I’ve been developing an FPS game for quite some time . I’ve so far accomplished many optimizations and the game had gained most of it’s functionality. Although, I believe security is still lacking.
Weapons in this game rely mostly on the client, this includes casting bullets. I consider this quite vulnerable at the moment since an exploiter can easily fake rays, and the server would still believe it.
I thought of a procedure to, perhaps, make it less vulnerable by verifying that ray on the server:
Client casts ray, hits another player, fires a remote.
Server receives it, casts another ray between the player and it’s target to see if any surroundings block the shot.
NOTE: The ray that is cast on the server does not check if it had hit the player or not, it will only check on other objects such as walls and props.
So we may come to the main question: Would any part of this method, potentially struggle the server, when done many times at once?
Of course, I don’t mean a ridiculous amount, although I would say it would be at max 50 rays per second.
Honestly, I don’t see a difference in doing this on server only because you are casting a ray on the server afterall. However many rays being casted on server probably won’t stress the server, as I’ve tested myself (1mil rays per frame).
I would like it to depend on client as well since doing rays server-only will most likely cause unresponsive behaviour. Thanks for the statistics, by the way.
You inevitably should check every single thing in the server so worry about security over performance until it’s very bad.
There is probably a very small delay between the server and client when communicating via remotes so test that out to see it it’s noticeable. This may be what you consider “lag” if it is noticed.
I don’t think having that very small delay would be an issue. However, it could cause such problems like moving hitboxes seeming like that they were hit on client, but this may not be the case on the server, which seems unfair.
As @Dev_HDWC said, lag compensation would be the best here.
Lag compensation would save all players previous positions (up to a certain extent) and when a player shoots you can just rewind time by the players ping and test a hit then.
Since your server knows the differential equation of the projectile, all the client needs to do is send over a signal that the hit occured. Since the server could then solve for time elapsed since the projectile was created, it would narrow down the ability to fake rays and exploit without needing to do complex ray checking.
