So the issue is that since we're using Cemetech as an authentication server, and the game as a whole runs on different user hosted servers, we have 3 different client-server models operating that need to interact without compromising Cemetech login information or compromising the security of SAX or allowing unauthenticated individuals to use the name of registered usernames.

TBG servers connect to Cemetech, and receive a server id (public identification) and server key (private authentication). They must send a heartbeat at LEAST every 180 seconds so that Cemetech is aware of their presence. Players log in and receive a session id (just like they normally would if they were signing in to the forum). When they connect to a server they send both their username and a hashed copy of their SID. The server runs these by Cemetech, along with it's own key+id (for identification) and if it's a valid pair, adds it to a database table of users connected to each server (allowing chat messages involving that user/server pair to be sent to SAX), and reports back to the server on whether or not the username/hashed-SID combo was valid. If it was INVALID, then the server disconnects the user with a message telling them they must be logged in to Cemetech to play. Otherwise it just adds them to the game and sends it's server id for use in chat scripts. Notice that the player and server do not have to trust each other with any information that could be used to impersonate the other in interactions with Cemetech. Likewise Cemetech doesn't have to trust the players or the servers with any information other than validating or invalidating each query.

The last step of this is to add unauthenticated fallbacks for the cases when Cemetech is down (use the Garage Games master server + Torque's messaging capabilities instead of SAX) or to allow unauthenticated LAN play.[/i]

So if i understood it correctly, you will have to register in Cemetech and login somehow to play the game? Well... Also you said that we still can use GG Master Server, does it mean we can change this manually so we can play on GG Master Server when we want to? :P

How does cemetech SAX authenticate the message, I am a little confused on that. Also does the client or the game server send the SAX message to cemetech?

No, you need to register with Cemetech once, but your TBG will take care of logging you into Cemetech.

I still need to decide that actually, but either way it's set up so that users can ONLY send messages that look like they're from the server they are connected to and servers can ONLY send messages related to the users connected to them.



You will have to register with Cemetech to use any of the community features such as the mod repository, model sharing, nickname protection, or inter-server chat. If you don't want those abilities, you don't need an account. You'll automatically notify the GG Master Server that your server is online, but the default TBG setup will be to ignore the GG Master Server when looking for games, unless Cemetech is offline.

We should also give the player the option to turn off SAX, so they don't see or send messages over it, limiting them to the server he's in.

Actually, maybe we could have a separate text box for SAX conversations (I mean, a lot of stuff you chat about is only relevant to your server - and you might not want random conversations on Cemetech to interfere with your server chatting, and vice versa)

This isn't a bad idea actually. I think I'll make SAX handled client side.