Hello, in the past days I tried to make a PvP game but I am struggling with cheat prevention, so I was wondering if managing abilities on the server side is good to prevent hacking. These are the pros and cons for client side vs server side that I know, but I’m not sure of them, so please correct me if I’m wrong.
Depends what kind of abilities. But generally any combat-related feature should be server-sided, otherwise how are you going to deal damage to other players or affect them in any way?
I would handle the input and effects on the client and the rest on the server, if your game isn’t too laggy on the server I’d recommend doing that also.
While server side management is more secure, it can lead to latency issues and unresponsive gameplay. A hybrid approach, combining client side prediction with server side validation, can offer a perfect balance between responsiveness and security. Don’t forget to add some sanity checks on the server side to make sure that everything is running as it should be.
Combining the two is a good idea but I feel like it only works if you want to damage the player. For example, if a player wanted to start an ability, I can’t check on the client if the player is on cooldown because hackers can remove it. If I fired a remote function that returns if the player is on cooldown, hackers can easily bypass it. (I don’t know if it was clear, but I am more than happy to give further explanations.)
I think you SHOULD check if the player is on cooldown on the client. When the ability is triggered (by a keybind, say), the client should immediately check the cooldown so that resources aren’t wasted firing events on the server and having it confirm. Checking cooldown both on the client and server is important. On the client to reduce resources, and on the server to protect against those who bypass the client check.
Anyhow, a hybrid approach for this whole matter seems the best. After receiving inputs on the client, it fires a remote event to the server (after the cooldown/distance/any other necessary check) and the server verifies these factors and deals damage. Then I would have the server fire back to the clients to play any effects.
I think for critical game mechanics it’s essential to ensure that the server has the final word. We can do something like this:
Server side:
When a player initiates an ability, the client sends a request to the server.
The server checks whether the player is allowed to use the ability (e.g., not on cooldown, has enough resources, etc.)
If valid, the server executes the ability and informs the client. If not, the server denies the request and optionally sends feedback to the client.
Client side:
For a smoother experience, the client can immediately show the ability animation or effect. However, this is purely visual and should not affect the game state.
The server performs the necessary checks and updates the game state. If the client prediction was incorrect (e.g., the ability was on cooldown), the server corrects the client state.
I think that you should be maintaining cooldowns on the server. I mean when an ability is used, the server starts the cooldown timer. Then the client can show a cooldown timer for the player’s UI, but this is just for display. The server’s cooldown timer is the authoritative source.
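The server-side flow the replies above describe (request, cooldown check, sanity check, apply, notify), sketched as an added example that is not code from any poster in this thread. It assumes Roblox-style remote events; the RemoteEvent name `AbilityRequest`, the `ABILITIES` table and its values, and the `"Denied"`/`"Played"` message tags are hypothetical.

```lua
-- Server Script. Assumes a RemoteEvent named "AbilityRequest" exists in ReplicatedStorage.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local abilityRequest = ReplicatedStorage:WaitForChild("AbilityRequest")

-- Hypothetical ability data; it lives only on the server, so clients cannot edit it.
local ABILITIES = {
	Fireball = { cooldown = 3, range = 60, damage = 25 },
}
local lastUsed = {} -- [Player] = { [abilityName] = os.clock() timestamp }

-- Returns the root part and humanoid of a living character, or nil, nil.
local function getRoot(player)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if humanoid and humanoid.Health > 0 then
		return character:FindFirstChild("HumanoidRootPart"), humanoid
	end
	return nil, nil
end

abilityRequest.OnServerEvent:Connect(function(player, abilityName, target)
	-- Every argument after `player` is client-controlled: validate types first.
	local ability = type(abilityName) == "string" and ABILITIES[abilityName]
	if not ability then return end
	if typeof(target) ~= "Instance" or not target:IsA("Player") or target == player then return end

	-- Authoritative cooldown: uses the server's clock, never a value the client sent.
	local now = os.clock()
	local used = lastUsed[player] or {}
	lastUsed[player] = used
	if used[abilityName] and now - used[abilityName] < ability.cooldown then
		abilityRequest:FireClient(player, "Denied", abilityName) -- client rolls back its prediction
		return
	end

	-- Sanity check: both characters alive, distance computed by the server, not passed in.
	local root = getRoot(player)
	local targetRoot, targetHumanoid = getRoot(target)
	if not root or not targetRoot then return end
	if (root.Position - targetRoot.Position).Magnitude > ability.range then return end

	used[abilityName] = now
	targetHumanoid:TakeDamage(ability.damage)
	abilityRequest:FireAllClients("Played", abilityName, player, target) -- visual effects only
end)

Players.PlayerRemoving:Connect(function(player)
	lastUsed[player] = nil -- drop cooldown state when the player leaves
end)
```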