If someone were to implement worldserver data to create a game with persistant player stats, in a quasi-RPG, what sort of security would exist?

I mean if you were doling out experience points, how could it be made sure that a player isn't spoofing the central server, sending madeup experience numbers?
Things like getting points while playing on an empty server could be dealt with by game code. But just fake messages being sent to the server would have to have security inherent in the WorldServer system..

Server authentication would probably be the easiest, but also rather facist, and difficult to implement if you get more than a few servers running the game...

Anti-cheating is a big subject and there is a lot of thread about it in the forum. For the worldserver specific part, the 1st advantage is that nobody is anonym (login/pass), it will be very dissuasive for cheater, and easy for apply sanction if necessary.
I don't understand your usage of the term "facist" in this context. Of course I will use Server authentication and client authentication too. The code is under GPL, you can use it like you want, you can recompile it and create your own version (client/server/worldserver). You can create your own PHP/MySQL WorldServer if you want, based on my GPLed script.
But my WorldServer (rpc.aftermoon.net) will only accept connection from "official" version (currently recompiled engine/client are traced, not blocked).

I meant forcing any dedicated server running the mod to register with the central server, and only accepting updates from those servers. It would be effective, but restrictive.



How do you determine what engine/client is being used?

In a MORPG context it's not restrictive, it's normal. How can you imagine different versions for server that run in the same persistant world ?


The code contain some random data that were defined at compile time. These data affect the communication with the WorldServer. After each release, an admin user (account Pat currrently) connect to the WorldServer. The WorldServer store his "signature", and use it for comparison for each other users. In the future this signature will be dynamically computed and will use a param from the worldserver. The signature will change each time the admin connect to the WorldServer.

Well, the game I've been tooling around with the design for would have persistant player information, but not a persistant world. It would operate like current online shooters, only your avatar would improve in skill, and could obtain new equipment as it advanced. Maps would just be mission based objectives for which the player was rewarded, but not a persistant world to move around in.
So if the servers were required to authorize themselves, it would limit the places to play.

As for your security system, it's impressive. I can think of a few ways that with that and some simple secuirty (semi-intelligent point rewarding mainly.. knowing when the server is empty or local, etc) designed into the game dll that the whole system could be made fairly secure (for my game idea at least)

Thank you, but currently it isn't so impressive. The last month during a test I have authorized cheating on the WorldServer for a short time. But after the test I forgot to relock the cheat variable.
Some players have exploit my mistake for being invincible, get full inventory or walk throught wall. After the correction of my error, I have worked for an answer to these players. It's just online now :

Of course inventory of these player has been removed

More info : COOP or DIE