question

connor-1 avatar image
connor-1 asked

Session Ticket hijacking or man-in-the-middle with UE4 RPCs

I'm setting up a project using a Unreal Engine dedicated server. Currently, players login on their local client with a playfab or other ID, and can connect to the dedicated server when they receive its connection details. However, anyone with the IP and port can connect to that server. The next step in my understanding is to authenticate that the connecting player's session ticket to ensure they're logged in and associated with their playfab ID.

From my reading, it seems that the accepted way to do this is to send the session ticket from the client to the server with a UE4 method. However, UE4's networking by default doesn't have any form of encryption or anything. Wouldn't it be possible for someone using Wireshark or some other tool to see the session ticket, and then use it for nefarious purposes?

I understand that the HTTPS API requests to playfab use SSL, so those are safe, but I'm asking specifically about sending the ticket to the dedicated server OnLogin for the server to authenticate it with an client-to-server RPC.

1. Is this really the expected process for authenticating players on the dedicated server or am I misunderstanding something?

2. Would it be worthwhile for me to investigate setting up some way of encrypting that one very sensitive RPC, Using a public/private key or something?

Player DatamultiplayerAuthenticationunreal
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
Gosen Gao avatar image
Gosen Gao answered

1. Is this really the expected process for authenticating players on the dedicated server or am I misunderstanding something?

Yes, using session tickets to authenticate the players is recommended. Here is the API for that: Authentication - Authenticate Session Ticket - REST API (PlayFab Server) | Microsoft Learn.

2. Would it be worthwhile for me to investigate setting up some way of encrypting that one very sensitive RPC, Using a public/private key or something?

If the UE networking won’t encrypt the data, for security reason, it is worth to encrypt the message on the client first. Please select the encryption method you want according to your needs.

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Error rendering WebPanel (widgets/consolidation-widget.ftl): org.hibernate.hql.internal.ast.QuerySyntaxException: AvailableConsolidation is not mapped [from AvailableConsolidation up where up.node = :node]