Download

[WiP] Multiplayer Login System with MySQL Database (thoughts?)

Hey guys and girls (:,

so since i am making a game that needs to recognize the players everytime they join on servers hosted by players themself, i needed a way to give them a unique ID.
The server would check the ID that the player gives him and returns his inventory or creates a new savegame for him if the ID couldnt be found.

So using a MySQL Database with a table for accounts was the first thing i thought about.

I searched the forum, the hub and several over non UE4 related sites but i couldn’t find a tutorial for this.
What i found were bunch of people saying that you shouldn’t use the MySQL queries directly in the game.

So i needed a way to communicate with the Database over a php Script. I found the HttpRequests and managed to implement the libraries
in the UE4. Now i was able to send POST data (json) to my php script. Making the Request function blueprintcallable gave me the opportunity to
use the new UMG to make a login screen, which uses the Editable Textboxes for Username and password.

Now i let the loginscreen widget check an int Value named “AccountID” on my character with the tick.
Each time i perform a request by clicking on login, the php script sends back an echo with false (0) or the id of the user from the database.

If the echo is unequal to 0, we login and save the ID to our character.
With this ID, i can now track the player and its inventory, because it is the primary key inside the MySQL database.

What i want to ask now is:

Is this a valid way to perform this, or are there security issues or something else?
Is there a better idea on how to do this that i haven’t found by now?

AND do you guys want me to make a small tutorial on how to do this?

Because i can’t find any tutorial on how to make a login system connected to a database with UE4 by now
and i can’t imagine that no one of you needs a login connected with a database (all of you mmo makers for example).

I would be happy if we could discuss this a bit (:

Absolutely!

I think there are probably quite a few people looking for tutorials on this sort of thing.

That would be awesome, especially as documentation / tutorials for that sort of thing are so scarce :slight_smile:

Yes I would like to see one, I know how to do the server-side and client side part of the programming but I don’t know how to make it to show the user how to input his data so it can be sent to the server. I would gladly look at such tutorial!

(: Alright.
You will be amazed on how easy this actually is.
But i would still be happy if someone could point out some negativ sides on doing the “logged in” check.
Furthermore, i’m planing to also make a sessions script, so that your user can’t login with an account twice at one time
and will be auto logged out after around 3 minutes of inactivity.

EDIT: I just wanted to point out, that i’m not 100% done with saving part. But that is just something about time i need (need to learn for university >.<)

Depending on how you are doing this, there is a security problem with it. If all I need is that ID in order to claim to be that person, then I can easily spoof other accounts and tamper with them.

I could also save the Username and the crypted password, but thats not something i want to save on the computer of the Host.
Is there something more i could save to identify the player? (:

You need to do the authentication on server-side by user token. Each time a user logins you should provide a login Token which will be sent back to your game and then from the game to the server on every request.

So something like a hashed value made from his name? How could a cheater even change the value of his ID Variable? If you only get the ID by Login with the right Username and password, he would need the login of this user or?
The Token and the id are both saved serverside in a savegame of the current world to identify a player that reconnects. Minecraft is doing the same with the usersave but i guess Notch is only using the username or? If you delete the Username out of a certain file of your current world, the user will start fresh.
To abuse this, you would need to change variable inside the game. How would a cheater even manage to change them? o.o Isn’t the UE4 save from outside?
The only thing he could do is changing the id inside the savegame to his own, but since the game is designed to be played with something like 4 friends, i don’t think someone will do this.

If you want to save the inventory, and so on, away from users on your own servers, you can save everything in the mysql database that only you can access (like WoW or other mmos).

Well, here is an example http://www.cheatengine.org/aboutce.php.

If you make it only id, the hacker can just try a lot if ID’s and he will finnaly get one of the player. If you want to be save, the token (hash id) has to be renewed everytime the user connects, and if someone connects from another ip address, you have to abort the session.

Also, the token should be long, so a brute attack (jsut trying out all id’s possible) doesn’t work well. It could be 256 bit for example (very secure). That’s the size of 8 32bit ints. You have to find the balance between security and lightweigh because the security shouldn’t take so much bandwith because it’ll be send with each packet.

Hm ok, but i need some help from you to understand this completely.

How do i use a renewed HashID for that? If i connect to a server, i need the HashID to assign the inventory to the player. After that was done, it’s the only time i could create the HashID and save it for the next reconnect.
But if i recreate it everytime the user connects to one of a hundred servers, i would need to save the HashIDs somewhere and also save a Server ID, so that a player can send the right HashID to the right server.

For this i would need to track the server and also create unique IDs for them. Thats something i definitely don’t want to do.

I can’t imagine another time, when i could renew the HashIDs, because if i change a HashID before i connect to a server, it won’t match (logical or? >.<).

What about not using a normal ID but a very long Hashed one (that stays the same all time)? It wouldnt be that easy to find out, although i still think no one would do this with a friend.

So:

  1. Everytime a player connects he give the user name and password
  2. The server creates a hashID and stores the ip adress.
  3. The player always gives the hashID when requesting something and the server checks if it’s the right ip number too.
  4. The player disconnects and the hashID gets destroyed.

Ok,

so to make sure we have the same server structure in mind:

Here is a quick picture of what i have in mind:

If you start the game, you must login. As long as you are logged in, your sessions gets updated. If you logout or your inet dies or something like that, your session gets deleted.
As long as you are logged in, no one else can login with your account.

If you now connect to a listen server of another player, you send him your userID and the server gives you your saved inventory from last time.

http://puu.sh/b7HR7/2266a46223.png

So where do you want to put the HashID here? Should the player also send the username and the password to the Listen Server so that the server creates an extra ID for the session? Isn’t that a bit doubledoing it?
He should already have the user ID so that he can give the player its inventory ):

Sorry if i’m a slowpoke on the logical side of this!

Actually, you have to make it somehow that:

  1. Inventory is saved at a glboal server, which belongs to you.
  2. The listen servers of players, have to connect to the main server, to figure out the inventory. But the actuall player should also give the mai nserver the information that he can send it to the listen server and trust it. Remember, that you can’t just trust players’ listen servers.

Buh, ok i would need to let servers register themself with the Mainserver. He would create an ID for a server, to match the server with all its inventories.
That’s something for the MMO guys here i guess. Sadly i don’t have time working out a system this big.

But to be honest, thats not what i wanted to do with my own game. I guess this is important for developers running a MMO where players aren’t alowed to have their Inventory saved to their local pc,
but my game is just something small like Minecraft. In Minecraft, Notch isnt saving Inventories at globalserver. He just saves them with the world in the folder of the server.
That’s how i wanted to do this too. Create a local server or a dedicated one. The server saves it’s map/s and players. That’s all.
I won’t bother myself with players abusing this. I mean, they already paid for the game. If they want to delete or modify their savegame, it’s up to them.

So i guess i will teach the basics of communicating with a Database over HttpRequests and user can work out a system they need for their games. (:

Thanks for your help so far!

Ah ok, I thought you want security like in mmo’s. If you want it this way, you can just save it as a database file on the liiten server.

Yes BUT, still, thanks to you, other players can read how to structure there servers for a mmo’s.
If you don’t mind, i would like to quote you on your thoughts for people who want to go further with the basic communication between their UE4 Games and the Databases (:

As you want. I’m happy that I could help :slight_smile:

1 - First what’s your server language going to be PHP, Python… ?
2 - Are you going to use a cloud hosting provider?

I’d suggest you use a library or framework for your Authentication service (Laravel for PHP, Flask for Python).

On successful user login (username , password) the Token ID for this login is generated and you can save it temporary to your game and use it on each request to the server.

The server will validate all requests by the Token ID, if for some reason the user is not authenticated you clear the token stored temporary in your game and force the user to Login.

  1. PHP. I will have a look at Laravel for easier Database querys.
  2. Na, a Webserver with a Database is enough for this.

The rest of your post was already mentioned (: I will add it to the quote on further thoughts on how to extend the basic system for others.

Thank you!