By coyotte508, split from "Akusu's Scripting Emporium"

Sounds like a more complicated script is needed to make sure bugs are eliminated. I'd personally have opted for a server builtin password feature. Think a little about this kind of mechanic...

-the user clicks connect to a server
-the client issues a connect request without supplying a password
-the server is password-protected. the client is disconnected with a wrong password message (user sees nothing)
-the client pops up a password prompt for the user <during this time the user will NOT be connected to the server>
-the user enters the password and clicks connect
-the client makes another connect request, issuing a password in the process. the server allows it
-the server allows the client in, assigning him a user ID, listing him among the users, allowing chat, battle etc.

This secondary design is far more secure, less messy, and faster. Until the client supplies the correct password, it is in no way connected to the server, not appearing in the userlist, not taking up space, and can't see who's inside. With a logon script however, the user is already connected to the server, taking up an ID number and a name and can see the other users. The user is basically already inside, and then artificial means are used to make it look like they're not until they provide the password. Suppose an attacker performs a classic DoS and scripts a large number of accounts to login, which end up taking all the user slots and making it impossible for new users to log in. Even though they don't know the password and can't troll the server, they can still disrupt it, just by knowing it's there.
I don't think you can put in a serious password system with what's available. At the VERY BEST coyotte could implement a secondary scripting system that operates at connect/disconnect level with its own custom functions. Even then there isn't a way for the client to submit a password to the server until it's fully connected, so a software-level implementation WILL have to happen at some point. My biggest notice here is for the security implications of a system which first welcomes you in THEN asks you for a password. As this simulator's popularity increases there will no doubt at some point be a pokehater script kiddie or troll who will fill up all the user slots with bogus accounts that are queued for authentication and don't allow anyone else to login. The only way to fix this hole is to implement a proper and serious password system, and I know it's easier to change code while still fresh than later on, so I'm pointing this out now.
EDIT: The server I have IS private. Again, there is nothing stopping an attacker from connecting with a hundred bogus accounts once they know its address. And what about the public servers which use password protection? I am not "that worried about my server's security" but rather the security of the software itself and how an attack as simple as this could one day be exploited and run rampant, upsetting many users. And guess what those users will do? They will start signing up on this forum en masse making "UR GAME IS BROKEN FIX IT NAO" threads.
Searinox: Even I can't bypass the AntiDos system. Try DoSing your server, you'll understand. You can choose the maximum number of accounts per IP online and the number of auto kicks before autoban (as well as other options). If that's on, then the DoSing bot I did (for testing purposes only :p) can't do anything to the server.
This is where I stop. I can understand the programming and the way scripting and some attacks work, but I can't write an attack myself. XD Even if difficult or impossible to do from one IP, snoopers do exist, and it is also aesthetically unpleasing to see members to the left which aren't logged in.
Well. Everyone is logged in directly for now. Also, even if they'd have multiple IPs, all would get banned fairly quickly, so there's no problem there either.
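
The two designs compared in the first post (slot assigned first and password asked by a logon script, versus password checked before a slot is assigned) and the per-IP account limit described in the AntiDos reply can be compared in a small model. This is an added example, not code from the thread or from the simulator; `Server`, `connect`, `MAX_SLOTS`, `perIpLimit`, the password and the addresses are all assumptions made for illustration.

```javascript
// Model only: names (Server, connect, MAX_SLOTS, perIpLimit) are hypothetical,
// not the simulator's API. Addresses are constructed documentation IPs.
const MAX_SLOTS = 5;

class Server {
  // gate: "pre-auth" checks the password before a slot is assigned;
  //       "logon-script" assigns the slot first and asks afterwards.
  constructor({ gate, password, perIpLimit = Infinity }) {
    Object.assign(this, { gate, password, perIpLimit });
    this.users = new Map(); // id -> { ip, authed }
    this.nextId = 1;
  }
  countFor(ip) {
    return [...this.users.values()].filter(u => u.ip === ip).length;
  }
  connect(ip, password) {
    if (this.countFor(ip) >= this.perIpLimit) return { ok: false, reason: "ip-limit" };
    const authed = password === this.password;
    if (this.gate === "pre-auth" && !authed) return { ok: false, reason: "wrong-password" };
    if (this.users.size >= MAX_SLOTS) return { ok: false, reason: "server-full" };
    const id = this.nextId++;
    this.users.set(id, { ip, authed }); // slot and user ID are now taken
    return { ok: true, id, authed };
  }
  visibleUserList() { return [...this.users.keys()]; }
}

// Drive each design with the same constructed traffic: `n` password-less
// connections from one address, then one member who knows the password.
function scenario(options, n = 20) {
  const server = new Server({ password: "s3cret", ...options });
  for (let i = 0; i < n; i++) server.connect("203.0.113.7");
  const member = server.connect("198.51.100.2", "s3cret");
  return { member, listed: server.visibleUserList().length };
}

const results = {
  logonScript: scenario({ gate: "logon-script" }),
  logonScriptIpCap: scenario({ gate: "logon-script", perIpLimit: 2 }),
  preAuth: scenario({ gate: "pre-auth" }),
};
console.log(results);
```

In the model, the per-IP cap lets the member in but still leaves unauthenticated entries in the user list, while the pre-auth gate leaves only the member listed.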