With all of the hot discussion about exploits, I want to propose a system that would let us have 100% secured player movement, just like in other games like Fortnite, Overwatch, Cs:GO, COD etc.
To do this, we need complete control of the flow of the simulation of humanoids and physics.
My proposal is that we get given the tools to be able to pause the physics simulation, and be able to move the simulation along manually by calling :Step() on it to wind it forwards the standard 4 milliseconds, and be able to do that as many times in a frame as we require (even if it’s expensive).
This would also require that any Humanoids inside of the simulation process their logic each :Step() as well.
A proposed usage of this system would be as follows:
The server owns all of the players humanoids (or other controllers), with the server having full network ownership of these objects.
Each client has a locally cloned copy of only their character
Each frame on the client (heartbeat), the client winds their local simulation forward 1 :Step(), making their humanoid or controller move forward based on user input. This input would also be sent to the server.
The server would apply this same input to its own authoritative player controller, and call 1 :Step() itself. This would all be replicated to all players as per usual, as the actual authoritative state of the world.
The tricky bit: If the client disagrees with the server about where things should be, the client has to “roll back” to where the server says things were, and then quickly “resimulate” to catch up to where it was, by replaying the remaining unconfirmed inputs. This is the piece that requires us to be able to fast forward the physics simulation with :Step() multiple times on a single frame.
If it all works correctly, players can move around freely and responsively, but all movement belongs to the server and is server authoritative.
(I am glossing over a lot of details here, but this is the core of the algorithm)
Conclusion
If we had this, we would be able to implement completely secured player movement inside of roblox, even when using custom controllers or not even using humanoids. This would go a long way to address the vast majority of game ruining hacks present on the platform.
I thought about this a while before and I think this is a very plausible feature. Exploits revolve around the player (most of the time) and making the server authoritative of the character dissolves many prominent exploits (hitboxes, teleportation, tools, etc.).
Server-sided characters would be a great extra layer of protection, especially for games that don’t revolve around moving collidable objects (so it won’t cause any disagreements).
I would like to bump this again to express interest in this feature. It’s great that we’ve now got pausing physics in studio, and I’d love for this to be added too.
You can already do that. It’s not pretty when the server controls everything because without any client prediction, the movement is very much like gaming was in the 90s where there is a lot of delay in inputs and movement. It solves the exploit issue you mentioned with players cheating movement, teleports, etc., but makes for a terrible gaming experience for everyone else not cheating.
This looks like this is a planned, upcoming feature, as they recently released the ability to pause physics in studio, along with the inclusion of a new method under the WorldRoot class, StepPhysics. Looks like it’s not able to be called in the local or server scope yet.