bimbam2103 wrote: ↑
2nd Way: All is managed through the client (like most games). Within the client the player can create or search for matches. If the match ends same way as 1st way.
For my feeling: The 2nd way sound better because the player only needs our website for looking at his ranking/managing his account.
Well, it's a lot of coding to be done to implement correct player authentication and result reporting. And if it's done by the devteam then openra doesn't really need any ranking system from outside because it's then quite easy to implement it ingame
Not keen on paying for something that could possibly be exploited.
If authentication is kept in-game then I'm definitely out (else there is an actual region lock). Basing authentication on IP is also not sufficient.
Maybe it's easier to keep the ranking server based:
Let a script process the replays on the official servers. This at least prevent fraud with fraudulent replay files.
The only big problem then is identity. Hope can we prevent impersonation ?
While IP-based authentication is indeed not flawless, it can serve as some inspiration.
Imagine you log in on some openra competition website as 'spetsnaz84' and it stores the IP address (say 1.2.3.4) for a short amount of time (say 2 hours) in a database. If then I start to play a game (and I just found out the replay files store IP addresses of the players), the script can then correlate and verify if the IP address from the replay file corresponds with the 1.2.3.4 we stored in the database.
If it does not, the replay remains unverified and we sent an email to the player so he can still 'check' in on the website to have his IP address verified. If he does not comply within 2 hours, the game is dropped.
I am not saying this is totally secure but it does allow a ranking system without modifying the client.
spetsnaz84 wrote: ↑
Imagine you log in on some openra competition website as 'spetsnaz84' and it stores the IP address (say 1.2.3.4) for a short amount of time (say 2 hours) in a database. If then I start to play a game (and I just found out the replay files store IP addresses of the players), the script can then correlate and verify if the IP address from the replay file corresponds with the 1.2.3.4 we stored in the database.
If it does not, the replay remains unverified and we sent an email to the player so he can still 'check' in on the website to have his IP address verified. If he does not comply within 2 hours, the game is dropped..
Even storing IP's for 2 hours won't be sufficient. All it takes for some peoples IP to change is a restart of the modem. And this kind of approach would make smurfing much easier.
You wouldn't even need to store the IP if you have a login system. Players can verify via the website. Both sides upload a replay and if it doesn't match the copy the server has its unverified. Or you can just use the login system for verifcation
My other suggestion for verification is implementing something via Discord. It allows bots so all you need is someone to write up a bot that stores statistics, ELO and can start games
spetsnaz84 wrote: ↑
Imagine you log in on some openra competition website as 'spetsnaz84' and it stores the IP address (say 1.2.3.4) for a short amount of time (say 2 hours) in a database. If then I start to play a game (and I just found out the replay files store IP addresses of the players), the script can then correlate and verify if the IP address from the replay file corresponds with the 1.2.3.4 we stored in the database.
If it does not, the replay remains unverified and we sent an email to the player so he can still 'check' in on the website to have his IP address verified. If he does not comply within 2 hours, the game is dropped..
Even storing IP's for 2 hours won't be sufficient. All it takes for some peoples IP to change is a restart of the modem. And this kind of approach would make smurfing much easier.
You wouldn't even need to store the IP if you have a login system. Players can verify via the website. Both sides upload a replay and if it doesn't match the copy the server has its unverified. Or you can just use the login system for verifcation
My other suggestion for verification is implementing something via Discord. It allows bots so all you need is someone to write up a bot that stores statistics, ELO and can start games