Download

Client is authorative when setting position

Hello! I fumbled onto something a bit worrying when I tried out the engine’s responses to various client-side alternations during gameplay. If I force the .exe to run at twice the tickrate (or more) on the client, he can move twice as fast (or more) on the server. It’s very easy to reproduce using Cheat Engine. Just build out the shooter game example and connect with a client to a server, then use Cheat Engine’s “Enable SpeedHack” to alter your clients .exe.

Is this intended? If I go through the source code I find this snippet in CharacterMovementComponent.cpp



if (GetDefault<AGameNetworkManager>()->ClientAuthorativePosition)
{
	if (!LocDiff.IsZero() || ClientMovementMode != CurrentPackedMovementMode)
	{
		// Just set the position. On subsequent moves we will resolve initially overlapping conditions.
		UpdatedComponent->SetWorldLocation(ClientLoc, false);

		// Trust the client's movement mode.
		ApplyNetworkMovementMode(ClientMovementMode);

		// Update base and floor at new location.
		SetBase(ClientMovementBase, ClientBaseBoneName);
		UpdateFloorFromAdjustment();

		// Even if base has not changed, we need to recompute the relative offsets (since we've moved).
		SaveBaseLocation();
	}
}

// acknowledge receipt of this successful servermove()
ServerData->PendingAdjustment.TimeStamp = TimeStamp;
ServerData->PendingAdjustment.bAckGoodMove = true;


which means if the previous packet’s position is close enough to this packet’s position, then use the clients position on the server (aka trust the client)

Now if I disable the ClientAuthoritvePosition bool this problem still prevails. It still uses the clients position on the server, and even the animations are sped up.

anyone??? :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused:

Client can be ‘authoritative’ but it is partial ie it can send the movement to the server, but the server should ultimately decide if the client movement is ‘suspicious’. I am not familiar with the code above, but in my code which involves vehicle, the server can decide to approve the client movement - so this is where the cheat can be avoided.

On a real world environment you can’t expect everything to run on the server.
On ideal world you can 100% prevent malicious clients, but doing so isn’t cost effective; servers actually have very limited resources to be authority on everything.