How to make secure authentication by netcode?

I was reading netcode documantation of Connection Approval. And I was kinda happy cuse the question in my mind was answered about authentication while reading ConnectionApprovalRequest.Payload, because i thought i can send a token to the server to confirm user's session. But at the end i saw this warning. If we won't send token or password, what is payload, or how we would controll if the user is valid? I am web developer, so should i have a certification just like ssl for websites?

 

In the past, the web was pure HTTP.
If you log into your Paypal account while on Wifi, the login packet would be transmitted through the air to your router.
If someone is near your router, he might be able to capture the transmitted packet to get your password.

That's why the web mostly moved to HTTPS (= SSL).
It is end to end encrypted, meaning that only you and the server can make sense of the packets which are transmitted through the air.

Online games usually don't transmit any sensitive data.
It doesn't matter if someone can snoop on your network to see which potion you used in an MMO.
Encryption requires extra work and extra CPU cycles, which is why it's not a high priority for many netlibs.
It's not impossible though.

Often login is the only sensitive data in your game, so only that part might be encrypted (steam login, google, oauth, etc.)

 

Okay thank you so much for answer. As i said i am back-end developer so i can make microservices for logining. My question is after the user login; i mean during the game, how the user makes me know if this is "the" user. Should i store user's ip?

 

The low level transport would give you some kind of 'connection' object for every accepted client on the server.
For example, in TCP this would be a socket.
For UDP this might be an EndPoint etc.

 

Okay i understood, but you are saying "every accepted client", if i don't send any sensitive data like password or hashed token from client-side, according to what am i going to accept the user in the server, or even reject if the user is not accepted? Again thank you so much for your relevance.

 

There's a variety of ways to do this but the simplest, which sounds like it may even be for you being a backend dev, is a token.

User logs into account via auth server and is given a token response. Auth server holds token along with IP for x seconds.
Client connects to game server and sends token. Game server sends token and IP to auth server. Auth server checks if token exist and IP matches then tells game server, perhaps passing in a client ID.

From there the game server can access any database with clientId and pull inventory, ect. And also approve client login.

Most networking stacks have a way to suspend the client until they've authenticated. Eg in FishNet we call it an authenticator. This would be the part where the game server validates with the auth server. If you need a better example let me know.