Since playing on servers requires an XBOX live sign in, is a Auth plugin needed now? Like SimpleAuth etc. Just curious and wanted to know.
Yes, never trust the client, they could just use a local server as proxy Also, I think this is a duplicate thread
No playing on server still dosent need XBL, afaik PMMP cant really tell if ppl are logged in to XBL or not and yes they are still needed, until PMMP have built in XBL recognizance
I'm more talking aout when on 1.2 it says you must be logged into Xbox live to connect to a server, so if they don't know the pass or email to a Xbox live acc then they cant use that username. (on a server)
it's like asking someone what's their name are without verifying it best way if you intentionally want to allow everyone to impersonate everyone
because you didnt verify it it's like making this forum only need username the password field is just for show here's a technical overview: the client can join local server with no XBL the client starts a proxy which host as local server client joins the local proxy server the proxy server proxy it to a targeted server
You have to log into Xbl to play on servers, so only the owner who knows the xbl pass could log in, BEFORE they connect to the server, as it is required to play on servers now, then they wouldnt have to enter any pass in the server.
see my updated comment UNLESS the server verifies the XBL auth chains the server wouldnt know, if it's real or not, it would just let it pass like sure the CLIENT requires XBL but what if the client somehow bypasses it? or disable it? unless the server enforces it by verifying it it's nothing it's as good as telling people only use the accounts they own and you know it in classic internet style someone WILL break it if it's only enforced client side
It'll be needed until PMMP officially supports XBL authentication. Personally, I think it's a good thing that Mojang is trying to get everyone to use their authentication system.
debatable the way they are shoving it down, might not be the way i want to get everyone to use my system
It's either that or all servers use their own authentication system which I think isn't very practical or safe for the user (and server).
Like I said, letting the user or server choose can be unsafe. The user will probably use the same password on every server and the servers may not save the passwords in a safe manner.
but this now only can go so far your stand is: user safety is always more important than user choice, thus it's worth it to sacrifice user choice for safety my stand is: user choice is always more important than user safety, thus it's worth it to sacrifice user safety for choice and if no side have a better argument other than repeating the same thing or one side want to accept the other side this will only result in this current discussion begin nothing of value added into this thread back to the argument is that players can choose to use or not use XBL, say if a server only support no XBL? just give that one a pass and find another one! say if a server only support XBL and you dont like that? give that one a pass too!(still possible but less easier which i dont like) say if a server uses no XBL, player are ought to use different passwords as that's literally common sense nowadays(unless they dont care) and server owner should be able to choose an auth system whether it be no auth, server auth, xbl auth
And that's exactly the problem. No one can remember a unique password for every server, so everyone uses the same password for every server. That can result in a player being hacked if their password gets leaked somehow. It's also more practical for the user to just login once to XBL when they install the game than having to login every time they join a server.
yeah, it sounds great on paper, until you remember lots of servers will simply use username hacks and their old auth systems. I personally think it's an asshole move. it's absolute hell for people who have previous saved data by plugins for users. The decision to force Xbox Live auth should be left to the server owner. TL;DR: you can't trust the client, and PocketMine-MP does not (yet) verify the authenticity of the login. A player with a LAN proxy can easily circumvent the forced XBL auth.
I'm happy they're finally making the move because I feel like this is how is should've been from the start (using Mojang's own auth system, not XBL but whatever). They had to make the transition at one point, right? Agreed. What servers should (obviously) do is keep using their own authentication system until PocketMine can verify players using XBL. And then find a way to transfer data...
I agree with @dktapps and @Thunder33345 on this. Personally, I think this should be about choice. Servers for the Java edition of Minecraft do have the ability to not use Mojang auth (so people who play "for free" can join) but this (while similar) is different. You're not forced to login to XBox to play at all, but just for multiplayer. It's a terrible thing in my opinion, as though it takes away the choice of the user. The player and server owner should be the ones to decide how they are confirmed by the system to not be a fraud. If they want to use the XBox, than go ahead. If you want to disconnect from it and use your own, than do so! But by forcing XBox auth, it's taking away that freedom. It's probably safe to assume that the main reason for the developors doing this, is not for simplicity, but simply to support XBox Live. After all, thy're both Microsoft products