Search Unity

  1. Welcome to the Unity Forums! Please take the time to read our Code of Conduct to familiarize yourself with the forum rules and how to post constructively.

How to make secure authentication by netcode?

Discussion in 'Multiplayer' started by xyztehlike, Sep 27, 2022.

  1. xyztehlike

    xyztehlike

    Joined:
    Oct 5, 2020
    Posts:
    3
    I was reading netcode documantation of Connection Approval. And I was kinda happy cuse the question in my mind was answered about authentication while reading ConnectionApprovalRequest.Payload, because i thought i can send a token to the server to confirm user's session. But at the end i saw this warning. :) If we won't send token or password, what is payload, or how we would controll if the user is valid? I am web developer, so should i have a certification just like ssl for websites?
     

    Attached Files:

  2. vis2k

    vis2k

    Joined:
    Sep 4, 2015
    Posts:
    4,275
    In the past, the web was pure HTTP.
    If you log into your Paypal account while on Wifi, the login packet would be transmitted through the air to your router.
    If someone is near your router, he might be able to capture the transmitted packet to get your password.

    That's why the web mostly moved to HTTPS (= SSL).
    It is end to end encrypted, meaning that only you and the server can make sense of the packets which are transmitted through the air.

    Online games usually don't transmit any sensitive data.
    It doesn't matter if someone can snoop on your network to see which potion you used in an MMO.
    Encryption requires extra work and extra CPU cycles, which is why it's not a high priority for many netlibs.
    It's not impossible though.

    Often login is the only sensitive data in your game, so only that part might be encrypted (steam login, google, oauth, etc.)
     
    xyztehlike likes this.
  3. xyztehlike

    xyztehlike

    Joined:
    Oct 5, 2020
    Posts:
    3
    Okay thank you so much for answer. As i said i am back-end developer so i can make microservices for logining. My question is after the user login; i mean during the game, how the user makes me know if this is "the" user. Should i store user's ip?
     
  4. vis2k

    vis2k

    Joined:
    Sep 4, 2015
    Posts:
    4,275
    The low level transport would give you some kind of 'connection' object for every accepted client on the server.
    For example, in TCP this would be a socket.
    For UDP this might be an EndPoint etc.
     
    xyztehlike likes this.
  5. xyztehlike

    xyztehlike

    Joined:
    Oct 5, 2020
    Posts:
    3
    Okay i understood, but you are saying "every accepted client", if i don't send any sensitive data like password or hashed token from client-side, according to what am i going to accept the user in the server, or even reject if the user is not accepted? Again thank you so much for your relevance.
     
  6. Punfish

    Punfish

    Joined:
    Dec 7, 2014
    Posts:
    280
    There's a variety of ways to do this but the simplest, which sounds like it may even be for you being a backend dev, is a token.

    User logs into account via auth server and is given a token response. Auth server holds token along with IP for x seconds.
    Client connects to game server and sends token. Game server sends token and IP to auth server. Auth server checks if token exist and IP matches then tells game server, perhaps passing in a client ID.

    From there the game server can access any database with clientId and pull inventory, ect. And also approve client login.

    Most networking stacks have a way to suspend the client until they've authenticated. Eg in FishNet we call it an authenticator. This would be the part where the game server validates with the auth server. If you need a better example let me know.