Open Red Alert League Europe

The Europe OpenRA League Discussion

Announcements and discussion about community-run events.
netnazgul
Posts: 507
Joined: Mon Jul 10, 2017 7:32 am
Location: Minsk

Post by netnazgul »

bimbam2103 wrote: 2nd Way: All is managed through the client (like most games). Within the client the player can create or search for matches. If the match ends same way as 1st way.

For my feeling: The 2nd way sounds better because the player only needs our website for looking at his ranking/managing his account.
Well, it's a lot of coding to be done to implement correct player authentication and result reporting. And if it's done by the devteam then openra doesn't really need any ranking system from outside because it's then quite easy to implement it ingame :P

upd: I suggest searching GitHub for discussions about ranking and auth. Good starting points are
https://github.com/OpenRA/OpenRA/issues ... entication
https://github.com/OpenRA/OpenRA/issues ... &q=ranking

anjew
Posts: 552
Joined: Sat Nov 08, 2014 4:16 am

Post by anjew »

Not keen on paying for something that could possibly be exploited.
If authentication is kept in-game then I'm definitely out (else there is an actual region lock). Basing authentication on IP is also not sufficient.

spetsnaz84
Posts: 20
Joined: Thu Aug 24, 2017 6:50 pm

Post by spetsnaz84 »

Maybe it's easier to keep the ranking server based:
Let a script process the replays on the official servers. This at least prevents fraud with fraudulent replay files.

The only big problem then is identity. How can we prevent impersonation?
While IP-based authentication is indeed not flawless, it can serve as some inspiration.

Imagine you log in on some openra competition website as 'spetsnaz84' and it stores the IP address (say 1.2.3.4) for a short amount of time (say 2 hours) in a database. If then I start to play a game (and I just found out the replay files store IP addresses of the players), the script can then correlate and verify if the IP address from the replay file corresponds with the 1.2.3.4 we stored in the database.
If it does not, the replay remains unverified and we send an email to the player so he can still 'check' in on the website to have his IP address verified. If he does not comply within 2 hours, the game is dropped.

I am not saying this is totally secure but it does allow a ranking system without modifying the client.
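
The check described in the post above, as an added example that is not part of the original thread or of OpenRA: it models the login table, the 2-hour window and the check-in deadline, and runs them on constructed data. `LoginStore`, `verify_player` and the status strings are hypothetical names, and treating a check-in as a later login from the replay's address is an assumption.

```python
from dataclasses import dataclass, field

LOGIN_TTL = 2 * 3600       # a login IP is kept "for a short amount of time (say 2 hours)"
CHECKIN_WINDOW = 2 * 3600  # time to check in before "the game is dropped"

@dataclass
class LoginStore:
    """Stands in for the website's database (hypothetical name)."""
    logins: list = field(default_factory=list)  # (account, ip, unix_time)

    def record(self, account, ip, at):
        self.logins.append((account, ip, at))

    def accounts_seen(self, ip, start, end):
        """Accounts that logged in from `ip` with start <= time <= end."""
        return {a for a, i, t in self.logins if i == ip and start <= t <= end}

def verify_player(store, account, replay_ip, game_time, now):
    """Classify one player entry of a replay, evaluated at time `now`."""
    # Assumption: a check-in is a login from the replay's address after the game.
    latest = min(now, game_time + CHECKIN_WINDOW)
    seen = store.accounts_seen(replay_ip, game_time - LOGIN_TTL, latest)
    if account in seen:
        # The address identifies a connection, not a person: every account
        # that logged in from it passes the same check.
        return "verified" if seen == {account} else "verified-shared-ip"
    if now <= game_time + CHECKIN_WINDOW:
        return "pending"   # email the player and wait for a check-in
    return "dropped"

def demo():
    """Constructed data: accounts, addresses and times are made up."""
    store = LoginStore()
    store.record("spetsnaz84", "1.2.3.4", at=0)
    store.record("second_account", "1.2.3.4", at=600)   # same household or NAT
    store.record("honest_player", "198.51.100.7", at=0)
    game, late = 3600, 3600 + CHECKIN_WINDOW + 1
    return {
        "shared_ip": verify_player(store, "spetsnaz84", "1.2.3.4", game, game),
        # modem restarted after login, so the replay shows a new address
        "ip_changed": verify_player(store, "honest_player", "203.0.113.9", game, game),
        "ip_changed_late": verify_player(store, "honest_player", "203.0.113.9", game, late),
        # name used from an address the account never logged in from
        "wrong_address": verify_player(store, "spetsnaz84", "192.0.2.50", game, late),
    }

if __name__ == "__main__":
    print(demo())
```

A player whose address changed after logging in ends in the same state as a name used from an unknown address, and two accounts behind one address both pass, so the result says which connection was used rather than who played.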

anjew
Posts: 552
Joined: Sat Nov 08, 2014 4:16 am

Post by anjew »

spetsnaz84 wrote: Imagine you log in on some openra competition website as 'spetsnaz84' and it stores the IP address (say 1.2.3.4) for a short amount of time (say 2 hours) in a database. If then I start to play a game (and I just found out the replay files store IP addresses of the players), the script can then correlate and verify if the IP address from the replay file corresponds with the 1.2.3.4 we stored in the database.
If it does not, the replay remains unverified and we send an email to the player so he can still 'check' in on the website to have his IP address verified. If he does not comply within 2 hours, the game is dropped.
Even storing IPs for 2 hours won't be sufficient. All it takes for some people's IP to change is a restart of the modem. And this kind of approach would make smurfing much easier.
You wouldn't even need to store the IP if you have a login system. Players can verify via the website. Both sides upload a replay and if it doesn't match the copy the server has, it's unverified. Or you can just use the login system for verification.

My other suggestion for verification is implementing something via Discord. It allows bots so all you need is someone to write up a bot that stores statistics, ELO and can start games

spetsnaz84
Posts: 20
Joined: Thu Aug 24, 2017 6:50 pm

Post by spetsnaz84 »

anjew wrote:
spetsnaz84 wrote: Imagine you log in on some openra competition website as 'spetsnaz84' and it stores the IP address (say 1.2.3.4) for a short amount of time (say 2 hours) in a database. If then I start to play a game (and I just found out the replay files store IP addresses of the players), the script can then correlate and verify if the IP address from the replay file corresponds with the 1.2.3.4 we stored in the database.
If it does not, the replay remains unverified and we send an email to the player so he can still 'check' in on the website to have his IP address verified. If he does not comply within 2 hours, the game is dropped.
Even storing IPs for 2 hours won't be sufficient. All it takes for some people's IP to change is a restart of the modem. And this kind of approach would make smurfing much easier.
You wouldn't even need to store the IP if you have a login system. Players can verify via the website. Both sides upload a replay and if it doesn't match the copy the server has, it's unverified. Or you can just use the login system for verification.

My other suggestion for verification is implementing something via Discord. It allows bots so all you need is someone to write up a bot that stores statistics, ELO and can start games
I agree with your suggestions.
