Security of customProperties
I'm using PUN+ and was wondering about the security of using customProperties. I see that using them is suggested in a lot of places, but if a player can change the properties of all other players, wouldn't that compromise the security of the information stored?
Basically any client can set any type of information I store there for any other client and it will update on all ends.
Would be great if anyone can clarify this.
Thanks ahead,
Michael Papkov.
Comments
Hi @StarKist,
Thank you for choosing Photon!
You are raising a good point and your concerns are legit.
First of all, you should enforce "security" in your app using:
- Custom Authentication (allow only trusted clients)
- Obfuscation (minimize risks by "hiding" custom properties string keys)
I can suggest a workaround (did not test it but should work):
The idea is to have one or more custom player properties that should be used to prevent updating properties of other players.
- Initialize one or more custom player properties without broadcasting them (look for Broadcast parameter). This way only the player knows these properties.
- Use CAS: every time you want to update player properties, use the above properties as expectedProperties.
Hi @JohnTube, love the sound of this solution but I can't find anything in the docs about a "broadcast" parameter for SetCustomProperties... can you elaborate?
Hi @legend411,
You should look for references to ParameterCode.Broadcast.
You should look for lines in "LoadBalancingPeer.cs" or "NetworkingPeer.cs":
opParameters.Add(ParameterCode.Broadcast, true);
The solution has one flaw though:
If player Y joins after player X, player Y will receive all of player X's properties in the JoinRoom operation response.
So you should set each secret player's properties only after all players have joined or renew the secret property after each new player join/rejoin.
I see...
I'm looking at LoadbalancingPeer but I don't really understand how I would use that parameter in my own call to SetCustomProperties(), this looks like I'd be mucking with some PUN core stuff?
"this looks like I'd be mucking with some PUN core stuff?"
Yes, this is required unfortunately, as the Broadcast parameter is not exposed at a high level since this use case is not common and we want to avoid complexity.