I am currently testing out a new system where everything is basically handled by the clients, as this makes things significantly smoother (which I have noticed) and reduces strain. I have also been told it is best to do hit detection client side if the projectile is client side and then just have the client send a remote to the server when it detects collision. I however do not know a secure way of doing sanity checks on the server. The projectiles travel in an arced fashion and so I cannot just do a raycast check and it is more or less an irregular arcing pattern (not really applying any fancy formulae here so I do not know how to predict the path the projectiles travel in). Getting just the magnitude of the explosion to check if it was possible to be hit is also not sufficient (in my own opinion) as it does not handle the event that a person teleports his projectiles right into other people’s faces. How would I put sanity checks that prevent this type of behavior on the server?
A good way of checking if a client-side detected collision is valid
Is there any way you can “model” the physics on the server to accurately detect hits?
Otherwise, there are a few sanity checks you could do if the projectile is not too slow. These could include checking the look vector of the client — was the player roughly facing the direction of the target/projectile trajectory when it was fired (or landed?) That shouldn’t be too latency dependent, because the server would receive the updated LookVector of the character at the same time for a request to fire, so it should be accurate. You could implement something like an “infringement budget” for this if it’s something like only 95% accurate (but I don’t know why it would be). Never kick players if they fail sanity checks (unless it’s something completely insane), just ignore requests. If the player can fire backwards, consider changing this mechanic if possible, or send the direction of the mouse (pretty lousy sanity check, but the more data you collect, the less convenient for someone malicious).
Otherwise, you could send more client-sided projectile information to the server to help make a predictive model. If it’s shooting a gun: things like the launch angle (you can sink the request entirely if the client somehow launches behind them — that’s not possible by a non-malicious client, unless your game allows that). If you collect more data and try to be as predictive as possible on the server, it’s a lot harder for a client to claim a hit out of the blue.
Checking distance could be valid too. What is the velocity of the projectile—can it really hit a target X studs away?
Again though, if you collect more data once the projectile is fired, it’s harder to fake. Each projectile could be tracked on the server using a unique ID.
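A server-side sketch of the checks suggested in this thread (unique projectile ID, facing check, reachable-distance check, infringement budget), added here as an example and not code from any poster. It assumes two hypothetical RemoteEvents named `FireProjectile` and `ProjectileHit` and made-up constants; the distance check relies on straight-line distance never exceeding arc length, so it needs no model of the arc.

```lua
-- Server Script (added example). Remote names and all constants are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local fireRemote = ReplicatedStorage:WaitForChild("FireProjectile") -- hypothetical RemoteEvent
local hitRemote = ReplicatedStorage:WaitForChild("ProjectileHit") -- hypothetical RemoteEvent

local MAX_SPEED = 120 -- studs/s, assumed upper bound on projectile speed anywhere on its arc
local MAX_LIFETIME = 5 -- seconds a projectile may exist (assumed)
local BLAST_RADIUS = 10 -- studs (assumed)
local SLACK = 1.25 -- tolerance for latency and replication lag
local BUDGET = 5 -- failed checks tolerated before requests are ignored
local shots, infractions = {}, {} -- shots[player][id] = { origin, firedAt }

local function fail(player)
	infractions[player] = (infractions[player] or 0) + 1
end

fireRemote.OnServerEvent:Connect(function(player, id, direction)
	local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
	if not root or (infractions[player] or 0) >= BUDGET then return end
	if typeof(id) ~= "string" or typeof(direction) ~= "Vector3" then return end
	local m = direction.Magnitude
	if not (m > 1e-3 and m < math.huge) then return end -- rejects zero, NaN and infinite vectors
	-- Facing check: silently drop launches aimed behind the character.
	if direction.Unit:Dot(root.CFrame.LookVector) < 0 then return fail(player) end
	shots[player] = shots[player] or {}
	-- Origin and time come from the server, never from the client.
	shots[player][id] = { origin = root.Position, firedAt = os.clock() }
	-- Expire unclaimed projectiles so the table cannot grow without bound.
	task.delay(MAX_LIFETIME, function() if shots[player] then shots[player][id] = nil end end)
end)

hitRemote.OnServerEvent:Connect(function(player, id, target)
	if (infractions[player] or 0) >= BUDGET then return end
	local shot = typeof(id) == "string" and shots[player] and shots[player][id]
	if not shot then return end -- no live fire request with this ID: ignore the claim
	shots[player][id] = nil -- each projectile can be claimed once
	local targetRoot = typeof(target) == "Instance" and target:FindFirstChild("HumanoidRootPart")
	local humanoid = targetRoot and target:FindFirstChildOfClass("Humanoid")
	if not humanoid then return end
	local elapsed = os.clock() - shot.firedAt
	-- Straight-line distance is a lower bound on arc length, so no path model is needed.
	local distance = (targetRoot.Position - shot.origin).Magnitude
	if distance > MAX_SPEED * elapsed * SLACK + BLAST_RADIUS then return fail(player) end
	humanoid:TakeDamage(25) -- assumed damage value
end)

Players.PlayerRemoving:Connect(function(player)
	shots[player], infractions[player] = nil, nil
end)
```

A hit claimed immediately after firing at a distant target fails the distance check, which covers the "teleported projectile" case from the question; failed checks are ignored rather than punished, as suggested above.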