artemis-odb and Netty to handle entities and networking. Each registered player is assigned an auto increment ID from the database. This ID is associated with every client/server event.

I want to prevent the client from easy ID spoofing to stop account hijacking. In theory, what is the best practice to prevent this?

The game/client does not use UUID, but could if this is the best option.

Thank you!

  • 1
    Don't use only an ID to identify players? There are a lot of options, you can generate tokens, track the IP/MAC address of a player, ... – UnholySheep Apr 02 '17 at 19:09
  • Thank you! Those are excellent ideas I had not considered. I know this post may seem trivial to the individuals who downvoted me, but I am new to network programming and this information wasn't discussed in Netty documentation. It's too bad I am expected to be a pro at everything on this website and only ask extremely thought provoking questions. I hope those that thought this question was unworthy realize that at one time they were a beginner also. Sorry rant over. I do sincerely appreciate your help. It means a lot. – unenergizer Apr 02 '17 at 19:25

1 Answer

1

The player ID should be associated with the network connection context for that player (the socket if you're using TCP or the IP:PORT pair if UDP) on the server.

The client should never need to send the ID back to the server since the server should know what the ID is. As long as the server can associate incoming network packets with the player's context, there's no practical risk of spoofing, although I think the risk could be a bit higher with UDP. But again a practical exploit would be unlikely as long as you include sequence numbers with the packets.

I know of no major network games that actually use full UUIDs as player identifiers in client-server protocols.

Krum
  • Thank you! I am still learning and I have not found this information in the Netty documentation. I just know to never trust the client, which is why I thought to ask those with more experience than myself. Sincerely, thank you. – unenergizer Apr 02 '17 at 19:27
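
One way to bind the player ID to the connection in Netty, as the answer above describes (an added example, not code from the original post or from Netty's documentation). `Login`, `Move`, `AccountStore` and the `dispatcher` callback are hypothetical names, the login step is an assumption about how the server learns who the player is, and the code assumes Netty 4.1 over TCP and Java 16 or later.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.util.AttributeKey;
import java.util.function.BiConsumer;

// Hypothetical wire messages, already decoded by earlier pipeline handlers.
record Login(String username, String password) {}
record Move(int x, int y) {}   // deliberately has no playerId field

// Hypothetical lookup that maps credentials to the auto-increment database ID.
interface AccountStore {
    Integer authenticate(String username, String password); // null on failure
}

// Add one instance per connection in the ChannelInitializer.
public class PlayerSessionHandler extends SimpleChannelInboundHandler<Object> {
    // Stored on the server-side Channel object; never sent to or read from the client.
    static final AttributeKey<Integer> PLAYER_ID = AttributeKey.valueOf("playerId");

    private final AccountStore accounts;
    private final BiConsumer<Integer, Object> dispatcher; // receives (trusted ID, event)

    public PlayerSessionHandler(AccountStore accounts,
                                BiConsumer<Integer, Object> dispatcher) {
        this.accounts = accounts;
        this.dispatcher = dispatcher;
    }

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, Object msg) {
        Integer playerId = ctx.channel().attr(PLAYER_ID).get();

        if (msg instanceof Login login) {
            // A connection is bound to exactly one player; refuse to re-bind it.
            if (playerId != null) { ctx.close(); return; }
            Integer id = accounts.authenticate(login.username(), login.password());
            if (id == null) { ctx.close(); return; }
            ctx.channel().attr(PLAYER_ID).set(id);
            return;
        }

        // Any game event that arrives before a successful login is rejected.
        if (playerId == null) { ctx.close(); return; }

        // The ID attached to the event comes from the connection, so a client
        // cannot act as another player by changing bytes in its own packets.
        dispatcher.accept(playerId, msg);
    }
}
```

Game systems downstream of `dispatcher` only ever see the ID the server stored at login, so the protocol needs no player ID field in client-to-server messages at all.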