Is it good practice compare a client value to a server value to prevent cheating?

Vundeq · April 1, 2021, 2:31pm

Hey, ive recently made a module that compares two values, one sent by a client through a remoteevent, and the other the same value but from the servers perspective.

module.VerifyIntegrity = function(a,b,player)
	if a ~= b then
		player:Kick("Not the same.")
		return false
	else
		return true
	end
end

It essentially checks to see if a player has used a cheat to change a value on the client to gain an advantage, and if so it kicks them.

Is this good practice? And are there any situations where this would be deemed insufficient? Thanks.

XdJackyboiiXd21 · April 1, 2021, 2:54pm

Well couldn’t the exploiter just insert a script in that sends a false value to the module script? The best way is to just make the server secure. If they give themself more cash, but can’t use it because the server handles everything, then the exploiter can’t cheat.

Vundeq · April 1, 2021, 2:54pm

the module is called on the server, id have to be quite stupid to do anything security related on the client.

XdJackyboiiXd21 · April 1, 2021, 2:55pm

Well the exploiter could just send a false value through the remote event, the server has now way of knowing if what they sent is a true value.

Vundeq · April 1, 2021, 2:55pm

the server checks the value from the servers perspective, did you even read the post?

XdJackyboiiXd21 · April 1, 2021, 2:56pm

They can send a false value to the server. Like I said above there is no way to check the client’s stats, so you have to secure the server.

HugeCoolboy2007 · April 1, 2021, 2:59pm

I think they’re trying to say that the server will have the real value and the client has to send the value that it has. If the client sent a false value then it’s an exploiter

Vundeq · April 1, 2021, 3:00pm

	FireEvent:FireServer(Tool.Name,Tool:GetAttribute("LoadedAmmo"))

here is the event, it fires the tools name and the ammo value from the clients perspective

on the server, it sees if the object exists at all in the players character, and if so it procedes with looking at the objects value FROM THE SERVER PERSPECTIVE

FireEvent.OnServerEvent:Connect(function(plr,ToolName,ClientLoadedValue)
	local Tool = plr.Character:FindFirstChild(ToolName)
	
	if Tool and SecurityService.VerifyIntegrity(Tool:GetAttribute("LoadedAmmo"),ClientLoadedValue,plr) == true then
		-- good to go
	end
end)

from here the module called on the server compares both the client and server values, and if theyre the same the script proceeds with its task.

dthecoolest · April 1, 2021, 3:41pm

Yep it’s normal and good practice to compare a client value to a server value. This is what FE gun kit does by comparing a module script containing the guns settings being fired on the client and on the server This could be further optimized the amount of data and setting sent though is really high. I believe it’ll catch you some low level exploiter who is playing around with the remote event which should suffice.

However, the issue here is using this method in this context with checking loaded ammo. In context these two values are never synced as the client will always fire the gun first and usually have lower loaded ammo than the server hence it’ll cause false positives and delays.

The usual method for checking if the player is able to reload or more importantly is able to fire is through the leaky bucket method to guarantee a suitable rate limit to avoid spamming the gun while also allowing the reloading to be done on the current to make it smooth and avoid delays. Is this your scenario?