I want to work on platforming mechanics. To my knowledge, it’s standard to have user-controlled physics be dealt with locally (e.g. cars, double-jumps etc.), but if the platforming system is integral to the social experience and what-not, how would I actually integrate security in platforming? Any ideas or suggested reads in order to minimize the degree of exploitation in a platforming system?
A good idea would be to have the client ask the server for permission to do something.
Say it was for a double jump. When the user double taps their space bar (hypothetically that’s the key for double jump), before actually performing it, have it send a request to the server asking if it’s allowed to, and the server would check if that jump is physically possible i.e. if the player has already recently double jumped and is still in the air, the answer would be no.
Of course latency and lag would be factors, but it’s really the only way, apart from handling all physics on the server side and having the client request the character’s position every 0.01 seconds, to make sure that the server is in control of what users can do.
Also pretty much any game that involves interacting with the environment (hopefully) has the server verify that any action a user takes is allowed. This is why you can’t run through walls or walk through objects that would otherwise block you by having the client pinky-promise the server that the character is supposed to be there. Albeit that would be something that Roblox handles and not really something you’d need to implement, but the principle is the same.
If you handle input responses like jumping or double jumping on the server, the game will feel unresponsive because of the latency between client and server, and for players with really bad lag be unplayable because their controls don’t correspond to the movements of their character timing-wise. So you should allow the client to control the physics of their character.
You can do some sanity checks on the server though. If somehow the player has reached an unreachable location, maybe reset their character to a last known good position, or kill it, or kick them if you’re really confident that it’s impossible to reach that location. Or check if they’ve moved faster than possible, or if they’re double jumping more often than possible. You can’t make it perfect, but you can do your best.
Any method that involves handling of character physics on the server is unreasonable. It puts undue stress on the server and makes the game unplayable on the client, ruining player experience. Character physics should always be handled on the client because it needs to be as responsive as possible.
However, this means that the client can manipulate their physics and do whatever they wish. ROBLOX cannot combat this type of exploiting without putting awkward restrictions over game development. For example, say, ROBLOX were to make an anti-flying hack, which would kick everyone whose character floated in the air for more than 5 seconds. This would instantly compromise most of the admins with a fly command.
But unlike ROBLOX, you can make some assumptions about your game because you know exactly what it is going to be. So think about certain actions that would be impossible to do in your game (floating for an extended period of time, moving very quickly, teleporting without registering on the server, etc.), and make the server check for those.
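The server-side sanity checks suggested in the replies above (speed limit, air-time limit, one double jump per airborne period, rollback to a last known good position), as an added example that is not from any poster or from Roblox. It is plain Lua with no engine calls; the `Validator` name, the limits and the samples are assumptions, and a real game would feed `observe` from the server's own view of each character.

```lua
-- Added example (not from the thread): server-side movement sanity checks.
-- Plain Lua, also valid Luau. Every limit below is an assumed value.
local LIMITS = { maxSpeed = 20, slack = 1.25, maxAirTime = 5, maxStrikes = 3 }
local Validator = {}
Validator.__index = Validator

function Validator.new(pos, now)
  return setmetatable({ prev = pos, lastGood = pos, lastTime = now,
    airborneSince = nil, usedDoubleJump = false, strikes = 0 }, Validator)
end

-- Feed one server-observed sample. Returns "ok", "reset" or "kick", plus the
-- position the server should treat as authoritative.
function Validator:observe(pos, grounded, now)
  local dt = now - self.lastTime
  if dt <= 0 then return "ok", self.prev end
  -- Horizontal speed only: falling can legitimately be fast.
  local dx, dz = pos.x - self.prev.x, pos.z - self.prev.z
  local tooFast = math.sqrt(dx * dx + dz * dz) / dt > LIMITS.maxSpeed * LIMITS.slack
  if grounded then
    self.airborneSince, self.usedDoubleJump = nil, false
  else
    self.airborneSince = self.airborneSince or now
  end
  local floating = not grounded and now - self.airborneSince > LIMITS.maxAirTime
  self.lastTime = now
  if tooFast or floating then
    -- Roll back to the last accepted grounded position and count a strike.
    self.strikes = self.strikes + 1
    self.prev, self.airborneSince, self.usedDoubleJump = self.lastGood, nil, false
    return self.strikes >= LIMITS.maxStrikes and "kick" or "reset", self.lastGood
  end
  self.prev = pos
  if grounded then self.lastGood = pos end
  return "ok", pos
end

-- The client reports a double jump; accept at most one per airborne period.
function Validator:tryDoubleJump()
  if self.airborneSince == nil or self.usedDoubleJump then return false end
  self.usedDoubleJump = true
  return true
end

-- Constructed samples: { time, x, z, grounded }
local v = Validator.new({ x = 0, z = 0 }, 0)
for _, s in ipairs({ {0.5, 8, 0, true}, {1.0, 16, 0, false}, {1.5, 120, 0, false}, {2.0, 14, 0, true} }) do
  local verdict, p = v:observe({ x = s[2], z = s[3] }, s[4], s[1])
  print(s[1], verdict, p.x, p.z)
end
```

The `slack` factor is what absorbs latency jitter; set it too tight and laggy but honest players get rolled back, which is why the strike counter escalates to a kick only after repeated violations.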