java, netty, theory, artemis

How to prevent game-client from sending fake player ID?


I am writing a game client/server. I use Artemis-odb and Netty to handle entities and networking. Each registered player is assigned an auto-increment ID from the database. This ID is associated with every client/server event.

I want to prevent the client from easy ID spoofing to stop account hijacking. In theory, what is the best practice to prevent this?

The game/client does not use UUID, but could if this is the best option.

Thank you!


Solution

  • The player ID should be associated with the network connection context for that player (the socket if you're using TCP or the IP:PORT pair if UDP) on the server.

    The client should never need to send the ID back to the server, since the server should know what the ID is. As long as the server can associate incoming network packets with the player's context, there's no practical risk of spoofing, although I think the risk could be a bit higher with UDP. But again, a practical exploit would be unlikely as long as you include sequence numbers with the packets.

    I know of no major network games that actually use full UUIDs as player identifiers in client-server protocols.
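The pattern the answer describes, binding the player ID to the server-side connection so that no game packet ever carries it, looks like this in Netty. This is an added illustration, not code from the question or the answer: the `TOKEN_TO_PLAYER` map stands in for whatever credential check the real server performs against the database, the one-byte opcodes and the packet layout are invented for the demo, and `EmbeddedChannel` is used so the pipeline runs in-process without opening a socket.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.util.AttributeKey;
import io.netty.util.CharsetUtil;
import java.util.Map;

/** Player ID lives on the server-side Channel; the client never sends it. */
public final class PlayerSessionDemo {

    /** Channel attribute holding the authenticated player's DB id; unset until login succeeds. */
    static final AttributeKey<Long> PLAYER_ID = AttributeKey.valueOf("playerId");

    // Constructed stand-in for the real credential check (hypothetical): maps a login
    // token to the database id. A real server would verify a password or session token.
    static final Map<String, Long> TOKEN_TO_PLAYER = Map.of("tok-alice", 42L, "tok-bob", 43L);

    static final byte OP_LOGIN = 1;   // invented opcode: login packet
    static final byte OP_MOVE  = 2;   // invented opcode: movement packet

    /** First message on a new connection must be a login; it binds the player id to the channel. */
    static final class LoginHandler extends SimpleChannelInboundHandler<ByteBuf> {
        @Override
        protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) {
            if (msg.readByte() != OP_LOGIN) {
                ctx.close();              // anything before login is a protocol violation
                return;
            }
            String token = msg.readCharSequence(msg.readableBytes(), CharsetUtil.UTF_8).toString();
            Long playerId = TOKEN_TO_PLAYER.get(token);
            if (playerId == null) {
                ctx.close();              // unknown credential: drop the connection
                return;
            }
            ctx.channel().attr(PLAYER_ID).set(playerId);
            // Login is done once: remove this handler so a later packet cannot re-bind the id.
            ctx.pipeline().remove(this);
        }
    }

    /** Game packets: the acting player is whoever owns this channel, never a field in the packet. */
    static final class GameHandler extends SimpleChannelInboundHandler<ByteBuf> {
        @Override
        protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) {
            Long playerId = ctx.channel().attr(PLAYER_ID).get();
            if (playerId == null) {       // unauthenticated channel: drop it
                ctx.close();
                return;
            }
            if (msg.readByte() == OP_MOVE) {
                int x = msg.readInt();
                int y = msg.readInt();
                // Reply with the server-side id so the demo shows who the server thinks moved.
                ctx.writeAndFlush(Unpooled.copiedBuffer(
                        "player " + playerId + " moved to " + x + "," + y, CharsetUtil.UTF_8));
            }
        }
    }

    /** Builds a login packet: opcode followed by the token bytes. */
    static ByteBuf login(String token) {
        ByteBuf b = Unpooled.buffer();
        b.writeByte(OP_LOGIN);
        b.writeCharSequence(token, CharsetUtil.UTF_8);
        return b;
    }

    /** Builds a move packet: opcode, x, y. Note there is no player-id field at all. */
    static ByteBuf move(int x, int y) {
        ByteBuf b = Unpooled.buffer();
        b.writeByte(OP_MOVE);
        b.writeInt(x);
        b.writeInt(y);
        return b;
    }

    public static void main(String[] args) {
        // EmbeddedChannel drives the pipeline in-process, so no sockets are needed.
        EmbeddedChannel alice = new EmbeddedChannel(new LoginHandler(), new GameHandler());
        alice.writeInbound(login("tok-alice"));
        alice.writeInbound(move(10, 20));
        ByteBuf reply = alice.readOutbound();
        System.out.println(reply.toString(CharsetUtil.UTF_8));

        // A connection that skips login is closed on its first game packet.
        EmbeddedChannel stranger = new EmbeddedChannel(new LoginHandler(), new GameHandler());
        stranger.writeInbound(move(1, 1));
        System.out.println("stranger still open: " + stranger.isOpen());
    }
}
```

Run it with netty-all on the classpath. The point to take away is in `GameHandler`: the handler reads the id from `ctx.channel().attr(PLAYER_ID)` and the move packet has no id field, so there is nothing for a modified client to tamper with. Removing `LoginHandler` from the pipeline after a successful login closes the other obvious hole, a second login packet that tries to re-bind the channel to someone else's id. With TCP the channel is the connection; with UDP you would key the same attribute map on the remote `IP:PORT` pair, which is the weaker association the answer alludes to.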