[MUD-Dev] TECH: Trusting Network Clients

Edward Glowacki glowack2 at msu.edu
Tue Aug 27 13:04:04 CEST 2002


On Mon, 2002-08-26 at 23:36, Fox McCloud wrote:

> I lately started planning a graphical MUD and I hope it would work
> so far. But I came across the question to trust the client data or
> not. Of course it would be secure if the server just does
> *everything* but I think this would afford a tremendous server
> power. Well otherwise people could manipulate the data easily, so
> where's the border line, what data should you allow the client to
> process? Any recommendations?

Sending to the client:

  Assume that any data sent to the client will be seen and
  manipulated by the user for their own advantage, independent of
  whether or not your game client shows that information.  If you
  send the location of something not yet visible to the user
  (another player, a mobile, a treasure), then someone will decode
  it and know that location before they are supposed to.  Send them
  the whole map for the zone, then someone will decode it and have a
  complete map of the zone before they even open the
  gate/door/portcullis.

  One solution is to only pre-send data that doesn't matter.  Mobile
  graphics for the zone, tile sets (except perhaps special tiles
  like levers, sensors, traps), lists of available spells, etc.  Any
  critical data like player locations should only be sent at the
  time the information would become available to the character.

Receiving from the client:

  Don't trust anything.  Validate the input, check it against the
  server-side version, verify the location of everything ("Hey,
  how'd he make the fireball attack me from the opposite corner of
  the room?...."), sanitize it, disinfect it, use
  industrial-strength cleaning chemicals, ask for 3 non-related
  references, void where prohibited, offer may vary in Alaska,
  Hawaii, and Puerto Rico.

-ED

--
Edward Glowacki			glowack2 at msu.edu
Michigan State University	
"...a partial solution to the right problem is better than a complete
solution to the wrong one." (http://uiweb.com/issues/issue14.htm)
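
Added example, not part of the original post: both rules above applied to a server-authoritative world in Python. The entity model, the message fields (`target`, `origin`), the radii and the sample entities are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import hypot

SIGHT_RADIUS = 5.0    # assumed: how far a character can see
FIREBALL_RANGE = 4.0  # assumed: maximum spell range

@dataclass
class Entity:
    id: str
    x: float
    y: float
    room: str

class World:
    """Authoritative state; it lives only on the server."""
    def __init__(self, entities):
        self.entities = {e.id: e for e in entities}

    def can_see(self, a, b):
        return a.room == b.room and hypot(a.x - b.x, a.y - b.y) <= SIGHT_RADIUS

    def snapshot_for(self, player_id):
        # Sending: only what the character can see right now goes on the wire.
        me = self.entities[player_id]
        return sorted(e.id for e in self.entities.values()
                      if e.id != player_id and self.can_see(me, e))

    def handle_fireball(self, player_id, msg):
        # Receiving: every client-supplied field is checked against server state.
        me = self.entities.get(player_id)
        if me is None or not isinstance(msg, dict):
            return "reject: malformed request"
        tid = msg.get("target")
        target = self.entities.get(tid) if isinstance(tid, str) else None
        # Same answer for "does not exist" and "exists but hidden", so a
        # rejection cannot be used to probe for entities never sent.
        if target is None or target is me or not self.can_see(me, target):
            return "reject: no such visible target"
        if msg.get("origin") != [me.x, me.y]:
            return "reject: origin differs from server position"
        if hypot(me.x - target.x, me.y - target.y) > FIREBALL_RANGE:
            return "reject: target out of range"
        return "ok"

def sample_world():
    # Constructed sample state, not data from the post.
    return World([Entity("alice", 1, 1, "hall"), Entity("bob", 3, 1, "hall"),
                  Entity("imp", 5.5, 1, "hall"), Entity("orc", 9, 9, "hall"),
                  Entity("chest", 2, 1, "vault")])
```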

