Another suggestion... user/pass system?


goemon
6th October, 2001, 08:02 AM
A single server password is too limiting... if someone leaks the password then all the pussy cheaters can get in. Worse, it's hard to tell who leaked it. And it takes some time to get the new server password to everyone.

A better system would be individual username / password logins... then if someone leaks their login, you know exactly which individual user leaked it, you can delete them and no one else has to suffer.

Would such a system be possible through a mod?

LoadedDice
6th October, 2001, 07:12 PM
Limited Admin supports 50 user/pass names. So you can (like I have) set up individual usernames for specific people.

DarkByte
8th October, 2001, 07:09 AM
Well, I never thought someone would mention it but since it's out, that is what I believe was more important than SemiAdmin. I will announce LimitLogin 0.5 in a very short time. Just need to tweak user management cuz it's a bit complex right now.

Prezident
8th October, 2001, 04:10 PM
Hmmm, maybe this is what you were talking about... Looking forward to hearing more about it.

goemon
12th October, 2001, 09:49 AM
Remember to test it with tactical ops... :P

DarkByte
14th October, 2001, 07:55 AM
Humm... I will need to check with Shag for that since the only way to really support username/password login is to embed it with the game class.

I'll try to work it such that it can be plugged in easily and not restrictive, not sure if it will work. But worst case, I'll have a LimitTOLogin :)

goemon
19th October, 2001, 02:03 PM
Oh yeah another idea :)

How about support for distributed user/pass database?

E.g. if you are running LimitLogin, you can tell it to contact a trusted central server of your choice and if a user is not found in your local database, it can query the central server for authentication.

That way, trusted groups of servers can set up trusted shared databases...

DarkByte
20th October, 2001, 02:17 AM
Already in the works, this is what is taking me a bit longer.

But I must admit you added a little twist to it that I didn't think about. I just wonder if it really makes sense.

goemon
20th October, 2001, 03:36 AM
Well it creates a strong disincentive for cheaters... since they know if they are caught cheating they will not just be banned from one server, but from all servers using the central database.

Makes sense to me :D

DarkByte
20th October, 2001, 09:50 AM
Oops, I guess I was writing what I was thinking :)

What I wondered about was if it made sense to have a dual system. It seems most likely that your bank of username/password will be different from a central one. If you're going to have a personal user list, don't try to match it with the centralized one. If you go centralized, don't use a personal list. (Except maybe for Admins?)

goemon
20th October, 2001, 10:38 AM
I don't see why you couldn't do both... why not let the admin choose how they want to run their own server :)

Makes sense to me that if a user is not found on the central server, it would check the local database... or vice versa :D

Then it will check against a database of "trusted" players, as well as your own personal server database.

So you would have: Centralized db only, Local db only, or Centralized+Local db...

Also an option to check against multiple central servers maybe?

Hmm I'm getting a little overly excited over this mod :D

DarkByte
20th October, 2001, 11:20 PM
Ok, maybe I don't understand how far centralized goes for you.

Say, I register for your server(s), and I use "Eric" as my username, then I find another cluster of servers and I try to register "Eric" but someone has taken it. I then need to register under "Eric2" for this one. So, if you check in your database, I'm listed under "Eric", on the Central Database, I'm listed under "Eric" and that's fine, but then, when I connect to one of the servers in the other cluster, it can't compare to the centralized server because my name is different from the central one.

There might be workarounds, but nothing really simple unless someone decides he takes care of a fully central database.

Now, see it a different way. All I expect to receive from the "Validation Service" is this: "Allowed" or "Not Allowed". How you manage your validation service (web, telnet, etc) is kinda up to you. I will have a starting kit that you can use, but you will be able to deal with it however pleases you :)

Now, let's say someone like PlanetUnreal (or GameSpy) decides to provide a centralized database. There is no way all the local clusters will be able to conform to that one? (or maybe it could become the standard) hehehe.

goemon
26th October, 2001, 01:05 PM
More ideas :D

Optional regexp matching to redirect to specific servers, e.g. "[ClanName]*" would validate against clanserver-database.cjb.net etc etc

This would stop clan impostors...

Of course this matching could be done on the database server side too... the database server could decide how to cascade authentications and make the hard decisions there. :P

Yeah, go ahead and leave it up to the database server to make the decisions. Let the admins hack up whatever kind of server database they want and just have LimitLogon authenticate off that... then they can authenticate however they want to :D

BTW what protocol will LimitLogon use for querying the server? Just HTTP GET? E.g. http://dbserver.bla.com/username=bla?password=bla

Then LimitLogon can return back whatever response it gets to the client, e.g. "You lamer, you are banned for botting" or "contact admin@<hidden> immediately"
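
An added example, not part of the thread and not LimitLogin's code: a Python sketch of the validation service discussed above, which answers "Allowed" or "Not Allowed" from a local database, a central one, or both in cascade. The function names, the mode names, the salted PBKDF2 storage and the sample users are assumptions made for the illustration; it also shows the name collision raised in the thread, where a local "Eric" shadows the central "Eric".

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this sketch

def make_record(password, banned_reason=None):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "banned": banned_reason}

def check(db, user, password):
    """Return None if db does not know the user, else (allowed, message)."""
    rec = db.get(user)
    if rec is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    if not hmac.compare_digest(digest, rec["hash"]):
        return (False, "Not Allowed")
    if rec["banned"]:
        # The ban reason is only shown to someone who proved the password.
        return (False, "Not Allowed: " + rec["banned"])
    return (True, "Allowed")

def validate(user, password, local_db, central_db, mode="local+central"):
    """Cascade: the first database that knows the user name decides."""
    sources = {"local": [local_db],
               "central": [central_db],
               "local+central": [local_db, central_db]}[mode]
    for db in sources:
        result = check(db, user, password)
        if result is not None:
            return result
    return (False, "Not Allowed")  # unknown everywhere: fail closed

# Constructed sample data: two different people both registered as "Eric".
LOCAL = {"Eric": make_record("local-pass")}
CENTRAL = {"Eric": make_record("central-pass"),
           "Botter": make_record("pw", banned_reason="banned for botting")}

if __name__ == "__main__":
    print(validate("Eric", "central-pass", LOCAL, CENTRAL))  # shadowed by local Eric
    print(validate("Botter", "pw", LOCAL, CENTRAL))
```

The transport is left out on purpose. If the query travels over HTTP, sending the credentials in a POST body over TLS keeps them out of URL-based access and proxy logs, which a GET query string does not.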