Here is the scenario:
A LocalScript fires a RemoteEvent, and sets a debounce for 10 seconds.
The RemoteEvent gets handled by a ServerScript, it does something, and then sets a debounce for 10 seconds.
Would both of these debounces line up, or is there a chance that the local debounce will be done earlier/later than the server debounce?
The debounce on the server will be delayed by however long it took for the signal to reach the server from the client. If a player is severely lagging then this will only increase that amount of time. Expect delays above 1 second.
The local debounce will, no matter what, finish before the server’s debounce in this case since there is that network threshold you have to cross.
How should I handle the debounce then?
I can't handle the debounce ONLY on the server, since I want a Gui to display how much time is left, and I can't really do the debounce ONLY on the client either, because exploiters can just spam the event.
You can use tick() to get the current unix timestamp with two decimal points which is quite accurate. You can send this value over to the server and calculate the end timestamp by taking the current timestamp and adding however many seconds the debounce is. Then for future requests, you can compare the current tick() to the end timestamp in order to determine whether the debounce has finished or not. Network delays do not affect tick() as it is the amount of seconds since Jan. 1st 1970.
Keep in mind: exploiters may send a timestamp that is lower than the current timestamp to avoid the server-side debounce. Implement checks for this but make sure to allow timestamps anywhere from 1.5 to 2 seconds lower to be accepted as to not accidentally reject requests from people with slower connections.
Yeah, plus they can just simply change the time on their PC and tick() will change, as it’s based on the date/time of the client. What happens if their clock is just 2.5 seconds off on their PC? Not everyone’s is perfectly in sync. Then you are invalidating real players, and breaking the game entirely for them. What if it’s 60 seconds off? They just can’t play your game?
You could make it a RemoteFunction, time how long it takes to finish then send that to the server but that shifts the problem elsewhere. Even if you set a custom NumberValue from the server that always has the tick(), you still can’t trust the client’s judgement.
A good exploiter could disable your code and send whatever they want whenever they want, with whatever values they want regardless of what you do.
The bottom line is, you cannot trust anything the client tells you, especially when it involves passing a cooldown timer or something to the server which is a solid recipe for messing up some people’s experience, and giving people the ability to abuse your combat, or whatever the cooldown is for.
That’s not a good idea imo.
Edit: tick() and os.time() are sometimes off by 5-15 seconds on the server-side as well. What do you do then?
He needs to set this cooldown on the server and send it to the client (in the form of seconds) for it to truly be secure, albeit inaccurate with the laggy folks.
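The server-side cooldown described in the last reply, as an added example that is not part of the original thread. The RemoteEvent name `AbilityEvent`, the helper names and the use of `os.clock()` as the server's elapsed-time source are assumptions; the `else` branch is a constructed offline check that runs in plain Lua.

```lua
-- Server Script: the cooldown is decided from the server's own clock only.
-- Nothing the client sends (timestamps, flags) is read or trusted.
local COOLDOWN = 10   -- seconds, as in the scenario above
local readyAt = {}    -- [player] = server clock value at which the cooldown ends

-- Returns true, COOLDOWN when the request is accepted,
-- or false, secondsRemaining while the player is still cooling down.
local function tryUse(player, now)
	local ends = readyAt[player]
	if ends and now < ends then
		return false, ends - now
	end
	readyAt[player] = now + COOLDOWN
	return true, COOLDOWN
end

-- Drop the entry when a player leaves so the table does not grow forever.
local function forget(player)
	readyAt[player] = nil
end

if game then
	-- Roblox wiring. "AbilityEvent" is an assumed RemoteEvent in ReplicatedStorage.
	local event = game:GetService("ReplicatedStorage"):WaitForChild("AbilityEvent")
	event.OnServerEvent:Connect(function(player) -- extra client arguments are ignored
		local ok, seconds = tryUse(player, os.clock())
		if ok then
			-- perform the guarded action here
		end
		-- Accepted or rejected, send back the seconds the Gui should count down.
		event:FireClient(player, ok, seconds)
	end)
	game:GetService("Players").PlayerRemoving:Connect(forget)
else
	-- Offline check with a constructed clock and a constructed player key.
	local p = "constructed-player"
	assert(tryUse(p, 100) == true)
	local ok, left = tryUse(p, 104)   -- event spammed 4 s later
	assert(ok == false and left == 6)
	assert(tryUse(p, 110) == true)    -- accepted once 10 s have passed on the server
	forget(p)
	assert(readyAt[p] == nil)
end
```

The client only displays the seconds it receives, so a lagging player's Gui can show the cooldown ending slightly late, but a spammed or modified client cannot shorten the server-side cooldown.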