glitchybunny
commented
3 years ago Tthe easiest solution I can think of is keeping the client-generated ID private with the server, and letting the server generate a public ID for the client, which is used to transmit information to other clients.
Ideally, the public ID would be random or derived from the client's private ID, and the pair stored on the server for the session.
Unless anyone has a better solution that doesn't require giving the server more work?
When a client connects to the server, it uses a client-generated ID to tell the server and other players its position/name/etc data. Since the ID is sent to all other users upon the joining handshake, it's publicly available to everyone else on the server.
It would not be hard for someone to modify their page JS to spoof someone else's ID and cause problems. This will also automatically kick the person currently using the ID, since collisions aren't tolerated by the server.