
Discussion and help relating to the PlayerIO webpage and Facebook app hosting solution, Sitebox.

Facebook Games - Multiplayer

Postby batiali » November 24th, 2010, 12:10 pm

Hey there,

I was just curious about one thing.
Do we need to use multiplayer services of player.io to make a facebook game such as backyard monsters / farmville / treasure isle / games like these?
I know that you need to do it if you want a secure solution, but I wonder if there is any other solution that is half-secure and working.

First thing that I can think of is to store local time on bigdb / recall it when player joins the game again / calculate the current time - last time / write a logic that processes the time spent away / show & save the results.
The problems are:
- What happens if the player changes his local time?
- What happens if the player looks at his friend's zone? (His friend's changes won't be seen until he joins again.)
There were other problems that I can't remember right now :)
Maybe the 2nd problem should be fixed by a "last update time": whenever a player goes to his friend's zone, the calculation will be made for that player too. (Even if he does not join the game for some time.)
Then, there would be complications since these playerobjects will be changed from lots of places.

I'm really confused about how the process should be and the Seedlings example is not helping me that much :(
batiali
 
Posts: 29
Joined: August 11th, 2010, 2:53 pm

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 3:16 pm

The games you mentioned have no need for services like PlayerIO. Farmville, for example, is only a Flash client that connects to a PHP backend through AMFPHP. PlayerIO is the best choice when you want realtime interaction between players (for example, moving a character in realtime and allowing the other players to see it), but for those games you mentioned I can't see a real benefit, unless you would want something like realtime chat.
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby TobiasW » November 24th, 2010, 3:35 pm

Well, you could use the multiplayer service to double-check players' actions like AMFPHP would do. You don't want to send anything to other players in your current room, but this isn't the only benefit of the rooms - they are there for scaling, too. Seems perfectly valid to me to use them for that and never use "Broadcast".

Why would you want to go without? There is no such thing as "half-secure" - either it is secure or it isn't.
TobiasW
 
Posts: 59
Joined: August 29th, 2010, 12:31 am

Re: Facebook Games - Multiplayer

Postby batiali » November 24th, 2010, 4:02 pm

Thanks for the replies.

@fox1980
Ok. Those games don't need PlayerIO's multi service, but those games can be made with PlayerIO using BigDB, right? What else does PlayerIO need?

Let me give you an example.
In the Seedlings example, you need to recover your energy after it's depleted. To recover your energy, you need to wait a minute.
If you close the game and change your local time to 1 minute later, you'll see that your energy is recovered.
In a proper game, this is ofc not wanted.
What would you guys do to overcome this problem?
Use multiplayer service and get server time maybe?
batiali
 
Posts: 29
Joined: August 11th, 2010, 2:53 pm

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 4:10 pm

Yes, one could use PlayerIO instead of AMFPHP, and PlayerIO would probably be a lot faster. I just think PlayerIO is overkill, and will be far more expensive for that kind of project. Until he had hundreds of concurrent users he could get by with just a shared hosting web server, SQL flexibility, unlimited DB queries.
Don't get me wrong, I love the PlayerIO services, and they're crucial to me. But if you don't need other players to be updated the same second something changes on the server, you're probably better off with another solution, unless of course you would need other PlayerIO features like PayVault.
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 4:14 pm

batiali wrote:Thanks for the replies.

@fox1980
Ok. Those games don't need PlayerIO's multi service, but those games can be made with PlayerIO using BigDB, right? What else does PlayerIO need?

Let me give you an example.
In the Seedlings example, you need to recover your energy after it's depleted. To recover your energy, you need to wait a minute.
If you close the game and change your local time to 1 minute later, you'll see that your energy is recovered.
In a proper game, this is ofc not wanted.
What would you guys do to overcome this problem?
Use multiplayer service and get server time maybe?


Yes, those games can easily be made with PlayerIO.
The trick for what you mentioned is not to use the client time. Let's say you start with 100 energy and spend 50. You would update BigDB with energy=50, lastupdate=current server time. When you come back 10 minutes later you would query BigDB, calculate how much time has passed since lastupdate, increase energy accordingly, and set lastupdate=current server time again.
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby TobiasW » November 24th, 2010, 4:17 pm

fox1980 wrote:I just think PlayerIO is overkill, and will be far more expensive for that kind of projects. Until he had hundreds of concurrent users he could get by with just a shared hosting web server, SQL flexibility, unlimited DB queries.

You might be right. Sadly I don't have any kind of experience there.

batiali wrote:Use multiplayer service and get server time maybe?

Firstly, this.

Secondly, you do something with your energy, like planting seeds, and you don't want the client to be writing into the database directly, since I'm quite sure this could be hacked. (The easiest way would be to trick the client into thinking he has enough energy by writing directly into the memory, I guess, though I don't have much experience with that.)

You'll want to send to the server that the client WANTS to plant a seed, and then the server decides if the client might do this. You can check this on the client too to ease response time, but the client check shouldn't be the one which is really changing the game status (in the DB) - only the game representation.

This way you get a fast response time, but if somebody decides to hack the client, the only thing that's off is their representation of the game - the server/database still has the real values.

This wouldn't apply only to Player.IO multiplayer services, but to any other kind of server too, I guess.
TobiasW
 
Posts: 59
Joined: August 29th, 2010, 12:31 am

Re: Facebook Games - Multiplayer

Postby batiali » November 24th, 2010, 4:34 pm

Thanks a lot guys.
It was too explanatory.
So, if we plan to build a Facebook game and make a profit out of it (using microtransactions, for example), we will surely need a secure solution.
Then, I strongly believe there should be a secure version of the Seedlings example. Right now, it just confuses me and makes me say, "is this how FB games are done?". Don't get me wrong, player.io crew, this version may be better for starters, but it becomes confusing after you understand it, and since I've never made a Facebook game nor a multiplayer one, I need more examples to move on.
batiali
 
Posts: 29
Joined: August 11th, 2010, 2:53 pm

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 5:10 pm

I think showing how to make a fully fledged game is asking way too much. The examples they provide are there to show you how to interact between Flash/.NET/Facebook and PlayerIO services and, might I say, are much more complete than any sample I've found in other APIs. They're meant to show how the service works, not to teach us how to make games. When you talk about security, if you're referring to PayVault, be assured the transactions are highly secure; if you're referring to the possibility of someone hacking your game, that's totally up to you to prevent. Even if they made a 100% hack-proof sample game, the methods wouldn't apply to other projects.
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby TobiasW » November 24th, 2010, 6:04 pm

Basically, "secure" mostly translates down to "let the server decide", which basically means that the server cares about the game state and the client is only a visual representation and an interface to trigger server requests.

This would cause delays, so you might want to make the client also care about the game state so you get fast(er) responses to player actions.

Basically, it might be like this:

1. Player clicks "Plant seed"
2. Client checks if there is enough energy. If not, output "Not enough energy" - or just have the button disabled anyway
3. If yes, send a message to the server: "PlayerX plantSeed @ position 3|1" and instantly plant the seed on the client - after all, it is just a visual representation, no harm is done if the player cheated here somehow
4. Server gets message, checks if there is enough energy. If yes, it stores the result in the BigDB (or saves that for later). Optionally it might answer the client that it was a success, but that's only needed if there would be any doubts.
5. If no, it might send an error message.
TobiasW
 
Posts: 59
Joined: August 29th, 2010, 12:31 am
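
Editor's added example (not from any poster and not PlayerIO code): a minimal Python sketch of the server side of the five steps above, combined with the `lastupdate` server-time regeneration fox1980 describes earlier in the thread. The in-memory `db` dict stands in for a BigDB table that only the server may write; the class name, constants, grid size and message shape are all assumptions made for illustration.

```python
import time

MAX_ENERGY = 100      # assumed cap
REGEN_SECONDS = 60    # assumed: 1 energy per minute of server time
PLANT_COST = 10       # assumed cost of planting one seed
GRID = 5              # assumed 5x5 field


class GameServer:
    """Authoritative game state. `db` stands in for a table only the server may write."""

    def __init__(self, clock=time.time):
        self.clock = clock   # server clock; the client's clock is never consulted
        self.db = {}

    def _load(self, player_id):
        # player_id must come from the authenticated connection, not from the message
        now = self.clock()
        rec = self.db.setdefault(
            player_id, {"energy": MAX_ENERGY, "lastupdate": now, "plots": {}})
        if rec["energy"] >= MAX_ENERGY:
            rec["lastupdate"] = now            # nothing to regenerate
        else:
            gained = int((now - rec["lastupdate"]) // REGEN_SECONDS)
            if gained > 0:
                rec["energy"] = min(MAX_ENERGY, rec["energy"] + gained)
                # keep the partial minute unless the cap was reached
                rec["lastupdate"] = (now if rec["energy"] == MAX_ENERGY
                                     else rec["lastupdate"] + gained * REGEN_SECONDS)
        return rec

    def handle(self, player_id, message):
        """`message` is untrusted: only the request type and position are read."""
        rec = self._load(player_id)
        if message.get("type") != "plantSeed":
            return {"ok": False, "error": "unknown request"}
        pos = message.get("position")
        if not (isinstance(pos, tuple) and len(pos) == 2
                and all(isinstance(c, int) and 0 <= c < GRID for c in pos)):
            return {"ok": False, "error": "bad position"}
        if pos in rec["plots"]:
            return {"ok": False, "error": "plot occupied"}
        if rec["energy"] < PLANT_COST:
            return {"ok": False, "error": "not enough energy"}
        rec["energy"] -= PLANT_COST
        rec["plots"][pos] = "seed"
        return {"ok": True, "energy": rec["energy"]}
```

Any `energy` or `time` field a modified client puts in the message is simply never read, so changing the local clock or patching client memory only changes what that player sees on screen.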

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 6:54 pm

Not all games need an authoritative server, and even the ones that do don't need the server to decide everything. PlayerIO services are abstract to the game logic. It's up to you to figure out what you want the server to decide and what you can let the clients handle. There is usually a performance tradeoff between letting the clients or the server make decisions; for example, physics are computationally heavy, so you probably don't want the server computing them.
I did not look at the Seedlings example yet so I don't know how it behaves; from what I understood you're saying calculations are done client-side. That may be the case; what I'm saying is that security is not tied to PlayerIO, but rather to how you implement your game. The samples that come with the API are just that, examples to get you started; they're not meant to be hack-proof, though you can surely make a hack-proof game with PlayerIO.
I believe the Asteroids demo project implements a fully authoritative server, so if you really need an example I suggest you take a look at it.
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby Henrik » November 24th, 2010, 6:58 pm

batiali wrote:Hey there,

I was just curious about one thing.
Do we need to use multiplayer services of player.io to make a facebook game such as backyard monsters / farmville / treasure isle / games like these?
I know that you need to do it if you want a secure solution, but I wonder if there is any other solution that is half-secure and working.

No, there's no half-way solution. If your game logic executes on a server, it is secure, because you maintain the state and do all checks in an environment that players don't have access to. Any game logic that is executed in the client can be modified by the player, either by modifying the client, or by faking the network traffic, or in lots of other ways.

The way Farmville works is that the Flash client is just a pretty visualization of your game state, and every time you want to do something the client sends a request to the server telling it what you wish to do, and it either sends back an "ok", and modifies the game state, or it sends back "no" and doesn't modify the game state.

I assume that the way those games are implemented is with web requests for all server actions, but there's absolutely no reason that you couldn't do exactly the same using the Multiplayer service of Player.IO. Each client connects to any room, sends messages with requests on how it wishes to modify game state, and receives responses, and ignores any other players that happen to be connected to the same room. There's no fundamental difference between a Flash client doing web requests and getting JSON back, or connecting to a Player.IO multiplayer server and passing messages back and forth.
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Facebook Games - Multiplayer

Postby Henrik » November 24th, 2010, 7:12 pm

batiali wrote:First thing that I can think of is to store local time on bigdb / recall it when player joins the game again / calculate the current time - last time / write a logic that processes the time spent away / show & save the results.
The problems are:

No, having a player change his local time is the absolutely easiest way to cheat, and even if you only rely on server times instead of client times, you still haven't closed the biggest security hole, namely that the client is allowed to change the state in BigDB.

If you trust the client to calculate a new game state given a time interval, and save that new state to BigDB, then I can make a client that impersonates your real client, calculates a much better game state, and saves that to BigDB. It doesn't matter how much obscurity you add, if the client is allowed to save state, anyone can save whatever.

Now, obscurity might be good enough for your game, if you save the state of the world as a weird binary blob it's harder to figure out how to modify it, etc. Good enough for a prototype or beta version of a game. But if you plan on growing really big and earning money on your game, you have to make it completely secure.
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 7:13 pm

Henrik wrote:The way Farmville works is that the Flash client is just a pretty visualization of your game state, and every time you want to do something the client sends a request to the server telling it what you wish to do, and it either sends back an "ok", and modifies the game state, or it sends back "no" and doesn't modify the game state.


In fact Farmville ain't just a fancy client. I "studied" Farmville in depth once, and I found out there are many things they don't store server side. For example, the character position is never saved on the server, so if you refresh the page, you're always teleported to the same default position. Furthermore, the character position on the client can easily be hacked, and you can do stuff like teleport. Even the timer that says "Harvesting", which usually takes 1 second and makes you wait, is handled client side. If you use Cheat Engine with the speed hack you can essentially run and harvest 20 times faster.
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby fox1980 » November 24th, 2010, 7:16 pm

batiali wrote:No, having a player change his local time is the absolutely easiest way to cheat, and even if you only rely on server times instead of client times, you still haven't closed the biggest security hole, namely that the client is allowed to change the state in BigDB.


The client is only allowed to do modifications on BigDB tables if you let it; there are permission settings on the admin panel that will allow only the server to make changes to BigDB.

See this page:
http://playerio.com/features/bigdb/

Read the part where it says "Access management".
fox1980
 
Posts: 206
Joined: April 1st, 2010, 10:39 pm

Re: Facebook Games - Multiplayer

Postby Benjaminsen » November 24th, 2010, 9:46 pm

When we designed the PlayerIO services we did it with the classical social games in mind. As the service stands today you can in fact build games such as Zynga Poker 100% using Player.IO - something we are actually really proud of.

As you are all clearly aware, the largest barrier for doing more classical social games with Player.IO is that you need to either connect to the Multiplayer server or host your own servers running .NET to update BigDB securely. While this might not be the easiest way to do things, it's by no means something that prevents you from building these types of games on top of the platform.

Pretty much no matter what, you will save time and money using Player.IO, as we provide pre-made integrations with both Facebook and payment providers. Likewise, the cost of running a classical Facebook game using Player.IO should be very low, as the traffic need for those types of games is quite a lot smaller than for a realtime multiplayer game.

Thus, if you are serious about using the platform for a larger Facebook game, I would be more than happy to help you get started... As always I can be contacted directly at chris at player.io
Benjaminsen
.IO
 
Posts: 1444
Joined: January 12th, 2010, 11:54 am
Location: Denmark

