Security using serverside extension

Post here your questions about Actionscript and Java server side extensions development.

Moderators: Lapo, Bax

PinkHairedBoi
Posts: 3
Joined: 27 Jul 2018, 10:04

Security using serverside extension

Postby PinkHairedBoi » 27 Jul 2018, 10:28

Hello community!
Now i'm among us.

It took a lot of time to understand how smartfox working, also i'm a bit upset, because serverside documentation ain't providing any examples. (i don't mean on site, like unity in documentation)

So i decided to do a small easy-stupid game, typical MMO with player who can only move and rotate, also the "game screen" is same size that just one player screen.

And problems i've met:

1. I'm a bit old-type developer, so i don't like to implement some features. For example i do not like to implement MMORooms if i can create it by myself. Also i didn't find any documentation what does it change. In examples part (as ObjectMovement e.t.c.) there's NEVER SERVER SIDE CODE, only client-based. I understand that maybe it because it uses basic server features that doesn't require any server side code, but in those cases you can just send any (x, y, z) values you want, what is insanely big for cheater. Hello speedhack.

So i must simulate all processes on server. Create players array with payer classes and client only makes some messages like "start moving up" and all calculations are done on serverside either, server only returns with messages to all players new calculated position. But in this case...

2. If i'm making movement using Unity Physics system... How do i calculate it? How do i implement it to Java? Looks like i can't use it. Currently i stopped at just using strict transform.localPosition changing on certain amount - this is what easy to calculate on server.

Maybe MMORoom provides some basic protection from cheating? So there must be something like "speed" global parameter. But what's with teleports?...

W/e. So if i decide to make cheat-safe game I just want to make all by myself. Should i just create usual game room and then using extension make all game being server-side, while client only draws graphics and makes communication between client and player? That's kinda obvious but the real question is - am i right and all smartfox basic features aren't cheat-safe?

3. If so, b.t.w, what should i use as a timer for whole game - Thread or taskScheduler? (like how ofter should i calculate new player positions, for example 60 times per second).

Maybe i asked generic or repeatable questions, but sorry if so - i didn't found any documentation forum themes or solutions.

4. Small q: max 20 users in room for free version - but in dmin panel i can change it for example 30. Is it a trust-based features that I must stick to, otherwise I can be judged?

Also i wanted to thank Lapo for such detailed and useful answers, which i was reading throught development cycle on forum ^^.
User avatar
Lapo
Site Admin
Posts: 20436
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Security using serverside extension

Postby Lapo » 27 Jul 2018, 17:16

Hi,
your post is quite confusing, as you are talking about features such as MMORooms (provided in SmartFoxServer 2X) but you've posted under the old SmartFoxServer 1.x forum and you're referring to SmartFoxServer Basic, which is a very primitive solution compared to SmartFoxServer 2X.

I will try to reply to your points anyways, but I need to clarify that SmartFoxServer 2X is our current, most up to date, and powerful multiplayer SDK, and I would strongly recommend to refer to it.
https://www.smartfoxserver.com/download ... =installer

PinkHairedBoi wrote:Hello community!
Now i'm among us.

It took a lot of time to understand how smartfox working, also i'm a bit upset, because serverside documentation ain't providing any examples. (i don't mean on site, like unity in documentation)

Of course there are examples.
There's a whole section od the docs dedicated to how to code server side Extensions with commented code examples and we provide example packs for all platform which include games with server code.
There are also platform specific tutorials that include full games with advanced theory explained step-by-step.
http://docs2x.smartfoxserver.com/
https://www.smartfoxserver.com/download ... p=examples

1. I'm a bit old-type developer, so i don't like to implement some features. For example i do not like to implement MMORooms if i can create it by myself.

This is unclear.
You don't like to recreate stuff you can create by yourself?
Maybe it's a typo, but if I understand that you would like to re-implement the whole MMORoom?
I wonder why you would ever want to do that: it's a lot of work and our API already take the whole burden off of you.
http://docs2x.smartfoxserver.com/Advanc ... /mmo-rooms

Also i didn't find any documentation what does it change.

What are you referring to. What changes?

In examples part (as ObjectMovement e.t.c.) there's NEVER SERVER SIDE CODE, only client-based. I understand that maybe it because it uses basic server features that doesn't require any server side code, but in those cases you can just send any (x, y, z) values you want, what is insanely big for cheater. Hello speedhack.

It is explained the documentation. Same article I posted above.


Code: Select all

2. If i'm making movement using Unity Physics system... How do i calculate it? How do i implement it to Java? Looks like i can't use it. Currently i stopped at just using strict transform.localPosition changing on certain amount - this is what easy to calculate on server.

Physics is part of the Unity engine, so it's quite tricky to simulate on the server side when it's actually integrated in the client side engine.
There's two possibilities:
1) Just run a Unity client hosted server
2) Run a Unity server alongside SmartFox
The 2nd option is more sophisticated and we've written a bit about it here:
https://smartfoxserver.com/blog/best-of ... -games-p1/
(it's a two part article)

Maybe MMORoom provides some basic protection from cheating? So there must be something like "speed" global parameter. But what's with teleports?...

You can perform all the SetUserPosition calls from server side, therefore you should be able to verify all input and make sure no one is cheating.


W/e. So if i decide to make cheat-safe game I just want to make all by myself. Should i just create usual game room and then using extension make all game being server-side, while client only draws graphics and makes communication between client and player? That's kinda obvious but the real question is - am i right and all smartfox basic features aren't cheat-safe?

Yeah, SFS Basic is part of the SmartFoxServer 1.x family which is pretty old and not updated, we only maintain bug fixes.
SmartFoxServer 2X instead is the main product, offering an immense amount of extra features.
Comparison here:
https://www.smartfoxserver.com/products

3. If so, b.t.w, what should i use as a timer for whole game - Thread or taskScheduler? (like how ofter should i calculate new player positions, for example 60 times per second).

Always Scheduler. Threads are too expensive.

4. Small q: max 20 users in room for free version - but in dmin panel i can change it for example 30. Is it a trust-based features that I must stick to, otherwise I can be judged?

Please refer to SmartFoxServer 2X, which is free for 100 concurrent users and no time limits.

Cheers.
Lapo
--
gotoAndPlay()
...addicted to flash games
PinkHairedBoi
Posts: 3
Joined: 27 Jul 2018, 10:04

Re: Security using serverside extension

Postby PinkHairedBoi » 29 Jul 2018, 21:58

Oh Lapo, thank you again so much. I did a huge mistake, you're absolutely right - I'm using SFS2X. 2X. Wrong forum, sorry so hard. If you can - switch it.
The reason i missed was name of theme - Server Side Extension Develompent. Didn't find same theme in SFS2X, only questions.

You didn't understand me about examples, maybe I didn't write it right way.
I mean, that if we go -> http://docs2x.smartfoxserver.com/api-docs/csharp-doc/ -> here we see the example.
But here -> http://docs2x.smartfoxserver.com/api-do ... oc/server/ -> only straight documentation without any examples.
Of course i've seen a lot of examples on site, that's exactly why i inserted "(i don't mean on site, like unity in documentation)" mark.

About implementing MMORooms - i mean - MMORoom got a huge pack of extra parameters and i'm not quite sure i need each of them (like limbo point which is new and hard for me and probably totally unnecessary for me). That's why i like to do thing by myself - to prevent using unnecessary things which takes memory, CPU e.t.c.

"Also i didn't find any documentation what does it change."
Already found, also it wasn't that easy and clear. I read that it's all about Area Of Interest. It wasn't kinda obvious for me, sorry.

About server-side code - there's only MMO Demo and Space War with server-side code. I mean, lack of some things like custom autorization e.t.c.
For example MySQL DB user-checking, simple scheduler examples.

The article from blog is amazing. I'll finish reading it before continue...
Finally, finished. Of course, that's ideal. But still didn't find full example of integration Unity server into smartfox and sounds complicated, while google ain't gives anything good on "unity server" request. Sounds like i must write complete game (if i using linux) under linux as master-server. And somehow link it with smartfox. Also all this prices, clouds... I'm not that experienced, and as indie got no possibilities to buy a server even for 1$, that's the reason i'm using smartfox2x. So, looks like i must finish up with java server-side.

Is that good to make complete game as "extension"? Name scared me a bit.

"You can perform all the SetUserPosition calls from server side, therefore you should be able to verify all input and make sure no one is cheating."

Exactly what i did now. Right now my server got arraylist of players in room with readonly x and y, updates it in TaskScheduler each 50 msec, and can only take requests from player which changes bool values like moveUp, moveDown e.t.c. with some checkings.
Is it a fine way to do it?

Thank you for answers, Lapo, sorry if i'm annoying, but i really listed a lot of examples and tutorials with blogs(still didn't find artical about Unity+SFS2x). You helping me a lot, i rarely register on forums to ask something, but SmartFox is amazing and i wish i could understand all features and ways of creating good cheat-safe realtime games.

The main question is if it's good to make whole game as java-extension with unity-client only like "terminal input" and "user-interface".

With great respect, Mir.
User avatar
Lapo
Site Admin
Posts: 20436
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Security using serverside extension

Postby Lapo » 30 Jul 2018, 07:36

PinkHairedBoi wrote:Oh Lapo, thank you again so much. I did a huge mistake, you're absolutely right - I'm using SFS2X. 2X. Wrong forum, sorry so hard. If you can - switch it.

No problem, I will move the thread to the correct section.

About server-side code - there's only MMO Demo and Space War with server-side code. I mean, lack of some things like custom autorization e.t.c.
For example MySQL DB user-checking, simple scheduler examples.

Of course, the demos are focused on the MMO aspects, which already require quite a long discussion.
For databases and schedulers you can find everything you need in the Java Extension Development section of the docs:
http://docs2x.smartfoxserver.com/ExtensionsJava/recipes

Is that good to make complete game as "extension"? Name scared me a bit.

I am not sure what you mean by this.
A multiplayer game is always comprised by two parts: the client with the UI, rendering, input control etc... and a server side part with the authoritative game logic.

"You can perform all the SetUserPosition calls from server side, therefore you should be able to verify all input and make sure no one is cheating."

Exactly what i did now. Right now my server got arraylist of players in room with readonly x and y, updates it in TaskScheduler each 50 msec, and can only take requests from player which changes bool values like moveUp, moveDown e.t.c. with some checkings.
Is it a fine way to do it?

Yes it is

The main question is if it's good to make whole game as java-extension with unity-client only like "terminal input" and "user-interface".

It depends on the type of game but generally speaking, yes it is. Most games are done like that.
Sometimes there is also a bit of client side logic for compensating the lag between client and server but essentially the main game logic is always on the server side, to avoid cheating.

If you read the "SpaceWar" tutorial you will learn more about the lag compensation aspect I am talking about. It's a generic concept that can applies to many different types of real time games.

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
User avatar
Lapo
Site Admin
Posts: 20436
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Security using serverside extension

Postby Lapo » 30 Jul 2018, 09:04

One more comment...
About implementing MMORooms - i mean - MMORoom got a huge pack of extra parameters and i'm not quite sure i need each of them (like limbo point which is new and hard for me and probably totally unnecessary for me). That's why i like to do thing by myself - to prevent using unnecessary things which takes memory, CPU e.t.c.

You're making a very wild assumption that the extra parameters are taking significative resources, where in actuality they really don't.
MMORooms are highly optimized and we spent over a year to stress test and fine tune the relative API.

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
PinkHairedBoi
Posts: 3
Joined: 27 Jul 2018, 10:04

Re: Security using serverside extension

Postby PinkHairedBoi » 30 Jul 2018, 17:45

Lapo, you're the best. Thank you for such a detailed answers. That's all i wanted to know.
SmartFoxServer2X is great, as it's community.
Cheers!

Return to “Server Side Extension Development”

Who is online

Users browsing this forum: No registered users and 18 guests