Remote event security

Hi,

I know similar questions to this have been asked before, but I have a problem here that I don’t know how to deal with.

I’m making a game where the mechanics will rely on the user’s reaction speed. A part will be moving back and forth and they need to click to stop it when it is in the middle of the target area.
Stopping it in the right position will give points, being out by even a little bit will reduce the rewards given.

To make sure that network lag doesn’t cause problems I am doing all the part movement in local scripts; I detect the click events there and so know where the part was stopped.

I send that position back to the server via a remote event, and do scoring in server scripts there.

My worry here is that if someone wanted to exploit this they can very easily pass a “perfect” position back through the remote event.
The normal advice here is to do server-side validation, but I can’t see any way that I can validate this; there is nothing here that the server can check.

Does anyone have any advice on how I can make this a little more secure?

Thanks in advance

If I were you in this situation, I would handle it on the client and send the server the packets and save the scores in a table, then check after a couple of attempts and see if there are any practices such as consistent scores, or impossible positions.

If you’re taking the server method, is the delay of a usual average ping (50-200) enough to ruin their score?

Thanks!

Yes, I have tried doing everything server side and the ping time is enough to cause problems, so I think I’ve no option but to use local scripts.

Yes, I definitely can save each position/score as it comes in, and having logs of what happens is always useful.
I’m not sure how I’d ever validate this though. If someone got 1000 perfect shots in a row, that’s certainly suspicious. So this might be a way to find a dumb exploiter.

But if I was the other side of this and trying to exploit it, it would be really easy to just put in a small amount of randomness so that it’s good but not perfect. I think this would be really hard to detect, as it would look very similar to a genuine player.

One way I’d do it is just fire a remote event over to the server when the user clicks. The server checks where the part is located currently and just does the logic from there. Lag is always gonna be present, you cannot stop that. As long as you aren’t passing any special and easily avoidable arguments from the client to the server I really don’t think this is difficult at all.


Keep what you’re doing but validate the position server-side after the player clicks on the part. I see no reason for that to cause significant performance issues.

EDIT: I hadn’t seen but @FactorOfTheThird basically said the same thing.


Thanks again!

The problem I have doing this on the server side is that the latency between server and client causes issues with gameplay, especially for any players with bad wifi.

With any sort of lag I will see the part “on target” on my screen, and will click.
In reality on the server the part has moved on by then and is off target, and has moved more by the time my remote event gets back to the server.

This is why, for me, server-side checks on the position, or trying to move the part on the server, are unfortunately not going to work well, I don’t think.

Try securing your remotes via a remote key grabbed from an instance inside of ReplicatedStorage, it would be even more secure if every 5 seconds, you regenerated said key.

You could also encode the key in Base64 to make it even more secure.

Like I said, lag is not avoidable, it’s not your problem to make the game adapt to the player’s internet, it’s the whole “prevent exploiting” thing we’re talking about anyway. There’s no huge latency issue anyway with shooting a remote event and handling physics and whatever else on the server side, they’re just fine solutions. Unless you can moderate your game easily, really there’s no other solution to this m8.

Thanks again!

I guess that’s why I’m asking here.

I know that if I change the movement to be server side, it removes the risk of exploits. However, it means that players are affected if they are laggy. Given that the entire mechanic of this game is based on needing fast and accurate reaction speeds, that is a real issue.

If I keep the movement client side then I don’t worry about lag, all players get a good experience with things running fast and accurately, regardless of how good or bad their connectivity is. This makes the game run significantly better.
However this of course introduces the risk of exploits.

What I’m trying to find is a way to keep the client side movement but reduce the exploit risk. I know other games take this client side approach, but are able to do server side sanity checks (e.g. check someone hasn’t shot through a wall, etc.). Unfortunately here I can’t think of any sensible server side checks that would detect exploited calls.

I might consider having a remote that the client fires when they want the part to start moving, and then a remote that the client triggers when they want to click their mouse. When the start event is fired, you move the part locally so there’s no visual lag from their perspective and then on the server you keep track of a position value and every split second you update that value on the server. The server is keeping track of where it thinks the part will be on the client side.

Once they fire the click remote event then the server can use that position it’s been keeping track of to determine how many points the player gets. You won’t have any constant communication between the server and the client and if the exploiter changes the speed it moves on their side then it won’t cause any problems because the server is the authority.
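The server-tracked-position idea from the post above, written out as an added example; this is not code from the thread’s author or any poster. The remote names, track constants and latency window are assumptions; the client fires both remotes with no arguments, and the server never accepts a position from it.

```lua
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")
local startEvent = ReplicatedStorage:WaitForChild("StartMoving") -- assumed RemoteEvent name
local clickEvent = ReplicatedStorage:WaitForChild("StopClick")   -- assumed RemoteEvent name

local TRACK_LENGTH = 10  -- studs; the part sweeps 0..TRACK_LENGTH and back (assumed)
local SPEED = 8          -- studs per second; the client animates with the same constant
local TARGET_CENTER = 5  -- middle of the target area
local MAX_LATENCY = 0.25 -- seconds of one-way delay the server will forgive

local rounds = {} -- player -> server clock reading when the sweep started

-- Where the part is t seconds after the sweep began (triangle wave along the track).
local function positionAt(t)
	local cycle = 2 * TRACK_LENGTH / SPEED
	local phase = (t % cycle) * SPEED -- Lua's % is floored, so a negative t is fine
	if phase > TRACK_LENGTH then
		return 2 * TRACK_LENGTH - phase
	end
	return phase
end

-- 100 points at dead center, 40 fewer per stud of error, never below zero.
local function scoreFor(distance)
	return math.max(0, math.floor(100 - distance * 40))
end

startEvent.OnServerEvent:Connect(function(player)
	if rounds[player] then return end -- one sweep at a time per player
	rounds[player] = os.clock()
end)

clickEvent.OnServerEvent:Connect(function(player)
	local startedAt = rounds[player]
	if not startedAt then return end -- a click with no sweep in progress is ignored
	rounds[player] = nil
	local elapsed = os.clock() - startedAt
	-- Both remotes cross the same link, so with symmetric latency the server's
	-- elapsed time already equals the client's. Jitter and asymmetric delay are
	-- absorbed by crediting the best position within the last MAX_LATENCY seconds;
	-- that window is also the most a client can gain by lying about when it clicked.
	local best = math.huge
	for back = 0, MAX_LATENCY, 1 / 60 do
		best = math.min(best, math.abs(positionAt(elapsed - back) - TARGET_CENTER))
	end
	print(player.Name, "scored", scoreFor(best))
end)

Players.PlayerRemoving:Connect(function(player) rounds[player] = nil end)
```

This removes any trust in a client-reported position, but a modified client can still choose when to fire the click remote, which is the limit the thread arrives at: the server-side logs of per-player scores remain the place to look for implausibly consistent results.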

Hey,
can you please tell me how the thing that you want to achieve works? Is it a GuiObject click event within a certain time that needs to be reached for the player to obtain the reward?

Sorry if it was already mentioned there.
Regards,
-caviarbro.

If it helps, the beta version of the game is here

Thinking more, I think the problem is that the gameplay here is very simple, so even changing the logic and movement to be server side, it could still be exploited.

At the moment my plan is to keep logs of games, to check for anything that looks suspicious.

Can’t you move the part in parallel? Server moves part, client moves the part as well at the same time?

Or, better, only do Tweening in the client, as eqis suggests

You’ll have issues with that. Ideally you’ll want the player to have network ownership over the part so it moves smoothly rather than the server, so you can’t move both at once.

Thanks to all for replying!

I’ve been thinking more, and I think here my ‘problem’ is not actually just with security of remote events. I could move everything over to the server, but even if I did that (and forgot about issues with lag) the gameplay mechanic here is pretty simple and so preventing cheating is going to be hard to do.

I think for now I’ll keep movement all client sided, because that keeps everything moving smoothly. I’ll keep logs of what people have done, and if I can detect anything that looks suspicious there I can deal with it.

Thanks to everyone who replied here,