[wups]

I don't know if this is fixed in 0.3z but on my server a hacker can somehow join the server then connect multiple accounts using the same id and even name! that opened countless ways of making money and, well, broke the server.
If this is fixed in 0.3z please let me now ASAP, else, address this issue quickly.
Some logs:

Quote:

[19:00:24] [join] Peter has joined the server (202:IP1) [19:02:26] [join] Peter has joined the server (208:IP1) // notice there were no leaving messages inbetween. Same name, different ID [19:03:06] [part] Peter has left the server (208:1) // he left? [19:03:55] [join] Peter has joined the server (172:IP1) // comes again with the different id(notice that id 202 is still connected) [19:05:46] [join] Peter has joined the server (37:IP1) // another id [19:06:46] [join] John has joined the server (37:IP1) // diferent name, same ID and IP [19:06:50] [part] John has left the server (37:1) [19:07:10] [join] Peter has joined the server (37:IP1) // and so on.. there are NO disconnect logs of the initial ids

there were NO name changing logs.
And i found a thread about it after writing this whole thing: https://sampforum.blast.hk/showthread.php?tid=474358

P.S. No need to tell me that this can be avoided script-wise. It's a bug and it belongs here and also pretty dangerous.
P.S.S. What name does GetPlayerName return if a hacker changes his name with cheats?

[Konstantinos]

It spoofs OnPlayerConnect callback and a solution was given in another thread: https://sampforum.blast.hk/showthread.php?tid=479388

[wups]

Quote:

Originally Posted by Konstantinos It spoofs OnPlayerConnect callback and a solution was given in another thread: https://sampforum.blast.hk/showthread.php?tid=479388

Thanks a lot! Still the problem of connecting with different ids persists. As far as I can see in that script it only deals with using the same ids. There still needs to be an anti-namechange hack.

[Richie©]

Keep track of their legit name after login, i store playername in var and it only changes on legit name changes by the server. Account ID based saving also benefits.
If you do it like that, alot of ways to fuck up stats is eliminated. (Unless they know pw of a players account)

[Pottus]

If I see this happening on my server I will surely make a patch but it has not yet so there isn't much I want to do yet until I can confirm it myself.

@Edit 5 minute patch, make sure this is included before anything else is included in your gamemode that way this patch is first in the chain of hooks and will prevent OnPlayerConnect() from actually being processed!

pawn Код:

#include <YSI\y_iterate>

static Iterator:ConnectIter<MAX_PLAYERS>;
static LoginNames[MAX_PLAYERS][MAX_PLAYER_NAME+1];
static bool:ProcessDisconnect[MAX_PLAYERS] = { true, ...};

public OnPlayerConnect(playerid)
{
    if(Iter_Contains(ConnectIter, playerid))
    {
        // Player was already connected! (Kick, ban, etc)
        return 1;
    }
    else
    {
        Iter_Add(ConnectIter, playerid);
        GetPlayerName(playerid, LoginNames[playerid], MAX_PLAYER_NAME+1);
        foreach(new i : ConnectIter)
        {
            if(i == playerid) continue;
            if(!strcmp(LoginNames[playerid], LoginNames[i]))
            {
                // Player name was already connected! (Kick, ban, etc)
                // No need to do any disconnect code since no connection code was done
                ProcessDisconnect[playerid] = false;
                return 1;
            }
        }
    }
    
    if (funcidx("AntiDL_OnPlayerConnect") != -1) return CallLocalFunction("AntiDL_OnPlayerConnect", "i", playerid);
    return 1;
}

#if defined _ALS_OnPlayerConnect
    #undef OnPlayerConnect
#else
    #define _ALS_OnPlayerConnect
#endif
#define OnPlayerConnect AntiDL_OnPlayerConnect

forward AntiDL_OnPlayerConnect(playerid);

// Remove any iterators
public OnPlayerDisconnect(playerid, reason)
{
    Iter_Remove(ConnectIter, playerid);
    if (funcidx("AntiDL_OnPlayerDisconnect") != -1 && ProcessDisconnect[playerid] == true) return CallLocalFunction("AntiDL_OnPlayerDisconnect", "ii", playerid, reason);
    ProcessDisconnect[playerid] = true;
    return 1;
}

#if defined _ALS_OnPlayerDisconnect
    #undef OnPlayerDisconnect
#else
    #define _ALS_OnPlayerDisconnect
#endif
#define OnPlayerDisconnect AntiDL_OnPlayerDisconnect

forward AntiDL_OnPlayerDisconnect(playerid, reason);

[wups]

The script is good tho you should make some adjustments and release it in the include section, not many server owners will see it here.

[Pottus]

Quote:

Originally Posted by wups The script is good tho you should make some adjustments and release it in the include section, not many server owners will see it here.

I'm sure they will find it here or someone will customize their own it's pretty simple I think most scripters could patch this easily.

[Misiur]

@[uL]Pottus: Hey, the default (y_iterate) Player array works exactly as your ConnectIter, so I'd suggest using it instead.

[Pottus]

Quote:

Originally Posted by Misiur @[uL]Pottus: Hey, the default (y_iterate) Player array works exactly as your ConnectIter, so I'd suggest using it instead.

Bad idea, we want to do this outside of anything internal and we also want to make sure this is done first so the gamemode will not even get a chance to process callbacks this makes implementation fool proof that will work with any script. The player iterator is not designed to handle this kind of event if you read the code in y_iterate there is absolutely no provisions in place for checking connection spoofing. So it doesn't work exactly the same as y_iterate your suggestion doesn't fit the dynamics of the problem unfortunately.